ocsf_types/

ocsf_generated.rs

#![allow(deprecated)]
#![allow(unused_imports)]
use serde::{Deserialize, Serialize};
use serde_json::Value;
#[doc = "Account Change\n\nAccount Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.\n\n[UID:3001] Category: iam | Name: account_change"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AccountChange {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authentication Factors\n\nDetails about the authentication factors associated with the MFA Factor Enable/Disable activities.\n\noptional"]
    #[serde(rename = "auth_factors")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_factors: Option<Vec<AuthFactor>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Identity & Access Management</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Account Change</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\noptional"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the underlying HTTP response.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policies\n\nDetails about the IAM policies associated with the Attach/Detach Policy activities.\n\noptional"]
    #[serde(rename = "policies")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policies: Option<Vec<Policy>>,
    #[doc = "Policy\n\nDetails about the IAM policy associated to the Attach/Detach Policy activities.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source of the IAM activity.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nThe user that was a target of an activity.\n\nrequired"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
    #[doc = "User Result\n\nThe result of the user account change. It should contain the new values of the changed attributes.\n\nrecommended"]
    #[serde(rename = "user_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user_result: Option<Box<User>>,
}
#[doc = "Admin Group Query\n\nAdmin Group Query events report information about administrative groups.\n\n[UID:5009] Category: discovery | Name: admin_group_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AdminGroupQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Admin Group Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Group\n\nThe administrative group.\n\nrequired"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Users\n\nThe users that belong to the administrative group.\n\nrecommended"]
    #[serde(rename = "users")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub users: Option<Vec<User>>,
}
#[doc = "Airborne Broadcast Activity\n\nAirborne Broadcast Activity events report the activity of any aircraft or unmanned system as reported and tracked by Automatic Dependent Surveillance - Broadcast (ADS-B) receivers. Based on the ADS-B standards described in <a target='_blank' href='https://www.ecfr.gov/current/title-14/chapter-I/subchapter-F/part-91#91.225'>Code of Federal Regulations (CFR) Title 14 Chapter I Subchapter F Part 91</a> and in other general Federal Aviation Administration (FAA) supplemental orders and guidance described <a target='_blank' href='https://www.faa.gov/about/office_org/headquarters_offices/avs/offices/afx/afs/afs400/afs410/ads-b'>here</a>.\n\n[UID:8002] Category: unmanned_systems | Name: airborne_broadcast_activity\n\n**Constraints:**\n* at_least_one: `[aircraft`,`unmanned_aerial_system`,`unmanned_system_operating_area]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AirborneBroadcastActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "Aircraft\n\nThe Aircraft object represents any aircraft or otherwise airborne asset such as an unmanned system, airplane, balloon, spacecraft, or otherwise. The Aircraft object is intended to normalized data captured or otherwise logged from active radar, passive radar, multi-spectral systems, or the Automatic Dependant Broadcast - Surveillance (ADS-B), and/or Mode S systems.\n\nrecommended"]
    #[serde(rename = "aircraft")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aircraft: Option<Box<Aircraft>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Unmanned Systems</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Airborne Broadcast Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe destination network endpoint for the ADS-B system, if telemetry is being remotely broadcasted.\n\noptional"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "ADS-B Protocol\n\nThe specific protocol associated with the ADS-B system. E.g. <code>ADS-B UAT</code> or <code>ADS-B ES</code>.\n\nrecommended"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "RSSI\n\nRecent average RSSI (signal power) measured in dbFS. This value will always be negative, e.g., <code>-87.13</code>.\n\noptional"]
    #[serde(rename = "rssi")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rssi: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe source network endpoint for the ADS-B system.\n\noptional"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nTraffic refers to the amount of data transmitted from a ADS-B remote monitoring system at a given point of time. Ex: <code>bytes_in</code> and <code>bytes_out</code>.\n\noptional"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmanned Aerial System\n\nThe Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) <a target='_blank' href='https://cdn.standards.iteh.ai/samples/112830/71297057ac42432880a203654f213709/ASTM-F3411-22a.pdf'>ASTM F3411-22a</a>.\n\nrequired"]
    #[serde(rename = "unmanned_aerial_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmanned_aerial_system: Option<Box<UnmannedAerialSystem>>,
    #[doc = "UAS Operating Area\n\nThe UAS Operating Area object describes details about a precise area of operations for a UAS flight or mission.\n\nrecommended"]
    #[serde(rename = "unmanned_system_operating_area")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmanned_system_operating_area: Option<Box<UnmannedSystemOperatingArea>>,
    #[doc = "Unmanned Systems Operator\n\nThe human or machine operator of an Unmanned System.\n\nrequired"]
    #[serde(rename = "unmanned_system_operator")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmanned_system_operator: Option<Box<User>>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "API Activity\n\nAPI events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)\n\n[UID:6003] Category: application | Name: api_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ApiActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "AI Model\n\nThe AI Model object describes the characteristics of an AI/ML model. Examples include language models like GPT-4, embedding models like text-embedding-ada-002, and computer vision models like CLIP.\n\nrecommended"]
    #[serde(rename = "ai_model")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ai_model: Option<Box<AiModel>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\nrequired"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Application Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>API Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe network destination endpoint.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying http request.\n\nrecommended"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the underlying http response.\n\nrecommended"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Message Context\n\nCommunication context for AI system interactions including protocols, roles, clients, and session information for MCP and other AI communication systems.\n\noptional"]
    #[serde(rename = "message_context")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message_context: Option<Box<MessageContext>>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Resources Array\n\nDetails about resources that were affected by the activity/event.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source of the activity.\n\nrequired"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Trace\n\nThe trace object contains information about distributed traces which are critical to observability and describe how requests move through a system, capturing each step's timing and status.\n\nrecommended"]
    #[serde(rename = "trace")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub trace: Option<Box<Trace>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Application Error\n\nApplication Error events describe issues with an applications. The error message should be put in the event's <code>message</code> attribute. The <code>metadata.product</code> attribute can be used to capture the originating application information. The <code>host</code> profile can used to include the generating device information. This class is helpful for applications that generate or handle OCSF events and can also be used for errors in upstream products and services.\n\n[UID:6008] Category: application | Name: application_error"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ApplicationError {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Application Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Application Error</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe error message as reported by the application.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Application Lifecycle\n\nApplication Lifecycle events report installation, removal, start, stop of an application or service.\n\n[UID:6002] Category: application | Name: application_lifecycle"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ApplicationLifecycle {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application\n\nThe application that was affected by the lifecycle event.  This also applies to self-updating application systems.\n\nrequired"]
    #[serde(rename = "app")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app: Option<Box<Product>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Application Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Application Lifecycle</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Application Security Posture Finding\n\nThe Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile or aggregate this finding into an <code>Incident Finding</code>.\n\n[UID:2007] Category: findings | Name: application_security_posture_finding\n\n**Constraints:**\n* at_least_one: `[application`,`compliance`,`remediation`,`vulnerabilities]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ApplicationSecurityPostureFinding {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the finding activity.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe finding activity name, as defined by the <code>activity_id</code>.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Related Application\n\nAn Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.\n\nrecommended"]
    #[serde(rename = "application")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub application: Option<Box<Application>>,
    #[doc = "Assignee\n\nThe details of the user assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee: Option<Box<User>>,
    #[doc = "Assignee Group\n\nThe details of the group assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee_group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee_group: Option<Box<Group>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Findings</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Application Security Posture Finding</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Comment\n\nA user provided comment about the finding.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Related Compliance\n\nProvides compliance context to vulnerabilities and other weaknesses that are reported as part of an Application Security or Vulnerability Management tool's built-in compliance framework mapping.\n\nrecommended"]
    #[serde(rename = "compliance")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub compliance: Option<Box<Compliance>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nDescribes the affected device/host. If applicable, it can be used in conjunction with <code>Resource(s)</code>. <p> e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.</p>\n\noptional"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Finding Information\n\nDescribes the supporting information about a generated finding.\n\nrequired"]
    #[serde(rename = "finding_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub finding_info: Option<Box<FindingInfo>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Impact\n\nThe impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "impact")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact: Option<String>,
    #[doc = "Impact ID\n\nThe normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.\n\nrecommended"]
    #[serde(rename = "impact_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_id: Option<i64>,
    #[doc = "Impact Score\n\nThe impact as an integer value of the finding, valid range 0-100.\n\nrecommended"]
    #[serde(rename = "impact_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_score: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Suspected Breach\n\nA determination based on analytics as to whether a potential breach was found.\n\noptional"]
    #[serde(rename = "is_suspected_breach")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_suspected_breach: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Priority\n\nThe priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "priority")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<String>,
    #[doc = "Priority ID\n\nThe normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.\n\nrecommended"]
    #[serde(rename = "priority_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified vulnerabilities or weaknesses.\n\nrecommended"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Affected Resources\n\nDescribes details about the resource/resources that are affected by the vulnerability/vulnerabilities.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source URL\n\nA Url link used to access the original incident.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier of the Finding, set by the consumer.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Ticket\n\nThe linked ticket in the ticketing system.\n\noptional"]
    #[serde(rename = "ticket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ticket: Option<Box<Ticket>>,
    #[doc = "Tickets\n\nThe associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.\n\noptional"]
    #[serde(rename = "tickets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tickets: Option<Vec<Ticket>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Vendor Attributes\n\nThe Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like <code>severity_id</code>.<br>The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.\n\noptional"]
    #[serde(rename = "vendor_attributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_attributes: Option<Box<VendorAttributes>>,
    #[doc = "Verdict\n\nThe verdict assigned to an Incident finding.\n\nrecommended"]
    #[serde(rename = "verdict")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict: Option<String>,
    #[doc = "Verdict ID\n\nThe normalized verdict of an Incident.\n\nrecommended"]
    #[serde(rename = "verdict_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict_id: Option<i64>,
    #[doc = "Vulnerabilities\n\nThis object describes vulnerabilities reported in a security finding.\n\nrecommended"]
    #[serde(rename = "vulnerabilities")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vulnerabilities: Option<Vec<Vulnerability>>,
}
#[doc = "Authentication\n\nAuthentication events report authentication session activities, including user attempts to log on or log off, regardless of success, as well as other key stages within the authentication process. These events are typically generated by authentication services, such as Kerberos, OIDC, or SAML, and may include information about the user, the authentication method used, and the status of the authentication attempt.\n\n[UID:3002] Category: iam | Name: authentication\n\n**Constraints:**\n* at_least_one: `[service`,`dst_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Authentication {
    #[doc = "Account Switch Type\n\nThe account switch method, normalized to the caption of the account_switch_type_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "account_switch_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub account_switch_type: Option<String>,
    #[doc = "Account Switch Type ID\n\nThe normalized identifier of the account switch method.\n\nrecommended"]
    #[serde(rename = "account_switch_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub account_switch_type_id: Option<i64>,
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authentication Factors\n\nDescribes a category of methods used for identity verification in an authentication attempt.\n\noptional"]
    #[serde(rename = "auth_factors")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_factors: Option<Vec<AuthFactor>>,
    #[doc = "Auth Protocol\n\nThe authentication protocol as defined by the caption of <code>auth_protocol_id</code>. In the case of <code>Other</code>, it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "auth_protocol")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_protocol: Option<String>,
    #[doc = "Auth Protocol ID\n\nThe normalized identifier of the authentication protocol used to create the user session.\n\nrecommended"]
    #[serde(rename = "auth_protocol_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_protocol_id: Option<i64>,
    #[doc = "Authentication Token\n\nThe authentication token, ticket, or assertion, e.g. <code>Kerberos</code>, <code>OIDC</code>, <code>SAML</code>.\n\noptional"]
    #[serde(rename = "authentication_token")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authentication_token: Option<Box<AuthenticationToken>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Identity & Access Management</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Certificate\n\nThe certificate associated with the authentication or pre-authentication (Kerberos).\n\nrecommended"]
    #[serde(rename = "certificate")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub certificate: Option<Box<Certificate>>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Authentication</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe endpoint to which the authentication was targeted.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\noptional"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the underlying HTTP response.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Cleartext Credentials\n\nIndicates whether the credentials were passed in clear text.<p><b>Note:</b> True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.</p>\n\noptional"]
    #[serde(rename = "is_cleartext")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_cleartext: Option<bool>,
    #[doc = "Multi Factor Authentication\n\nIndicates whether Multi Factor Authentication was used during authentication.\n\nrecommended"]
    #[serde(rename = "is_mfa")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_mfa: Option<bool>,
    #[doc = "New Logon\n\nIndicates logon is from a device not seen before or a first time account logon.\n\noptional"]
    #[serde(rename = "is_new_logon")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_new_logon: Option<bool>,
    #[doc = "Remote\n\nThe attempted authentication is over a remote connection.\n\nrecommended"]
    #[serde(rename = "is_remote")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_remote: Option<bool>,
    #[doc = "Logon Process\n\nThe trusted process that validated the authentication credentials.\n\noptional"]
    #[serde(rename = "logon_process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub logon_process: Option<Box<Process>>,
    #[doc = "Logon Type\n\nThe logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "logon_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub logon_type: Option<String>,
    #[doc = "Logon Type ID\n\nThe normalized logon type identifier.\n\nrecommended"]
    #[serde(rename = "logon_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub logon_type_id: Option<i64>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Service\n\nThe service or gateway to which the user or process is being authenticated\n\nrecommended"]
    #[serde(rename = "service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service: Option<Box<Service>>,
    #[doc = "Session\n\nThe authenticated user or service session.\n\nrecommended"]
    #[serde(rename = "session")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<Box<Session>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source of the IAM activity.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe details about the authentication request. For example, possible details for Windows logon or logoff events are:<ul><li>Success</li><ul><li>LOGOFF_USER_INITIATED</li><li>LOGOFF_OTHER</li></ul><li>Failure</li><ul><li>USER_DOES_NOT_EXIST</li><li>INVALID_CREDENTIALS</li><li>ACCOUNT_DISABLED</li><li>ACCOUNT_LOCKED_OUT</li><li>PASSWORD_EXPIRED</li></ul></ul>\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nThe subject (user/role or account) to authenticate.\n\nrequired"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "Authorize Session\n\nAuthorize Session events report privileges or groups assigned to a new user session, usually at login time.\n\n[UID:3003] Category: iam | Name: authorize_session\n\n**Constraints:**\n* just_one: `[privileges`,`group]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AuthorizeSession {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Identity & Access Management</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Authorize Session</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe Endpoint for which the user session was targeted.\n\noptional"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Group\n\nGroup that was assigned to the new user session.\n\nrecommended"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\noptional"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the underlying HTTP response.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Privileges\n\nThe list of sensitive privileges, assigned to the new user session.\n\nrecommended"]
    #[serde(rename = "privileges")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub privileges: Option<Vec<String>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Session\n\nThe user session with the assigned privileges.\n\nrecommended"]
    #[serde(rename = "session")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<Box<Session>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source of the IAM activity.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nThe user to which new privileges were assigned.\n\nrequired"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "Base Event\n\nThe base event is a generic and concrete event. It also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.\n\n[UID:0] Category: other | Name: base_event"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct BaseEvent {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Base Event</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Cloud Resources Inventory Info\n\nCloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.\n\n[UID:5023] Category: discovery | Name: cloud_resources_inventory_info\n\n**Constraints:**\n* at_least_one: `[cloud`,`container`,`database`,`databucket`,`idp`,`resources`,`table]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct CloudResourcesInventoryInfo {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Cloud Resources Inventory Info</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nCloud service provider or SaaS platform metadata about the cloud resource(s) that are being discovered by an inventory process.\n\nrecommended"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Container\n\nA cloud-based container image or running container discovered by an inventory process.\n\nrecommended"]
    #[serde(rename = "container")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub container: Option<Box<Container>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Database\n\nA cloud-based database discovered by an inventory process.\n\nrecommended"]
    #[serde(rename = "database")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub database: Option<Box<Database>>,
    #[doc = "Databucket\n\nA cloud-based data bucket or other object storage discovered by an inventory process.\n\nrecommended"]
    #[serde(rename = "databucket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub databucket: Option<Box<Databucket>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Identity Provider\n\nThe Identity Provider that is being discovered by an inventory process, or that is related to the cloud resource(s) being discovered by an inventory process.\n\nrecommended"]
    #[serde(rename = "idp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub idp: Option<Box<Idp>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Region\n\nThe cloud region where the resource is located, e.g., <code>us-isof-south-1</code>, <code>eastus2</code>, <code>us-central1</code>, etc.\n\nrecommended"]
    #[serde(rename = "region")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    #[doc = "Cloud Resources\n\nThe cloud resource(s) that are being discovered by an inventory process. Use this object if there is not a direct object match in the class.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Table\n\nA cloud-based database table discovered by an inventory process.\n\nrecommended"]
    #[serde(rename = "table")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub table: Option<Box<Table>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Compliance Finding\n\nCompliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as <code>NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001</code> etc. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile or aggregate this finding into an <code>Incident Finding</code>.\n\n[UID:2003] Category: findings | Name: compliance_finding"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ComplianceFinding {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the finding activity.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe finding activity name, as defined by the <code>activity_id</code>.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Assignee\n\nThe details of the user assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee: Option<Box<User>>,
    #[doc = "Assignee Group\n\nThe details of the group assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee_group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee_group: Option<Box<Group>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Findings</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Compliance Finding</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Comment\n\nA user provided comment about the finding.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Compliance\n\nThe compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.\n\nrequired"]
    #[serde(rename = "compliance")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub compliance: Option<Box<Compliance>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nDescribes the affected device/host. If applicable, it can be used in conjunction with <code>Resource(s)</code>. <p> e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.</p>\n\noptional"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Evidence Artifacts\n\nDescribes various evidence artifacts associated with the compliance finding.\n\noptional"]
    #[serde(rename = "evidences")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub evidences: Option<Vec<Evidences>>,
    #[doc = "Finding Information\n\nDescribes the supporting information about a generated finding.\n\nrequired"]
    #[serde(rename = "finding_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub finding_info: Option<Box<FindingInfo>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Impact\n\nThe impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "impact")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact: Option<String>,
    #[doc = "Impact ID\n\nThe normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.\n\nrecommended"]
    #[serde(rename = "impact_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_id: Option<i64>,
    #[doc = "Impact Score\n\nThe impact as an integer value of the finding, valid range 0-100.\n\nrecommended"]
    #[serde(rename = "impact_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_score: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Suspected Breach\n\nA determination based on analytics as to whether a potential breach was found.\n\noptional"]
    #[serde(rename = "is_suspected_breach")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_suspected_breach: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Priority\n\nThe priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "priority")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<String>,
    #[doc = "Priority ID\n\nThe normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.\n\nrecommended"]
    #[serde(rename = "priority_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\nrecommended"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Resource\n\nDescribes details about the resource that is the subject of the compliance check.\n\nrecommended"]
    #[serde(rename = "resource")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource: Option<Box<ResourceDetails>>,
    #[doc = "Resources Array\n\nDescribes details about the resource/resources that are the subject of the compliance check.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source URL\n\nA Url link used to access the original incident.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier of the Finding, set by the consumer.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Ticket\n\nThe linked ticket in the ticketing system.\n\noptional"]
    #[serde(rename = "ticket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ticket: Option<Box<Ticket>>,
    #[doc = "Tickets\n\nThe associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.\n\noptional"]
    #[serde(rename = "tickets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tickets: Option<Vec<Ticket>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Vendor Attributes\n\nThe Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like <code>severity_id</code>.<br>The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.\n\noptional"]
    #[serde(rename = "vendor_attributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_attributes: Option<Box<VendorAttributes>>,
    #[doc = "Verdict\n\nThe verdict assigned to an Incident finding.\n\nrecommended"]
    #[serde(rename = "verdict")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict: Option<String>,
    #[doc = "Verdict ID\n\nThe normalized verdict of an Incident.\n\nrecommended"]
    #[serde(rename = "verdict_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict_id: Option<i64>,
}
#[doc = "Device Config State\n\nDevice Config State events report device configuration data, device assessments, and/or CIS Benchmark results.\n\n[UID:5002] Category: discovery | Name: config_state"]
#[deprecated(note = "Use <code>Compliance Finding</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ConfigState {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Related Assessments\n\nA list of assessments associated with the device.\n\noptional"]
    #[serde(rename = "assessments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assessments: Option<Vec<Assessment>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "CIS Benchmark Result\n\nThe CIS Benchmark Result object captures results generated from benchmark evaluations as defined by the Center for Internet Security (<a target='_blank' href='https://www.cisecurity.org/cis-benchmarks/'>CIS</a>).\n\nrecommended"]
    #[serde(rename = "cis_benchmark_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cis_benchmark_result: Option<Box<CisBenchmarkResult>>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Device Config State</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nThe device that is being discovered by an inventory process.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Data Security Finding\n\nA Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile  or aggregate this finding into an <code>Incident Finding</code>.\n\n[UID:2006] Category: findings | Name: data_security_finding"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DataSecurityFinding {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the Data Security Finding activity.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe Data Security finding activity name, as defined by the <code>activity_id</code>.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nDescribes details about the actor implicated in the data security finding. Either an actor that owns a particular digital file or information store, or an actor which accessed classified or sensitive data.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Assignee\n\nThe details of the user assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee: Option<Box<User>>,
    #[doc = "Assignee Group\n\nThe details of the group assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee_group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee_group: Option<Box<Group>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Findings</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Data Security Finding</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Comment\n\nA user provided comment about the finding.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Data Security\n\nThe Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).\n\nrecommended"]
    #[serde(rename = "data_security")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_security: Option<Box<DataSecurity>>,
    #[doc = "Database\n\nDescribes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data.\n\nrecommended"]
    #[serde(rename = "database")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub database: Option<Box<Database>>,
    #[doc = "Databucket\n\nDescribes the databucket where classified or sensitive data is stored in, or was accessed from. The data bucket object is a basic container that holds data, typically organized through the use of data partitions.\n\nrecommended"]
    #[serde(rename = "databucket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub databucket: Option<Box<Databucket>>,
    #[doc = "Device\n\nDescribes the device where classified or sensitive data is stored in, or was accessed from.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nDescribes the endpoint where classified or sensitive data is stored in, or was accessed from.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nDescribes a file that contains classified or sensitive data.\n\nrecommended"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Finding Information\n\nDescribes the supporting information about a generated finding.\n\nrequired"]
    #[serde(rename = "finding_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub finding_info: Option<Box<FindingInfo>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Impact\n\nThe impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "impact")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact: Option<String>,
    #[doc = "Impact ID\n\nThe normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.\n\noptional"]
    #[serde(rename = "impact_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_id: Option<i64>,
    #[doc = "Impact Score\n\nThe impact as an integer value of the finding, valid range 0-100.\n\noptional"]
    #[serde(rename = "impact_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_score: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. For example, an <code>activity_id</code> of 'Create' could constitute an alertable signal and the value would be <code>true</code>, while 'Close' likely would not and either omit the attribute or set its value to <code>false</code>.  Note that other events with the <code>security_control</code> profile may also be deemed alertable signals and may also carry <code>is_alert = true</code> attributes.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Suspected Breach\n\nA determination based on analytics as to whether a potential breach was found.\n\noptional"]
    #[serde(rename = "is_suspected_breach")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_suspected_breach: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Priority\n\nThe priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "priority")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<String>,
    #[doc = "Priority ID\n\nThe normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.\n\nrecommended"]
    #[serde(rename = "priority_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Additional Resources\n\nDescribes details about additional resources, where classified or sensitive data is stored in, or was accessed from. <p> You can populate this object, if the specific resource type objects available in the class (<code>database, databucket, table, file</code>) aren't sufficient; OR <br> You can also choose to duplicate <code>uid, name</code> of the specific resources objects, for a consistent access to resource uids across all findings.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source endpoint where classified or sensitive data was accessed from.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Source URL\n\nA Url link used to access the original incident.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier of the Finding, set by the consumer.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Table\n\nDescribes the table where classified or sensitive data is stored in, or was accessed from. The table object represents a table within a structured relational database, warehouse, lake, or similar.\n\nrecommended"]
    #[serde(rename = "table")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub table: Option<Box<Table>>,
    #[doc = "Ticket\n\nThe linked ticket in the ticketing system.\n\noptional"]
    #[serde(rename = "ticket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ticket: Option<Box<Ticket>>,
    #[doc = "Tickets\n\nThe associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.\n\noptional"]
    #[serde(rename = "tickets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tickets: Option<Vec<Ticket>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Vendor Attributes\n\nThe Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like <code>severity_id</code>.<br>The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.\n\noptional"]
    #[serde(rename = "vendor_attributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_attributes: Option<Box<VendorAttributes>>,
    #[doc = "Verdict\n\nThe verdict assigned to an Incident finding.\n\nrecommended"]
    #[serde(rename = "verdict")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict: Option<String>,
    #[doc = "Verdict ID\n\nThe normalized verdict of an Incident.\n\nrecommended"]
    #[serde(rename = "verdict_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict_id: Option<i64>,
}
#[doc = "Datastore Activity\n\nDatastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).\n\n[UID:6005] Category: application | Name: datastore_activity\n\n**Constraints:**\n* at_least_one: `[database`,`databucket`,`table]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DatastoreActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "AI Model\n\nThe AI Model object describes the characteristics of an AI/ML model. Examples include language models like GPT-4, embedding models like text-embedding-ada-002, and computer vision models like CLIP.\n\nrecommended"]
    #[serde(rename = "ai_model")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ai_model: Option<Box<AiModel>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Application Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Datastore Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Database\n\nThe database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.\n\nrecommended"]
    #[serde(rename = "database")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub database: Option<Box<Database>>,
    #[doc = "Databucket\n\nThe data bucket object is a basic container that holds data, typically organized through the use of data partitions.\n\nrecommended"]
    #[serde(rename = "databucket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub databucket: Option<Box<Databucket>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nDetails about the endpoint hosting the datastore application or service.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying http request.\n\nrecommended"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the underlying http response.\n\nrecommended"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Message Context\n\nCommunication context for AI system interactions including protocols, roles, clients, and session information for MCP and other AI communication systems.\n\noptional"]
    #[serde(rename = "message_context")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message_context: Option<Box<MessageContext>>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source of the activity.\n\nrequired"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Table\n\nThe table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.\n\nrecommended"]
    #[serde(rename = "table")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub table: Option<Box<Table>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Datastore Type\n\nThe datastore resource type (e.g. database, datastore, or table).\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Datastore Type ID\n\nThe normalized datastore resource type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Detection Finding\n\nA Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile  or aggregate this finding into an <code>Incident Finding</code>.\n\n[UID:2004] Category: findings | Name: detection_finding"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DetectionFinding {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the finding activity.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe finding activity name, as defined by the <code>activity_id</code>.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "Anomaly Analyses\n\nDescribes baseline information about normal activity patterns, along with any detected deviations or anomalies that triggered this finding.\n\noptional"]
    #[serde(rename = "anomaly_analyses")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub anomaly_analyses: Option<Vec<AnomalyAnalysis>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Assignee\n\nThe details of the user assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee: Option<Box<User>>,
    #[doc = "Assignee Group\n\nThe details of the group assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee_group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee_group: Option<Box<Group>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Findings</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Detection Finding</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Comment\n\nA user provided comment about the finding.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nDescribes the affected device/host. If applicable, it can be used in conjunction with <code>Resource(s)</code>. <p> e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.</p>\n\noptional"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Evidence Artifacts\n\nDescribes various evidence artifacts associated to the activity/activities that triggered a security detection.\n\nrecommended"]
    #[serde(rename = "evidences")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub evidences: Option<Vec<Evidences>>,
    #[doc = "Finding Information\n\nDescribes the supporting information about a generated finding.\n\nrequired"]
    #[serde(rename = "finding_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub finding_info: Option<Box<FindingInfo>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Impact\n\nThe impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "impact")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact: Option<String>,
    #[doc = "Impact ID\n\nThe normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.\n\noptional"]
    #[serde(rename = "impact_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_id: Option<i64>,
    #[doc = "Impact Score\n\nThe impact as an integer value of the finding, valid range 0-100.\n\noptional"]
    #[serde(rename = "impact_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_score: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. For example, an <code>activity_id</code> of 'Create' could constitute an alertable signal and the value would be <code>true</code>, while 'Close' likely would not and either omit the attribute or set its value to <code>false</code>.  Note that other events with the <code>security_control</code> profile may also be deemed alertable signals and may also carry <code>is_alert = true</code> attributes.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Suspected Breach\n\nA determination based on analytics as to whether a potential breach was found.\n\noptional"]
    #[serde(rename = "is_suspected_breach")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_suspected_breach: Option<bool>,
    #[doc = "Malware\n\nDescribes malware reported in a Detection Finding.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about malware scan job that triggered this Detection Finding.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Priority\n\nThe priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "priority")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<String>,
    #[doc = "Priority ID\n\nThe normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.\n\nrecommended"]
    #[serde(rename = "priority_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Affected Resources\n\nDescribes details about resources that were the target of the activity that triggered the finding.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source URL\n\nA Url link used to access the original incident.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier of the Finding, set by the consumer.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Ticket\n\nThe linked ticket in the ticketing system.\n\noptional"]
    #[serde(rename = "ticket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ticket: Option<Box<Ticket>>,
    #[doc = "Tickets\n\nThe associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.\n\noptional"]
    #[serde(rename = "tickets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tickets: Option<Vec<Ticket>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Vendor Attributes\n\nThe Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like <code>severity_id</code>.<br>The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.\n\noptional"]
    #[serde(rename = "vendor_attributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_attributes: Option<Box<VendorAttributes>>,
    #[doc = "Verdict\n\nThe verdict assigned to an Incident finding.\n\nrecommended"]
    #[serde(rename = "verdict")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict: Option<String>,
    #[doc = "Verdict ID\n\nThe normalized verdict of an Incident.\n\nrecommended"]
    #[serde(rename = "verdict_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict_id: Option<i64>,
    #[doc = "Vulnerabilities\n\nDescribes vulnerabilities reported in a Detection Finding.\n\noptional"]
    #[serde(rename = "vulnerabilities")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vulnerabilities: Option<Vec<Vulnerability>>,
}
#[doc = "Device Config State Change\n\nDevice Config State Change events report state changes that impact the security of the device.\n\n[UID:5019] Category: discovery | Name: device_config_state_change"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DeviceConfigStateChange {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Device Config State Change</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nThe device that is impacted by the state change.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Previous Security Level\n\nThe previous security level of the entity\n\nrecommended"]
    #[serde(rename = "prev_security_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub prev_security_level: Option<String>,
    #[doc = "Previous Security Level ID\n\nThe previous security level of the entity\n\nrecommended"]
    #[serde(rename = "prev_security_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub prev_security_level_id: Option<i64>,
    #[doc = "Previous Security States\n\nThe previous security states of the device.\n\nrecommended"]
    #[serde(rename = "prev_security_states")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub prev_security_states: Option<Vec<SecurityState>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Security Level\n\nThe current security level of the entity\n\nrecommended"]
    #[serde(rename = "security_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub security_level: Option<String>,
    #[doc = "Security Level ID\n\nThe current security level of the entity\n\nrecommended"]
    #[serde(rename = "security_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub security_level_id: Option<i64>,
    #[doc = "Security States\n\nThe current security states of the device.\n\nrecommended"]
    #[serde(rename = "security_states")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub security_states: Option<Vec<SecurityState>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Config Change State\n\nThe Config Change Stat, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "Config Change State ID\n\nThe Config Change State of the managed entity.\n\nrecommended"]
    #[serde(rename = "state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state_id: Option<i64>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "DHCP Activity\n\nDHCP Activity events report MAC to IP assignment via DHCP from a client or server.\n\n[UID:4004] Category: network | Name: dhcp_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DhcpActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>DHCP Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) of the DHCP connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Renewal\n\nIndicates whether this is a lease/session renewal event.\n\nrecommended"]
    #[serde(rename = "is_renewal")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_renewal: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Lease Duration\n\nThis represents the length of the DHCP lease in seconds. This is present in DHCP Ack events.\n\nrecommended"]
    #[serde(rename = "lease_dur")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub lease_dur: Option<i64>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Relay\n\nThe network relay that is associated with the event.\n\nrecommended"]
    #[serde(rename = "relay")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub relay: Option<Box<NetworkInterface>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the DHCP connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Transaction UID\n\nThe unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair.\n\nrecommended"]
    #[serde(rename = "transaction_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub transaction_uid: Option<String>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "DNS Activity\n\nDNS Activity events report DNS queries and answers as seen on the network.\n\n[UID:4003] Category: network | Name: dns_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DnsActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "DNS Answer\n\nThe Domain Name System (DNS) answers.\n\nrecommended"]
    #[serde(rename = "answers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub answers: Option<Vec<DnsAnswer>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>DNS Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\noptional"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "DNS Query\n\nThe Domain Name System (DNS) query.\n\nrecommended"]
    #[serde(rename = "query")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query: Option<Box<DnsQuery>>,
    #[doc = "Query Time\n\nThe Domain Name System (DNS) query time.\n\nrecommended"]
    #[serde(rename = "query_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_time: Option<i64>,
    #[doc = "Query Time\n\nThe Domain Name System (DNS) query time.\n\noptional"]
    #[serde(rename = "query_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_time_dt: Option<String>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Response Code\n\nThe DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "rcode")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rcode: Option<String>,
    #[doc = "Response Code ID\n\nThe normalized identifier of the DNS server response code. See <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc6895'>RFC-6895</a>.\n\nrecommended"]
    #[serde(rename = "rcode_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rcode_id: Option<i64>,
    #[doc = "Response Time\n\nThe Domain Name System (DNS) response time.\n\nrecommended"]
    #[serde(rename = "response_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub response_time: Option<i64>,
    #[doc = "Response Time\n\nThe Domain Name System (DNS) response time.\n\noptional"]
    #[serde(rename = "response_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub response_time_dt: Option<String>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the network connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\noptional"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Drone Flights Activity\n\nDrone Flights Activity events report the activity of Unmanned Aerial Systems (UAS), their Operators, and mission-planning and authorization metadata as reported by the UAS platforms themselves, by Counter-UAS (CUAS) systems, or other remote monitoring or sensing infrastructure. Based on the Remote ID defined in Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) <a target='_blank' href='https://cdn.standards.iteh.ai/samples/112830/71297057ac42432880a203654f213709/ASTM-F3411-22a.pdf'>ASTM F3411-22a</a>\n\n[UID:8001] Category: unmanned_systems | Name: drone_flights_activity\n\n**Constraints:**\n* at_least_one: `[src_endpoint`,`unmanned_aerial_system`,`unmanned_system_operator`,`unmanned_system_operating_area]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DroneFlightsActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authentication Type\n\nThe authentication type as defined by the caption of <code>auth_protocol_id</code>. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "auth_protocol")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_protocol: Option<String>,
    #[doc = "Authentication Type ID\n\nThe normalized identifier of the authentication type used to authorize a flight plan or mission.\n\noptional"]
    #[serde(rename = "auth_protocol_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_protocol_id: Option<i64>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Unmanned Systems</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Drone Flights Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Classification Type\n\nUA Classification - Allows a region to classify UAS in a regional specific manner. The format may differ from region to region.\n\noptional"]
    #[serde(rename = "classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub classification: Option<String>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Operation Description\n\nThis optional, free-text field enables the operator to describe the purpose of a flight, if so desired.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe destination network endpoint of the Unmanned Aerial System (UAS), Counter Unmanned Aerial System (CUAS) platform, or other unmanned systems monitoring and/or sensing infrastructure.\n\nrequired"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Remote ID Protocol\n\nThe networking protocol associated with the Remote ID device or beacon. E.g. <code>BLE</code>, <code>LTE</code>, <code>802.11</code>.\n\noptional"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe source network endpoint of the Unmanned Aerial System (UAS), Counter Unmanned Aerial System (CUAS) platform, or other unmanned systems monitoring and/or sensing infrastructure.\n\noptional"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Operational Status\n\nThe normalized Operational status for the Unmanned Aerial System (UAS) normalized to the caption of the <code>status_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Operational Status ID\n\nThe normalized Operational status identifier for the Unmanned Aerial System (UAS).\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nTraffic refers to the amount of data transmitted from a Unmanned Aerial System (UAS) or Counter Unmanned Aerial System (UAS) (CUAS) system at a given point of time. Ex: <code>bytes_in</code> and <code>bytes_out</code>.\n\noptional"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmanned Aerial System\n\nThe Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) <a target='_blank' href='https://cdn.standards.iteh.ai/samples/112830/71297057ac42432880a203654f213709/ASTM-F3411-22a.pdf'>ASTM F3411-22a</a>.\n\nrequired"]
    #[serde(rename = "unmanned_aerial_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmanned_aerial_system: Option<Box<UnmannedAerialSystem>>,
    #[doc = "UAS Operating Area\n\nThe UAS Operating Area object describes details about a precise area of operations for a UAS flight or mission.\n\nrecommended"]
    #[serde(rename = "unmanned_system_operating_area")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmanned_system_operating_area: Option<Box<UnmannedSystemOperatingArea>>,
    #[doc = "Unmanned Systems Operator\n\nThe human or machine operator of an Unmanned System.\n\nrequired"]
    #[serde(rename = "unmanned_system_operator")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmanned_system_operator: Option<Box<User>>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Email Activity\n\nEmail Activity events report SMTP protocol and email activities including those with embedded URLs and files. See the <code>Email</code> object for details.\n\n[UID:4009] Category: network | Name: email_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EmailActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Attempt\n\nThe attempt number for attempting to deliver the email.\n\noptional"]
    #[serde(rename = "attempt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attempt: Option<i64>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Protocol Banner\n\nThe initial connection response that a messaging server receives after it connects to an email server.\n\noptional"]
    #[serde(rename = "banner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub banner: Option<String>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Email Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Command\n\nThe command issued by the initiator (client), such as SMTP HELO or EHLO.\n\nrecommended"]
    #[serde(rename = "command")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Direction\n\nThe direction of the email, as defined by the <code>direction_id</code> value.\n\noptional"]
    #[serde(rename = "direction")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub direction: Option<String>,
    #[doc = "Direction ID\n\n<p>The direction of the email relative to the scanning host or organization.</p>Email scanned at an internet gateway might be characterized as inbound to the organization from the Internet, outbound from the organization to the Internet, or internal within the organization. Email scanned at a workstation might be characterized as inbound to, or outbound from the workstation.\n\nrequired"]
    #[serde(rename = "direction_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub direction_id: Option<i64>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) receiving the email.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "Email\n\nThe email object.\n\nrequired"]
    #[serde(rename = "email")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email: Option<Box<Email>>,
    #[doc = "Email Authentication\n\nThe SPF, DKIM and DMARC attributes of an email.\n\nrecommended"]
    #[serde(rename = "email_auth")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_auth: Option<Box<EmailAuth>>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "From\n\nThe sender address from the transmission envelope. This reflects the actual sending party and may differ from the 'From' header in the message.\n\nrecommended"]
    #[serde(rename = "from")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub from: Option<String>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Message Trace UID\n\nThe identifier that tracks a message that travels through multiple points of a messaging service.\n\nrecommended"]
    #[serde(rename = "message_trace_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message_trace_uid: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Protocol Name\n\nThe Protocol Name specifies the email communication protocol, such as SMTP, IMAP, or POP3.\n\nrecommended"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "SMTP Hello\n\nThe value of the SMTP HELO or EHLO command sent by the initiator (client).\n\nrecommended"]
    #[serde(rename = "smtp_hello")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub smtp_hello: Option<String>,
    #[doc = "Source Endpoint\n\nThe initiator (client) sending the email.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "To\n\nThe recipient address from the transmission envelope. This may differ from the 'To' header and represents where the message was actually delivered.\n\nrecommended"]
    #[serde(rename = "to")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub to: Option<Vec<String>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Email File Activity\n\nEmail File Activity events report files within emails.\n\n[UID:4011] Category: network | Name: email_file_activity"]
#[deprecated(
    note = "Use the <code>Email Activity</code> class with the <code>email.files[]</code> array instead. (Since 1.3.0)"
)]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EmailFileActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Email File Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "Email UID\n\nThe unique identifier of the email, used to correlate related email alert and activity events.\n\nrequired"]
    #[serde(rename = "email_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_uid: Option<String>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe email file attachment.\n\nrequired"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Email URL Activity\n\nEmail URL Activity events report URLs within an email.\n\n[UID:4012] Category: network | Name: email_url_activity"]
#[deprecated(
    note = "Use the <code>Email Activity</code> class with the <code>email.urls[]</code> array instead. (Since 1.3.0)"
)]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EmailUrlActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Email URL Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "Email UID\n\nThe unique identifier of the email, used to correlate related email alert and activity events.\n\nrequired"]
    #[serde(rename = "email_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_uid: Option<String>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "URL\n\nThe URL included in the email content.\n\nrequired"]
    #[serde(rename = "url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url: Option<Box<Url>>,
}
#[doc = "Entity Management\n\nEntity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.\n\n[UID:3004] Category: iam | Name: entity_management"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EntityManagement {
    #[doc = "Access List\n\nThe list of requested access rights.\n\noptional"]
    #[serde(rename = "access_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_list: Option<Vec<String>>,
    #[doc = "Access Mask\n\nThe access mask in a platform-native format.\n\noptional"]
    #[serde(rename = "access_mask")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_mask: Option<i64>,
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Identity & Access Management</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Entity Management</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Comment\n\nThe user provided comment about why the entity was changed.\n\nrecommended"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Entity\n\nThe managed entity that is being acted upon.\n\nrequired"]
    #[serde(rename = "entity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub entity: Option<Box<ManagedEntity>>,
    #[doc = "Entity Result\n\nThe updated managed entity.\n\nrecommended"]
    #[serde(rename = "entity_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub entity_result: Option<Box<ManagedEntity>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\noptional"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the underlying HTTP response.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source of the IAM activity.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Event Log Activity\n\nEvent Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data.\n\n[UID:1008] Category: system | Name: event_log_actvity\n\n**Constraints:**\n* at_least_one: `[log_file`,`log_name`,`log_provider`,`log_type`,`log_type_id]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EventLogActvity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Event Log Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nThe device that reported the event.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe <p style='display:inline;color:red'>targeted</p> endpoint for the event log activity.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file <p style='display:inline;color:red'>targeted by</p> the activity. Example: <code>/var/log/audit.log</code>\n\nrecommended"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Log Name\n\nThe name of the event log <p style='display:inline;color:red'>targeted by</p> the activity. Example: Windows <code>Security</code>.\n\nrecommended"]
    #[serde(rename = "log_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_name: Option<String>,
    #[doc = "Log Provider\n\nThe logging provider or logging service <p style='display:inline;color:red'>targeted by</p> the activity.<br />Example: <code>Microsoft-Windows-Security-Auditing</code>, <code>Auditd</code>, or <code>Syslog</code>.\n\nrecommended"]
    #[serde(rename = "log_provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_provider: Option<String>,
    #[doc = "Log Type\n\nThe log type, normalized to the caption of the <code>log_type_id</code> value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "log_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_type: Option<String>,
    #[doc = "Log Type ID\n\nThe normalized log type identifier.\n\nrecommended"]
    #[serde(rename = "log_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_type_id: Option<i64>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe source endpoint for the event log activity.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br />Example: <code>0</code>, <code>8</code>, or <code>21</code> for <a target='_blank' href='https://learn.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/cleareventlog-method-in-class-win32-nteventlogfile'>Windows ClearEventLog</a>.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event outcome.<br />Example: <code>Success</code>, <code>Privilege Missing</code>, or <code>Invalid Parameter</code> for <a target='_blank' href='https://learn.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/cleareventlog-method-in-class-win32-nteventlogfile'>Windows ClearEventLog</a>.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Live Evidence Info\n\nData collected directly from devices that represents forensic information pulled, queried, or discovered from devices that may indicate malicious activity. It contains a number of child objects, each representing a distinct evidence domain (network connections, file artifacts, registry entries, etc.). When mapping raw telemetry data users should select Query Evidence and then the appropriate child object that best matches the evidence type.\n\n[UID:5040] Category: discovery | Name: evidence_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EvidenceInfo {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Live Evidence Info</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host from which evidence was collected.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Evidence\n\nThe specific resulting evidence information that was queried or discovered based on the query type. Contains various child objects corresponding to the query_type_id values.\n\nrequired"]
    #[serde(rename = "query_evidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_evidence: Option<Box<QueryEvidence>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "File System Activity\n\nFile System Activity events report when a process performs an action on a file or folder.\n\n[UID:1001] Category: system | Name: file_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FileActivity {
    #[doc = "Access Mask\n\nThe access mask in a platform-native format.\n\noptional"]
    #[serde(rename = "access_mask")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_mask: Option<i64>,
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity on the <code>file</code> object\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>File System Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Component\n\n<p>The name or relative pathname of a sub-component of the data object, if applicable. </p>For example: <code>attachment.doc</code>, <code>attachment.zip/bad.doc</code>, or <code>part.mime/part.cab/part.uue/part.doc</code>.\n\nrecommended"]
    #[serde(rename = "component")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub component: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Identifier\n\nThe network connection identifier.\n\noptional"]
    #[serde(rename = "connection_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_uid: Option<String>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Create Mask\n\nThe original Windows mask that is required to create the object.\n\nrecommended"]
    #[serde(rename = "create_mask")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub create_mask: Option<String>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file that is the target of the activity.\n\nrequired"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "File Diff\n\nFile content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.\n\nrecommended"]
    #[serde(rename = "file_diff")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file_diff: Option<String>,
    #[doc = "File Result\n\nThe resulting file object when the activity was allowed and successful.\n\nrecommended"]
    #[serde(rename = "file_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file_result: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "File Hosting Activity\n\nFile Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, Google Drive, or network file share services.\n\n[UID:6006] Category: application | Name: file_hosting"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FileHosting {
    #[doc = "Access List\n\nThe list of requested access rights.\n\noptional"]
    #[serde(rename = "access_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_list: Option<Vec<String>>,
    #[doc = "Access Mask\n\nThe sum of hexadecimal values of requested access rights.\n\noptional"]
    #[serde(rename = "access_mask")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_mask: Option<i64>,
    #[doc = "Access Check Result\n\nThe list of access check results.\n\noptional"]
    #[serde(rename = "access_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_result: Option<serde_json::Value>,
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity on the target file.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Application Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>File Hosting Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\noptional"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe endpoint that received the activity on the target file.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Expiration Time\n\nThe share expiration time.\n\noptional"]
    #[serde(rename = "expiration_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time: Option<i64>,
    #[doc = "Expiration Time\n\nThe share expiration time.\n\noptional"]
    #[serde(rename = "expiration_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time_dt: Option<String>,
    #[doc = "File\n\nThe file that is the target of the activity.\n\nrequired"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "File Result\n\nThe resulting file object when the activity was allowed and successful.\n\noptional"]
    #[serde(rename = "file_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file_result: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\nrecommended"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the HTTP response, if available.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Share\n\nThe share name.\n\noptional"]
    #[serde(rename = "share")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub share: Option<String>,
    #[doc = "Share Type\n\nThe share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "share_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub share_type: Option<String>,
    #[doc = "Share Type ID\n\nThe normalized identifier of the share type.\n\noptional"]
    #[serde(rename = "share_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub share_type_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe endpoint that performed the activity on the target file.\n\nrequired"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "File Query\n\nFile Query events report information about files that are present on the system.\n\n[UID:5007] Category: discovery | Name: file_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FileQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>File Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file that is the target of the query.\n\nrequired"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "File Remediation Activity\n\nFile Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Sub-techniques will include File, such as File Removal or Restore File.\n\n[UID:7002] Category: remediation | Name: file_remediation_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FileRemediationActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nMatches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Remediation</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>File Remediation Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Command UID\n\nThe unique identifier of the remediation command that pertains to this event.\n\nrequired"]
    #[serde(rename = "command_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command_uid: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Countermeasures\n\nThe MITRE D3FEND™ Matrix Countermeasures associated with a remediation.\n\nrecommended"]
    #[serde(rename = "countermeasures")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub countermeasures: Option<Vec<D3fend>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file that pertains to the remediation event.\n\nrequired"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Scan\n\nThe remediation scan that pertains to this event.\n\noptional"]
    #[serde(rename = "scan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scan: Option<Box<Scan>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Folder Query\n\nFolder Query events report information about folders that are present on the system.\n\n[UID:5008] Category: discovery | Name: folder_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FolderQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Folder Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Folder\n\nThe folder that is the target of the query.\n\nrequired"]
    #[serde(rename = "folder")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub folder: Option<Box<File>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "FTP Activity\n\nFile Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.\n\n[UID:4008] Category: network | Name: ftp_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FtpActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>FTP Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Response Codes\n\nThe list of return codes to the FTP command.\n\nrecommended"]
    #[serde(rename = "codes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub codes: Option<Vec<i64>>,
    #[doc = "Command\n\nThe FTP command.\n\nrecommended"]
    #[serde(rename = "command")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command: Option<String>,
    #[doc = "Command Responses\n\nThe list of responses to the FTP command.\n\nrecommended"]
    #[serde(rename = "command_responses")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command_responses: Option<Vec<String>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file that is the target of the FTP activity.\n\noptional"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Name\n\nThe name of the data affiliated with the command.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Port\n\nThe dynamic port established for impending data transfers.\n\nrecommended"]
    #[serde(rename = "port")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub port: Option<i64>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the network connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type\n\nThe type of FTP network connection (e.g. active, passive).\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Group Management\n\nGroup Management events report management updates to a group, including updates to membership and permissions.\n\n[UID:3006] Category: iam | Name: group_management"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct GroupManagement {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Identity & Access Management</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Group Management</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Group\n\nGroup that was the target of the event.\n\nrequired"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\noptional"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the underlying HTTP response.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Privileges\n\nA list of privileges assigned to the group.\n\nrecommended"]
    #[serde(rename = "privileges")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub privileges: Option<Vec<String>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Resource\n\nResource that the privileges give access to.\n\nrecommended"]
    #[serde(rename = "resource")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource: Option<Box<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source of the IAM activity.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Subgroup\n\nA subgroup that was added to or removed from the group.\n\nrecommended"]
    #[serde(rename = "subgroup")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subgroup: Option<Box<Group>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nA user that was added to or removed from the group.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "HTTP Activity\n\nHTTP Activity events report HTTP connection and traffic information.\n\n[UID:4002] Category: network | Name: http_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct HttpActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>HTTP Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file that is the target of the HTTP activity.\n\noptional"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Cookies\n\nThe cookies object describes details about HTTP cookies\n\nrecommended"]
    #[serde(rename = "http_cookies")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_cookies: Option<Vec<HttpCookie>>,
    #[doc = "HTTP Request\n\nThe HTTP Request Object documents attributes of a request made to a web server.\n\nrecommended"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nThe HTTP Response from a web server to a requester.\n\nrecommended"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "HTTP Status\n\nThe Hypertext Transfer Protocol (HTTP) <a target='_blank' href='https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml'>status code</a> returned to the client.\n\nrecommended"]
    #[serde(rename = "http_status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_status: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the network connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Trace\n\nThe trace object contains information about distributed traces which are critical to observability and describe how requests move through a system, capturing each step's timing and status.\n\nrecommended"]
    #[serde(rename = "trace")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub trace: Option<Box<Trace>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "IAM Analysis Finding\n\nThis finding represents an IAM analysis result, which evaluates IAM policies, access patterns, and IAM configurations for potential security risks. The analysis can focus on either an identity (user, role, service account) or a resource to assess permissions, access patterns, and security posture within the IAM domain. <br><strong>Note:</strong> Use <code>permission_analysis_results</code> for identity-centric analysis (evaluating what an identity can do) and <code>access_analysis_result</code> for resource-centric analysis (evaluating who can access a resource). These complement each other for comprehensive IAM security assessment.<br><strong>Note:</strong> If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile or aggregate this finding into an <code>Incident Finding</code>.\n\n[UID:2008] Category: findings | Name: iam_analysis_finding\n\n**Constraints:**\n* at_least_one: `[access_analysis_result`,`applications`,`identity_activity_metrics`,`permission_analysis_results]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct IamAnalysisFinding {
    #[doc = "Access Analysis Result\n\nDescribes access relationships and pathways between identities, resources, focusing on who can access what and through which mechanisms. This evaluates access levels (read/write/admin), access types (direct, cross-account, public, federated), and the conditions under which access is granted. Use this for resource-centric security assessments such as external access discovery, public exposure analysis, etc.\n\noptional"]
    #[serde(rename = "access_analysis_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_analysis_result: Option<Box<AccessAnalysisResult>>,
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the finding activity.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe finding activity name, as defined by the <code>activity_id</code>.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Applications\n\nDetails about applications, services, or systems that are accessible based on the IAM analysis. For identity-centric analysis, this represents applications the identity can access. For resource-centric analysis, this represents applications that can access the resource.\n\nrecommended"]
    #[serde(rename = "applications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub applications: Option<Vec<Application>>,
    #[doc = "Assignee\n\nThe details of the user assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee: Option<Box<User>>,
    #[doc = "Assignee Group\n\nThe details of the group assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee_group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee_group: Option<Box<Group>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Findings</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>IAM Analysis Finding</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Comment\n\nA user provided comment about the finding.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nDescribes the affected device/host. If applicable, it can be used in conjunction with <code>Resource(s)</code>. <p> e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.</p>\n\noptional"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Finding Information\n\nDescribes the supporting information about a generated finding.\n\nrequired"]
    #[serde(rename = "finding_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub finding_info: Option<Box<FindingInfo>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Identity Activity Metrics\n\nDescribes usage activity and other metrics of an Identity i.e. AWS IAM User, GCP IAM Principal, etc.\n\nrecommended"]
    #[serde(rename = "identity_activity_metrics")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub identity_activity_metrics: Option<Box<IdentityActivityMetrics>>,
    #[doc = "Impact\n\nThe impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "impact")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact: Option<String>,
    #[doc = "Impact ID\n\nThe normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.\n\nrecommended"]
    #[serde(rename = "impact_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_id: Option<i64>,
    #[doc = "Impact Score\n\nThe impact as an integer value of the finding, valid range 0-100.\n\nrecommended"]
    #[serde(rename = "impact_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_score: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Suspected Breach\n\nA determination based on analytics as to whether a potential breach was found.\n\noptional"]
    #[serde(rename = "is_suspected_breach")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_suspected_breach: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Permission Analysis Results\n\nDescribes analysis results of permissions, policies directly associated with an identity (user, role, or service account). This evaluates what permissions an identity has been granted through attached policies, which privileges are actively used versus unused, and identifies potential over-privileged access. Use this for identity-centric security assessments such as privilege audits, dormant permission discovery, and least-privilege compliance analysis.\n\nrecommended"]
    #[serde(rename = "permission_analysis_results")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub permission_analysis_results: Option<Vec<PermissionAnalysisResult>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Priority\n\nThe priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "priority")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<String>,
    #[doc = "Priority ID\n\nThe normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.\n\nrecommended"]
    #[serde(rename = "priority_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Resources Array\n\nDetails about resources involved in the IAM analysis. For identity-centric analysis, this represents resources the identity can access. For resource-centric analysis, this represents the resource being analyzed and related resources in the access chain.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source URL\n\nA Url link used to access the original incident.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier of the Finding, set by the consumer.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Ticket\n\nThe linked ticket in the ticketing system.\n\noptional"]
    #[serde(rename = "ticket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ticket: Option<Box<Ticket>>,
    #[doc = "Tickets\n\nThe associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.\n\noptional"]
    #[serde(rename = "tickets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tickets: Option<Vec<Ticket>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nDetails about the identity (user, role, service account, or other principal) that is the subject of the IAM analysis. This provides context about the identity being evaluated for security risks and access patterns.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
    #[doc = "Vendor Attributes\n\nThe Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like <code>severity_id</code>.<br>The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.\n\noptional"]
    #[serde(rename = "vendor_attributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_attributes: Option<Box<VendorAttributes>>,
    #[doc = "Verdict\n\nThe verdict assigned to an Incident finding.\n\nrecommended"]
    #[serde(rename = "verdict")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict: Option<String>,
    #[doc = "Verdict ID\n\nThe normalized verdict of an Incident.\n\nrecommended"]
    #[serde(rename = "verdict_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict_id: Option<i64>,
}
#[doc = "Incident Finding\n\nAn Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics. <br><strong>Note: </strong><code>Incident Finding</code> implicitly includes the <code>incident</code> profile and it should be added to the <code>metadata.profiles[]</code> array.\n\n[UID:2005] Category: findings | Name: incident_finding\n\n**Constraints:**\n* at_least_one: `[assignee`,`assignee_group]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct IncidentFinding {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the Incident activity.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe Incident activity name, as defined by the <code>activity_id</code>.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Assignee\n\nThe details of the user assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee: Option<Box<User>>,
    #[doc = "Assignee Group\n\nThe details of the group assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee_group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee_group: Option<Box<Group>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques associated to the Incident.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Findings</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Incident Finding</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Comment\n\nAdditional user supplied details for updating or closing the incident.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Description\n\nThe short description of the Incident.\n\nrecommended"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the incident.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the incident.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Finding Information List\n\nA list of <code>finding_info</code> objects associated to an incident.\n\nrequired"]
    #[serde(rename = "finding_info_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub finding_info_list: Option<Vec<FindingInfo>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Impact\n\nThe impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "impact")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact: Option<String>,
    #[doc = "Impact ID\n\nThe normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.\n\nrecommended"]
    #[serde(rename = "impact_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_id: Option<i64>,
    #[doc = "Impact Score\n\nThe impact as an integer value of the finding, valid range 0-100.\n\nrecommended"]
    #[serde(rename = "impact_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_score: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Suspected Breach\n\nA determination based on analytics as to whether a potential breach was found.\n\noptional"]
    #[serde(rename = "is_suspected_breach")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_suspected_breach: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Priority\n\nThe priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "priority")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<String>,
    #[doc = "Priority ID\n\nThe normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.\n\nrecommended"]
    #[serde(rename = "priority_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source URL\n\nA Url link used to access the original incident.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the incident.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the incident.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe normalized status of the Incident normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier of the Incident.\n\nrequired"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Ticket\n\nThe linked ticket in the ticketing system.\n\noptional"]
    #[serde(rename = "ticket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ticket: Option<Box<Ticket>>,
    #[doc = "Tickets\n\nThe associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.\n\noptional"]
    #[serde(rename = "tickets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tickets: Option<Vec<Ticket>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Vendor Attributes\n\nThe Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like <code>severity_id</code>.<br>The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.\n\noptional"]
    #[serde(rename = "vendor_attributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_attributes: Option<Box<VendorAttributes>>,
    #[doc = "Verdict\n\nThe verdict assigned to an Incident finding.\n\nrecommended"]
    #[serde(rename = "verdict")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict: Option<String>,
    #[doc = "Verdict ID\n\nThe normalized verdict of an Incident.\n\nrecommended"]
    #[serde(rename = "verdict_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict_id: Option<i64>,
}
#[doc = "Device Inventory Info\n\nDevice Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.\n\n[UID:5001] Category: discovery | Name: inventory_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct InventoryInfo {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Device Inventory Info</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nThe device that is being discovered by an inventory process.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Job Query\n\nJob Query events report information about scheduled jobs.\n\n[UID:5010] Category: discovery | Name: job_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct JobQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Job Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Job\n\nThe job object that pertains to the event.\n\nrequired"]
    #[serde(rename = "job")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub job: Option<Box<Job>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Kernel Activity\n\nKernel Activity events report when an process creates, reads, or deletes a kernel resource.\n\n[UID:1003] Category: system | Name: kernel_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct KernelActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Kernel Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Kernel\n\nThe target kernel resource.\n\nrequired"]
    #[serde(rename = "kernel")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kernel: Option<Box<Kernel>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Kernel Extension Activity\n\nKernel Extension events report when a driver/extension is loaded or unloaded into the kernel\n\n[UID:1002] Category: system | Name: kernel_extension_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct KernelExtensionActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor process that loaded or unloaded the driver/extension.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Kernel Extension Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Kernel Driver\n\nThe driver that was loaded/unloaded into the kernel\n\nrequired"]
    #[serde(rename = "driver")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub driver: Option<Box<KernelDriver>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Kernel Object Query\n\nKernel Object Query events report information about discovered kernel resources.\n\n[UID:5006] Category: discovery | Name: kernel_object_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct KernelObjectQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Kernel Object Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Kernel\n\nThe kernel object that pertains to the event.\n\nrequired"]
    #[serde(rename = "kernel")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kernel: Option<Box<Kernel>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Memory Activity\n\nMemory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).\n\n[UID:1004] Category: system | Name: memory_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct MemoryActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "Actual Permissions\n\nThe permissions that were granted to access memory.\n\nrecommended"]
    #[serde(rename = "actual_permissions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actual_permissions: Option<i64>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Base Address\n\nThe memory address that was access or requested.\n\nrecommended"]
    #[serde(rename = "base_address")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub base_address: Option<String>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Memory Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Process\n\nThe process that had memory allocated, read/written, or had other manipulation activities performed on it.\n\nrequired"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Requested Permissions\n\nThe permissions mask that was requested to access memory.\n\nrecommended"]
    #[serde(rename = "requested_permissions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub requested_permissions: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Size\n\nThe memory size that was access or requested.\n\nrecommended"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Module Activity\n\nModule Activity events report when an endpoint process acts on a <code>module</code>.\n\n[UID:1005] Category: system | Name: module_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ModuleActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity on the target <code>module</code>. For example, the process that loaded a module into memory.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Module Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Module\n\nThe module that was loaded, unloaded, or invoked.\n\nrequired"]
    #[serde(rename = "module")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub module: Option<Box<Module>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Module Query\n\nModule Query events report information about loaded modules.\n\n[UID:5011] Category: discovery | Name: module_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ModuleQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Module Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Module\n\nThe module that pertains to the event.\n\nrequired"]
    #[serde(rename = "module")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub module: Option<Box<Module>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Process\n\nThe process that loaded the module.\n\nrequired"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Network Activity\n\nNetwork Activity events report network connection and traffic activity.\n\n[UID:4001] Category: network | Name: network_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder of the network connection. In some contexts an event source cannot correctly identify the responder. Refer to <code>is_src_dst_assignment_known</code> for certainty.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Source/Destination Assignment Known\n\n<code>true</code> denotes that <code>src_endpoint</code> and <code>dst_endpoint</code> correctly identify the initiator and responder respectively. <code>false</code> denotes that the event source has arbitrarily assigned one peer to <code>src_endpoint</code> and the other to <code>dst_endpoint</code>, in other words that initiator and responder are not being asserted. This can occur, for example, when the event source is a network appliance that has not observed the initiation of a given connection. In the absence of this attribute, interpretation of the initiator and responder is implementation-specific.\n\nrecommended"]
    #[serde(rename = "is_src_dst_assignment_known")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_src_dst_assignment_known: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\n The initiator of the network connection. In some contexts an event source cannot correctly identify the initiator. Refer to <code>is_src_dst_assignment_known</code> for certainty.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "URL\n\nThe URL details relevant to the network traffic.\n\nrecommended"]
    #[serde(rename = "url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url: Option<Box<Url>>,
}
#[doc = "Network Connection Query\n\nNetwork Connection Query events report information about active network connections.\n\n[UID:5012] Category: discovery | Name: network_connection_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkConnectionQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Network Connection Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrequired"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Process\n\nThe process that owns the socket.\n\nrequired"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "State\n\nThe state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "State ID\n\nThe state of the socket.\n\nrequired"]
    #[serde(rename = "state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state_id: Option<i64>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Network File Activity\n\nNetwork File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.\n\n[UID:4010] Category: network | Name: network_file_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[deprecated(
    note = "Use the new class: <code>'File Hosting Activity' in the 'Application'  category.</code> (Since 1.1.0)"
)]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkFileActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity on the target file.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Network File Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\noptional"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe endpoint that received the activity on the target file.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Expiration Time\n\nThe share expiration time.\n\noptional"]
    #[serde(rename = "expiration_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time: Option<i64>,
    #[doc = "Expiration Time\n\nThe share expiration time.\n\noptional"]
    #[serde(rename = "expiration_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time_dt: Option<String>,
    #[doc = "File\n\nThe file that is the target of the activity.\n\nrequired"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe endpoint that performed the activity on the target file.\n\nrequired"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Network Remediation Activity\n\nNetwork Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.\n\n[UID:7004] Category: remediation | Name: network_remediation_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkRemediationActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nMatches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Remediation</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Network Remediation Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Command UID\n\nThe unique identifier of the remediation command that pertains to this event.\n\nrequired"]
    #[serde(rename = "command_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command_uid: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection that pertains to the remediation event.\n\nrequired"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Countermeasures\n\nThe MITRE D3FEND™ Matrix Countermeasures associated with a remediation.\n\nrecommended"]
    #[serde(rename = "countermeasures")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub countermeasures: Option<Vec<D3fend>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Scan\n\nThe remediation scan that pertains to this event.\n\noptional"]
    #[serde(rename = "scan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scan: Option<Box<Scan>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Networks Query\n\nNetworks Query events report information about network adapters.\n\n[UID:5013] Category: discovery | Name: networks_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworksQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Networks Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Network Interfaces\n\nThe physical or virtual network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.<p><b>Note:</b> The first element of the array is the network information that pertains to the event.</p>\n\nrequired"]
    #[serde(rename = "network_interfaces")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_interfaces: Option<Vec<NetworkInterface>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "NTP Activity\n\nThe Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.\n\n[UID:4013] Category: network | Name: ntp_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NtpActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>NTP Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Root Delay\n\nThe total round-trip delay to the reference clock in milliseconds.\n\nrecommended"]
    #[serde(rename = "delay")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub delay: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Root Dispersion\n\nThe dispersion in the NTP protocol is the estimated time error or uncertainty relative to the reference clock in milliseconds.\n\nrecommended"]
    #[serde(rename = "dispersion")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dispersion: Option<i64>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Precision\n\nThe NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905.\n\nrecommended"]
    #[serde(rename = "precision")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub precision: Option<i64>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the network connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Stratum\n\nThe stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.\n\nrecommended"]
    #[serde(rename = "stratum")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub stratum: Option<String>,
    #[doc = "Stratum ID\n\nThe normalized identifier of the stratum level, as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc5905.html'>RFC-5905</a>.\n\nrecommended"]
    #[serde(rename = "stratum_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub stratum_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Version\n\nThe version number of the NTP protocol.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "OSINT Inventory Info\n\nOSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.\n\n[UID:5021] Category: discovery | Name: osint_inventory_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct OsintInventoryInfo {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>OSINT Inventory Info</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT that is being discovered by an inventory process.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Operating System Patch State\n\nOperating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.\n\n[UID:5004] Category: discovery | Name: patch_state\n\n**Constraints:**\n* at_least_one: `[device.os.sp_name`,`device.os.sp_ver`,`device.os.version]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct PatchState {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Operating System Patch State</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Knowledgebase Articles\n\nA list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.\n\nrecommended"]
    #[serde(rename = "kb_article_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kb_article_list: Option<Vec<KbArticle>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Peripheral Activity\n\nPeripheral Activity events log a system's interactions with external, connectable, and detachable hardware. These events provide visibility into the external devices connected to and used by a system.\n\n[UID:1010] Category: system | Name: peripheral_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct PeripheralActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Peripheral Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Peripheral Device\n\nThe peripheral device that is the subject of the activity.\n\nrequired"]
    #[serde(rename = "peripheral_device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub peripheral_device: Option<Box<PeripheralDevice>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Peripheral Device Query\n\nPeripheral Device Query events report information about peripheral devices.\n\n[UID:5014] Category: discovery | Name: peripheral_device_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct PeripheralDeviceQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Peripheral Device Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Peripheral Device\n\nThe peripheral device that triggered the event.\n\nrequired"]
    #[serde(rename = "peripheral_device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub peripheral_device: Option<Box<PeripheralDevice>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Process Activity\n\nProcess Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.\n\n[UID:1007] Category: system | Name: process_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ProcessActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity on the target <code>process</code>. For example, the process that started a new process or injected code into another process.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "Actual Permissions\n\nThe permissions that were granted to the process in a platform-native format.\n\nrecommended"]
    #[serde(rename = "actual_permissions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actual_permissions: Option<i64>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Process Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Exit Code\n\nThe exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred.\n\nrecommended"]
    #[serde(rename = "exit_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub exit_code: Option<i64>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Injection Type\n\nThe process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "injection_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub injection_type: Option<String>,
    #[doc = "Injection Type ID\n\nThe normalized identifier of the process injection method.\n\nrecommended"]
    #[serde(rename = "injection_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub injection_type_id: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Launch Type\n\nThe specific type of <code>Launch</code> activity, normalized to the caption of the <code>launch_type_id</code> value. In the case of <code>Other</code> it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "launch_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub launch_type: Option<String>,
    #[doc = "Launch Type ID\n\nThe normalized identifier for the specific type of <code>Launch</code> activity.\n\nrecommended"]
    #[serde(rename = "launch_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub launch_type_id: Option<i64>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Module\n\nThe module that was injected by the actor process.\n\nrecommended"]
    #[serde(rename = "module")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub module: Option<Box<Module>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Process\n\nThe process that was launched, injected into, opened, or terminated.\n\nrequired"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Requested Permissions\n\nThe permissions mask that was requested by the process.\n\nrecommended"]
    #[serde(rename = "requested_permissions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub requested_permissions: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Process Query\n\nProcess Query events report information about running processes.\n\n[UID:5015] Category: discovery | Name: process_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ProcessQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Process Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Process\n\nThe process object.\n\nrequired"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Process Remediation Activity\n\nProcess Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.\n\n[UID:7003] Category: remediation | Name: process_remediation_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ProcessRemediationActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nMatches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Remediation</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Process Remediation Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Command UID\n\nThe unique identifier of the remediation command that pertains to this event.\n\nrequired"]
    #[serde(rename = "command_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command_uid: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Countermeasures\n\nThe MITRE D3FEND™ Matrix Countermeasures associated with a remediation.\n\nrecommended"]
    #[serde(rename = "countermeasures")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub countermeasures: Option<Vec<D3fend>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Process\n\nThe process that pertains to the remediation event.\n\nrequired"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Scan\n\nThe remediation scan that pertains to this event.\n\noptional"]
    #[serde(rename = "scan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scan: Option<Box<Scan>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "RDP Activity\n\nRemote Desktop Protocol (RDP) Activity events report post-authentication remote client connections between clients and servers over the network.\n\n[UID:4005] Category: network | Name: rdp_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct RdpActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Capabilities\n\nA list of RDP capabilities.\n\noptional"]
    #[serde(rename = "capabilities")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub capabilities: Option<Vec<String>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Certificate Chain\n\nThe list of observed certificates in an RDP TLS connection.\n\nrecommended"]
    #[serde(rename = "certificate_chain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub certificate_chain: Option<Vec<String>>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>RDP Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe remote desktop connection details, either connection-based or connectionless.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nThe device instigating the RDP connection.\n\noptional"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file that is the target of the RDP activity.\n\noptional"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Identifier Cookie\n\nThe client identifier cookie during client/server exchange.\n\noptional"]
    #[serde(rename = "identifier_cookie")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub identifier_cookie: Option<String>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Keyboard Information\n\nThe keyboard detailed information.\n\noptional"]
    #[serde(rename = "keyboard_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub keyboard_info: Option<Box<KeyboardInfo>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "RDP Version\n\nThe Remote Desktop Protocol version.\n\nrecommended"]
    #[serde(rename = "protocol_ver")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_ver: Option<String>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remote Display\n\nThe remote display affiliated with the event\n\noptional"]
    #[serde(rename = "remote_display")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remote_display: Option<Box<Display>>,
    #[doc = "API Request Details\n\nThe client request in an RDP network connection.\n\nrecommended"]
    #[serde(rename = "request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub request: Option<Box<Request>>,
    #[doc = "API Response Details\n\nThe server response in an RDP network connection.\n\nrecommended"]
    #[serde(rename = "response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub response: Option<Box<Response>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the network connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nThe target user associated with the RDP activity.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "Remediation Activity\n\nRemediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>.\n\n[UID:7001] Category: remediation | Name: remediation_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct RemediationActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nMatches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Remediation</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Remediation Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Command UID\n\nThe unique identifier of the remediation command that pertains to this event.\n\nrequired"]
    #[serde(rename = "command_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command_uid: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Countermeasures\n\nThe MITRE D3FEND™ Matrix Countermeasures associated with a remediation.\n\nrecommended"]
    #[serde(rename = "countermeasures")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub countermeasures: Option<Vec<D3fend>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Scan\n\nThe remediation scan that pertains to this event.\n\noptional"]
    #[serde(rename = "scan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scan: Option<Box<Scan>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Scan Activity\n\nScan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.\n\n[UID:6007] Category: application | Name: scan_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ScanActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Application Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Scan Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Command UID\n\nThe command identifier that is associated with this scan event.  This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.\n\nrecommended"]
    #[serde(rename = "command_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command_uid: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe duration of the scan\n\nrecommended"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of the scan job.\n\nrecommended"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of the scan job.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Detections\n\nThe number of detections.\n\nrecommended"]
    #[serde(rename = "num_detections")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_detections: Option<i64>,
    #[doc = "Scanned Files\n\nThe number of files scanned.\n\nrecommended"]
    #[serde(rename = "num_files")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_files: Option<i64>,
    #[doc = "Scanned Folders\n\nThe number of folders scanned.\n\nrecommended"]
    #[serde(rename = "num_folders")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_folders: Option<i64>,
    #[doc = "Scanned Network Items\n\nThe number of network items scanned.\n\nrecommended"]
    #[serde(rename = "num_network_items")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_network_items: Option<i64>,
    #[doc = "Scanned Processes\n\nThe number of processes scanned.\n\nrecommended"]
    #[serde(rename = "num_processes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_processes: Option<i64>,
    #[doc = "Scanned Registry Items\n\nThe number of registry items scanned.\n\nrecommended"]
    #[serde(rename = "num_registry_items")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_registry_items: Option<i64>,
    #[doc = "Resolutions\n\nThe number of items that were resolved.\n\nrecommended"]
    #[serde(rename = "num_resolutions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_resolutions: Option<i64>,
    #[doc = "Skipped\n\nThe number of skipped items.\n\nrecommended"]
    #[serde(rename = "num_skipped_items")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_skipped_items: Option<i64>,
    #[doc = "Trusted\n\nThe number of trusted items.\n\nrecommended"]
    #[serde(rename = "num_trusted_items")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_trusted_items: Option<i64>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy associated with this Scan event; required if the scan was initiated by a policy.\n\nrecommended"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Scan\n\nThe Scan object describes characteristics of the scan job.\n\nrequired"]
    #[serde(rename = "scan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scan: Option<Box<Scan>>,
    #[doc = "Schedule UID\n\nThe unique identifier of the schedule associated with a scan job.\n\nrecommended"]
    #[serde(rename = "schedule_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub schedule_uid: Option<String>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of the scan job.\n\nrecommended"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of the scan job.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Total\n\nThe total number of items that were scanned; zero if no items were scanned.\n\nrecommended"]
    #[serde(rename = "total")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub total: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Scheduled Job Activity\n\nScheduled Job Activity events report activities related to scheduled jobs or tasks.\n\n[UID:1006] Category: system | Name: scheduled_job_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ScheduledJobActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity on the <code>job</code> object.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Scheduled Job Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Job\n\nThe job object that pertains to the event.\n\nrequired"]
    #[serde(rename = "job")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub job: Option<Box<Job>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Script Activity\n\nScript Activity events report when a process executes a script.\n\n[UID:1009] Category: system | Name: script_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ScriptActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Script Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Script\n\nThe script that was the target of the activity.\n\nrequired"]
    #[serde(rename = "script")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub script: Option<Box<Script>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Security Finding\n\nSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products\n\n[UID:2001] Category: findings | Name: security_finding"]
#[deprecated(
    note = "Use the new specific classes according to the use-case: <code>Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding, Data Security Finding.</code> (Since 1.1.0)"
)]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct SecurityFinding {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "Analytic\n\nThe analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.\n\nrecommended"]
    #[serde(rename = "analytic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub analytic: Option<Box<Analytic>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques associated to the Finding.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Findings</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "CIS CSC\n\nThe CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.\n\noptional"]
    #[serde(rename = "cis_csc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cis_csc: Option<Vec<CisCsc>>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Security Finding</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Compliance\n\nThe compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details.\n\noptional"]
    #[serde(rename = "compliance")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub compliance: Option<Box<Compliance>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\nrecommended"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Data Sources\n\nA list of data sources utilized in generation of the finding.\n\noptional"]
    #[serde(rename = "data_sources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_sources: Option<Vec<String>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Evidence\n\nThe data the finding exposes to the analyst.\n\noptional"]
    #[serde(rename = "evidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub evidence: Option<serde_json::Value>,
    #[doc = "Finding\n\nThe Finding object provides details about a finding/detection generated by a security tool.\n\nrequired"]
    #[serde(rename = "finding")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub finding: Option<Box<Finding>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Impact\n\nThe impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "impact")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact: Option<String>,
    #[doc = "Impact ID\n\nThe normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.\n\nrecommended"]
    #[serde(rename = "impact_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_id: Option<i64>,
    #[doc = "Impact Score\n\nThe impact as an integer value of the finding, valid range 0-100.\n\nrecommended"]
    #[serde(rename = "impact_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_score: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Kill Chain\n\nThe <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a> provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.\n\noptional"]
    #[serde(rename = "kill_chain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kill_chain: Option<Vec<KillChainPhase>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "NIST List\n\nThe NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.\n\noptional"]
    #[serde(rename = "nist")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub nist: Option<Vec<String>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Process\n\nThe process object.\n\noptional"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Resources Array\n\nDescribes details about resources that were affected by the activity/event.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\nrecommended"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\nrecommended"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\nrecommended"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "State\n\nThe normalized state of a security finding.\n\noptional"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "State ID\n\nThe normalized state identifier of a security finding.\n\nrequired"]
    #[serde(rename = "state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state_id: Option<i64>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Vulnerabilities\n\nThis object describes vulnerabilities reported in a security finding.\n\noptional"]
    #[serde(rename = "vulnerabilities")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vulnerabilities: Option<Vec<Vulnerability>>,
}
#[doc = "Service Query\n\nService Query events report information about running services.\n\n[UID:5016] Category: discovery | Name: service_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ServiceQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Service Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Service\n\nThe service that pertains to the event.\n\nrequired"]
    #[serde(rename = "service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service: Option<Box<Service>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "User Session Query\n\nUser Session Query events report information about existing user sessions.\n\n[UID:5017] Category: discovery | Name: session_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct SessionQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>User Session Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Session\n\nThe authenticated user or service session.\n\nrequired"]
    #[serde(rename = "session")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<Box<Session>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "SMB Activity\n\nServer Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.\n\n[UID:4006] Category: network | Name: smb_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct SmbActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>SMB Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Client Dialects\n\nThe list of SMB dialects that the client speaks.\n\nrecommended"]
    #[serde(rename = "client_dialects")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub client_dialects: Option<Vec<String>>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Command\n\nThe command name (e.g. SMB2_COMMAND_CREATE, SMB1_COMMAND_WRITE_ANDX).\n\nrecommended"]
    #[serde(rename = "command")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Distributed Computing Environment/Remote Procedure Call (DCE/RPC)\n\nThe DCE/RPC object describes the remote procedure call system for distributed computing environments.\n\noptional"]
    #[serde(rename = "dce_rpc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dce_rpc: Option<Box<DceRpc>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Dialect\n\nThe negotiated protocol dialect.\n\nrecommended"]
    #[serde(rename = "dialect")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dialect: Option<String>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file that is the target of the SMB activity.\n\nrecommended"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "Open Type\n\nIndicates how the file was opened (e.g. normal, delete on close).\n\nrecommended"]
    #[serde(rename = "open_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub open_type: Option<String>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "API Response Details\n\nThe server response in an SMB network connection.\n\nrecommended"]
    #[serde(rename = "response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub response: Option<Box<Response>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Share\n\nThe SMB share name.\n\nrecommended"]
    #[serde(rename = "share")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub share: Option<String>,
    #[doc = "Share Type\n\nThe SMB share type, normalized to the caption of the share_type_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "share_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub share_type: Option<String>,
    #[doc = "Share Type ID\n\nThe normalized identifier of the SMB share type.\n\nrecommended"]
    #[serde(rename = "share_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub share_type_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the network connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Tree UID\n\nThe tree id is a unique SMB identifier which represents an open connection to a share.\n\nrecommended"]
    #[serde(rename = "tree_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tree_uid: Option<String>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Software Inventory Info\n\nSoftware Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.\n\n[UID:5020] Category: discovery | Name: software_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct SoftwareInfo {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Software Inventory Info</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nThe device that is being discovered by an inventory process.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Software Package\n\nThe device software that is being discovered by an inventory process.\n\nrecommended"]
    #[serde(rename = "package")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub package: Option<Box<Package>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Product\n\nAdditional product attributes that have been discovered or enriched from a catalog or other external source.\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Software Bill Of Materials\n\nThe Software Bill of Materials (SBOM) of the device software that is being discovered by an inventory process.\n\nrecommended"]
    #[serde(rename = "sbom")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sbom: Option<Box<Sbom>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "SSH Activity\n\nSSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.\n\n[UID:4007] Category: network | Name: ssh_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct SshActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authentication Type\n\nThe SSH authentication type, normalized to the caption of 'auth_type_id'. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "auth_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_type: Option<String>,
    #[doc = "Authentication Type ID\n\nThe normalized identifier of the SSH authentication type.\n\nrecommended"]
    #[serde(rename = "auth_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_type_id: Option<i64>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>SSH Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Client HASSH\n\nThe Client HASSH fingerprinting object.\n\nrecommended"]
    #[serde(rename = "client_hassh")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub client_hassh: Option<Box<Hassh>>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe network connection information.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe responder (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "File\n\nThe file that is the target of the SSH activity.\n\noptional"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "SSH Version\n\nThe Secure Shell Protocol version.\n\nrecommended"]
    #[serde(rename = "protocol_ver")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_ver: Option<String>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Server HASSH\n\nThe Server HASSH fingerprinting object.\n\nrecommended"]
    #[serde(rename = "server_hassh")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub server_hassh: Option<Box<Hassh>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the network connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nThe network traffic for this observation period. Use when reporting: (1) delta values (bytes/packets transferred since the last observation), (2) instantaneous measurements at a specific point in time, or (3) standalone single-event metrics. This attribute represents a point-in-time measurement or incremental change, not a running total. For accumulated totals across multiple observations or the lifetime of a flow, use <code>cumulative_traffic</code> instead.\n\nrecommended"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Startup Item Query\n\nStartup Item Query events report information about discovered items, e.g., application components that are generally configured to run automatically.\n\n[UID:5022] Category: discovery | Name: startup_item_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct StartupItemQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Startup Item Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Startup Item\n\nThe startup item object describes an application component that has associated startup criteria and configurations.\n\nrequired"]
    #[serde(rename = "startup_item")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub startup_item: Option<Box<StartupItem>>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Tunnel Activity\n\nTunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.\n\n[UID:4014] Category: network | Name: tunnel_activity\n\n**Constraints:**\n* at_least_one: `[dst_endpoint`,`src_endpoint]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct TunnelActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Application Name\n\nThe name of the application associated with the event or object.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Network Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Tunnel Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Connection Info\n\nThe tunnel connection information.\n\noptional"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Cumulative Traffic\n\nThe cumulative (running total) network traffic aggregated from the start of a flow or session. Use when reporting: (1) total accumulated bytes/packets since flow initiation, (2) combined aggregation models where both incremental deltas and running totals are reported together (populate both <code>traffic</code> for the delta and this attribute for the cumulative total), or (3) final summary metrics when a long-lived connection closes. This represents the sum of all activity from flow start to the current observation, not a delta or point-in-time value.\n\noptional"]
    #[serde(rename = "cumulative_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cumulative_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Device\n\nThe device that reported the event.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe server responding to the tunnel connection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "JA4+ Fingerprints\n\nA list of the JA4+ network fingerprints.\n\noptional"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Load Balancer\n\nThe Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations.\n\nrecommended"]
    #[serde(rename = "load_balancer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_balancer: Option<Box<LoadBalancer>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Observation Point\n\nIndicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity. The value is normalized to the caption of the <code>observation_point_id</code>.\n\noptional"]
    #[serde(rename = "observation_point")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point: Option<String>,
    #[doc = "Observation Point ID\n\nThe normalized identifier of the observation point. The observation point identifier indicates whether the source network endpoint, destination network endpoint, or neither served as the observation point for the activity.\n\noptional"]
    #[serde(rename = "observation_point_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_point_id: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Tunnel Protocol\n\nThe networking protocol associated with the tunnel. E.g. <code>IPSec</code>, <code>SSL</code>, <code>GRE</code>.\n\noptional"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "Proxy\n\nThe proxy (server) in a network connection.\n\nrecommended"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Tunnel Session\n\nThe session associated with the tunnel.\n\nrecommended"]
    #[serde(rename = "session")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<Box<Session>>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nThe initiator (client) of the tunnel connection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Traffic\n\nTraffic refers to the amount of data moving across the tunnel at a given point of time. Ex: <code>bytes_in</code> and <code>bytes_out</code>.\n\noptional"]
    #[serde(rename = "traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Tunnel Interface\n\nThe information about the virtual tunnel interface, e.g. <code>utun0</code>. This is usually associated with the private (rfc-1918) ip of the tunnel.\n\nrecommended"]
    #[serde(rename = "tunnel_interface")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tunnel_interface: Option<Box<NetworkInterface>>,
    #[doc = "Type\n\nThe tunnel type. Example: <code>Split</code> or <code>Full</code>.\n\nrecommended"]
    #[serde(rename = "tunnel_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tunnel_type: Option<String>,
    #[doc = "Type\n\nThe normalized tunnel type ID.\n\nrecommended"]
    #[serde(rename = "tunnel_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tunnel_type_id: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nThe user associated with the tunnel activity.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "User Access Management\n\nUser Access Management events report management updates to a user's privileges.\n\n[UID:3005] Category: iam | Name: user_access"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct UserAccess {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Identity & Access Management</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>User Access Management</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\noptional"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the underlying HTTP response.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Privileges\n\nList of privileges assigned to a user.\n\nrequired"]
    #[serde(rename = "privileges")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub privileges: Option<Vec<String>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Resource\n\nResource that the privileges give access to.\n\nrecommended"]
    #[serde(rename = "resource")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource: Option<Box<ResourceDetails>>,
    #[doc = "Resources Array\n\nResources that the privileges give access to.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source of the IAM activity.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nUser to which privileges were assigned.\n\nrequired"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "User Inventory Info\n\nUser Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.\n\n[UID:5003] Category: discovery | Name: user_inventory"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct UserInventory {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>User Inventory Info</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nThe user that is being discovered by an inventory process.\n\nrequired"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "User Query\n\nUser Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.\n\n[UID:5018] Category: discovery | Name: user_query"]
#[deprecated(note = "Use the <code>Live Evidence Info</code> class. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct UserQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>User Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "User\n\nThe user that pertains to the event or object.\n\nrequired"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "Vulnerability Finding\n\nThe Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile  or aggregate this finding into an <code>Incident Finding</code>.\n\n[UID:2002] Category: findings | Name: vulnerability_finding"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct VulnerabilityFinding {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the finding activity.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe finding activity name, as defined by the <code>activity_id</code>.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Assignee\n\nThe details of the user assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee: Option<Box<User>>,
    #[doc = "Assignee Group\n\nThe details of the group assigned to an Incident.\n\noptional"]
    #[serde(rename = "assignee_group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assignee_group: Option<Box<Group>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Findings</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Vulnerability Finding</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Comment\n\nA user provided comment about the finding.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nDescribes the affected device/host. If applicable, it can be used in conjunction with <code>Resource(s)</code>. <p> e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.</p>\n\noptional"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe time of the most recent event included in the finding.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Finding Information\n\nDescribes the supporting information about a generated finding.\n\nrequired"]
    #[serde(rename = "finding_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub finding_info: Option<Box<FindingInfo>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Impact\n\nThe impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "impact")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact: Option<String>,
    #[doc = "Impact ID\n\nThe normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.\n\nrecommended"]
    #[serde(rename = "impact_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_id: Option<i64>,
    #[doc = "Impact Score\n\nThe impact as an integer value of the finding, valid range 0-100.\n\nrecommended"]
    #[serde(rename = "impact_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub impact_score: Option<i64>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Suspected Breach\n\nA determination based on analytics as to whether a potential breach was found.\n\noptional"]
    #[serde(rename = "is_suspected_breach")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_suspected_breach: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Priority\n\nThe priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "priority")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority: Option<String>,
    #[doc = "Priority ID\n\nThe normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.\n\nrecommended"]
    #[serde(rename = "priority_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub priority_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Resource\n\nDescribes details about the resource that is affected by the vulnerability/vulnerabilities.\n\nrecommended"]
    #[serde(rename = "resource")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource: Option<Box<ResourceDetails>>,
    #[doc = "Affected Resources\n\nDescribes details about the resource/resources that are affected by the vulnerability/vulnerabilities.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source URL\n\nA Url link used to access the original incident.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe time of the least recent event included in the finding.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier of the Finding, set by the consumer.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Ticket\n\nThe linked ticket in the ticketing system.\n\noptional"]
    #[serde(rename = "ticket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ticket: Option<Box<Ticket>>,
    #[doc = "Tickets\n\nThe associated ticket(s) in the ticketing system. Each ticket contains details like ticket ID, status, etc.\n\noptional"]
    #[serde(rename = "tickets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tickets: Option<Vec<Ticket>>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Vendor Attributes\n\nThe Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like <code>severity_id</code>.<br>The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.\n\noptional"]
    #[serde(rename = "vendor_attributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_attributes: Option<Box<VendorAttributes>>,
    #[doc = "Verdict\n\nThe verdict assigned to an Incident finding.\n\nrecommended"]
    #[serde(rename = "verdict")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict: Option<String>,
    #[doc = "Verdict ID\n\nThe normalized verdict of an Incident.\n\nrecommended"]
    #[serde(rename = "verdict_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict_id: Option<i64>,
    #[doc = "Vulnerabilities\n\nThis object describes vulnerabilities reported in a security finding.\n\nrequired"]
    #[serde(rename = "vulnerabilities")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vulnerabilities: Option<Vec<Vulnerability>>,
}
#[doc = "Web Resource Access Activity\n\nWeb Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.\n\n[UID:6004] Category: application | Name: web_resource_access_activity"]
#[deprecated(
    note = "Use the <code>Web Resources Activity</code> class with the <code>Security Control</code> and/or <code>Network Proxy</code> profile instead. (Since 1.1.0)"
)]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WebResourceAccessActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Application Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Web Resource Access Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\nrequired"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the HTTP response, if available.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Proxy\n\nDetails about the proxy service, if available.\n\noptional"]
    #[serde(rename = "proxy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy: Option<Box<NetworkProxy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the source endpoint of the request.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes, if available.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Web Resources\n\nDetails about the resource that is the target of the activity.\n\nrequired"]
    #[serde(rename = "web_resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub web_resources: Option<Vec<WebResource>>,
}
#[doc = "Web Resources Activity\n\nWeb Resources Activity events describe actions executed on a set of Web Resources.\n\n[UID:6001] Category: application | Name: web_resources_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WebResourcesActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Application Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Web Resources Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Destination Endpoint\n\nDetails about server providing the web resources.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "HTTP Request\n\nDetails about the underlying HTTP request.\n\nrecommended"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDetails about the HTTP response, if available.\n\noptional"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Proxy Connection Info\n\nThe connection information from the proxy server to the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Proxy Endpoint\n\nThe proxy (server) in a network connection.\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Proxy HTTP Request\n\nThe HTTP Request from the proxy server to the remote server.\n\noptional"]
    #[serde(rename = "proxy_http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_request: Option<Box<HttpRequest>>,
    #[doc = "Proxy HTTP Response\n\nThe HTTP Response from the remote server to the proxy server.\n\noptional"]
    #[serde(rename = "proxy_http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_http_response: Option<Box<HttpResponse>>,
    #[doc = "Proxy TLS\n\nThe TLS protocol negotiated between the proxy server and the remote server.\n\nrecommended"]
    #[serde(rename = "proxy_tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_tls: Option<Box<Tls>>,
    #[doc = "Proxy Traffic\n\nThe network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.\n\nrecommended"]
    #[serde(rename = "proxy_traffic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_traffic: Option<Box<NetworkTraffic>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Source Endpoint\n\nDetails about the endpoint from which the request originated.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "TLS\n\nThe Transport Layer Security (TLS) attributes, if available.\n\noptional"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Web Resources\n\nDescribes details about web resources that were affected by an activity/event.\n\nrequired"]
    #[serde(rename = "web_resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub web_resources: Option<Vec<WebResource>>,
    #[doc = "Web Resources Result\n\nThe results of the activity on web resources. It should contain the new values of the changed attributes of the web resources.\n\nrecommended"]
    #[serde(rename = "web_resources_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub web_resources_result: Option<Vec<WebResource>>,
}
#[doc = "Prefetch Query\n\nPrefetch Query events report information about Windows prefetch files.\n\n[UID:205019] Category: discovery | Name: prefetch_query"]
#[deprecated(
    note = "Use the <code>Evidence Info</code> class with the <code>Query Evidence</code> object populated with <code>File</code> instead. (Since 1.5.0)"
)]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinPrefetchQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Prefetch Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Last Run\n\nThe prefetch file last run time.\n\nrecommended"]
    #[serde(rename = "last_run_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_run_time: Option<i64>,
    #[doc = "Last Run\n\nThe prefetch file last run time.\n\noptional"]
    #[serde(rename = "last_run_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_run_time_dt: Option<String>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Name\n\nThe name of the prefetch file that is the target of the query.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Run Count\n\nThe prefetch file run count.\n\nrecommended"]
    #[serde(rename = "run_count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub run_count: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Registry Key Activity\n\nRegistry Key Activity events report when a process performs an action on a Windows registry key.\n\n[UID:201001] Category: system | Name: registry_key_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinRegistryKeyActivity {
    #[doc = "Access Mask\n\nThe access mask in a platform-native format.\n\nrecommended"]
    #[serde(rename = "access_mask")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_mask: Option<i64>,
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity on the <code>reg_key</code> object.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Registry Key Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Create Mask\n\nThe original Windows mask that is required to create the object.\n\nrecommended"]
    #[serde(rename = "create_mask")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub create_mask: Option<String>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Open Mask\n\nThe Windows options needed to open a registry key.\n\nrecommended"]
    #[serde(rename = "open_mask")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub open_mask: Option<i64>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Previous Registry Key\n\nThe registry key before the mutation\n\nrecommended"]
    #[serde(rename = "prev_reg_key")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub prev_reg_key: Option<Box<WinRegKey>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Registry Key\n\nThe registry key.\n\nrequired"]
    #[serde(rename = "reg_key")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_key: Option<Box<WinRegKey>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Registry Key Query\n\nRegistry Key Query events report information about discovered Windows registry keys.\n\n[UID:205004] Category: discovery | Name: registry_key_query"]
#[deprecated(
    note = "Use the <code>Evidence Info</code> class with the <code>Query Evidence</code> object populated with <code>Registry Key</code> instead. (Since 1.5.0)"
)]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinRegistryKeyQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Registry Key Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Registry Key\n\nThe registry key that pertains to the event.\n\nrequired"]
    #[serde(rename = "reg_key")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_key: Option<Box<WinRegKey>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Registry Value Activity\n\nRegistry Value Activity events reports when a process performs an action on a Windows registry value.\n\n[UID:201002] Category: system | Name: registry_value_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinRegistryValueActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor that performed the activity on the <code>reg_value</code> object.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Registry Value Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Previous Registry Value\n\nThe registry value before the mutation\n\noptional"]
    #[serde(rename = "prev_reg_value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub prev_reg_value: Option<Box<WinRegValue>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Registry Value\n\nThe registry value.\n\nrequired"]
    #[serde(rename = "reg_value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_value: Option<Box<WinRegValue>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Registry Value Query\n\nRegistry Value Query events report information about discovered Windows registry values.\n\n[UID:205005] Category: discovery | Name: registry_value_query"]
#[deprecated(
    note = "Use the <code>Evidence Info</code> class with the <code>Query Evidence</code> object populated with <code>Registry Value</code> instead. (Since 1.5.0)"
)]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinRegistryValueQuery {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\noptional"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>Discovery</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Registry Value Query</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Query Info\n\nThe search details associated with the query request.\n\nrecommended"]
    #[serde(rename = "query_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_info: Option<Box<QueryInfo>>,
    #[doc = "Query Result\n\nThe result of the query.\n\nrecommended"]
    #[serde(rename = "query_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result: Option<String>,
    #[doc = "Query Result ID\n\nThe normalized identifier of the query result.\n\nrequired"]
    #[serde(rename = "query_result_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_result_id: Option<i64>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Registry Value\n\nThe registry value that pertains to the event.\n\nrequired"]
    #[serde(rename = "reg_value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_value: Option<Box<WinRegValue>>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
}
#[doc = "Windows Resource Activity\n\nWindows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.\n\n[UID:201003] Category: system | Name: windows_resource_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinWindowsResourceActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Windows Resource Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Windows Resource\n\nThe Windows resource object that was accessed, such as a mutant or timer.\n\nrequired"]
    #[serde(rename = "win_resource")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub win_resource: Option<Box<WinWinResource>>,
}
#[doc = "Windows Service Activity\n\nWindows Service Activity events report when a process interacts with the Service Control Manager.\n\n[UID:201004] Category: system | Name: windows_service_activity"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinWindowsServiceActivity {
    #[doc = "Action\n\nThe normalized caption of <code>action_id</code>.\n\noptional"]
    #[serde(rename = "action")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action: Option<String>,
    #[doc = "Action ID\n\nThe action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to <code>disposition_id</code> for the outcome of the action.\n\nrecommended"]
    #[serde(rename = "action_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub action_id: Option<i64>,
    #[doc = "Activity ID\n\nThe normalized identifier of the activity that triggered the event.\n\nrequired"]
    #[serde(rename = "activity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_id: Option<i64>,
    #[doc = "Activity\n\nThe event activity name, as defined by the activity_id.\n\noptional"]
    #[serde(rename = "activity_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub activity_name: Option<String>,
    #[doc = "Actor\n\nThe actor object describes details about the user/role/process that was the source of the activity. Note that this is not the threat actor of a campaign but may be part of a campaign.\n\nrequired"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about a typical API (Application Programming Interface) call.\n\noptional"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Category\n\nThe event category name, as defined by category_uid value: <code>System Activity</code>.\n\noptional"]
    #[serde(rename = "category_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_name: Option<String>,
    #[doc = "Category ID\n\nThe category unique identifier of the event.\n\nrequired"]
    #[serde(rename = "category_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_uid: Option<i64>,
    #[doc = "Class\n\nThe event class name, as defined by class_uid value: <code>Windows Service Activity</code>.\n\noptional"]
    #[serde(rename = "class_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_name: Option<String>,
    #[doc = "Class ID\n\nThe unique identifier of a class. A class describes the attributes available in an event.\n\nrequired"]
    #[serde(rename = "class_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class_uid: Option<i64>,
    #[doc = "Cloud\n\nDescribes details about the Cloud environment where the event or finding was created.\n\nrequired"]
    #[serde(rename = "cloud")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud: Option<Box<Cloud>>,
    #[doc = "Confidence\n\nThe confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Confidence Score\n\nThe confidence score as reported by the event source.\n\noptional"]
    #[serde(rename = "confidence_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_score: Option<i64>,
    #[doc = "Count\n\nThe number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrequired"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Disposition\n\nThe disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "disposition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition: Option<String>,
    #[doc = "Disposition ID\n\nDescribes the outcome or action taken by a security control, such as access control checks, malware detections or various types of policy violations.\n\nrecommended"]
    #[serde(rename = "disposition_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub disposition_id: Option<i64>,
    #[doc = "Duration Milliseconds\n\nThe event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of a time period, or the time of the most recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Enrichments\n\nThe additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>\n\noptional"]
    #[serde(rename = "enrichments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enrichments: Option<Vec<Enrichment>>,
    #[doc = "Firewall Rule\n\nThe firewall rule that pertains to the control that triggered the event, if applicable.\n\noptional"]
    #[serde(rename = "firewall_rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub firewall_rule: Option<Box<FirewallRule>>,
    #[doc = "Alert\n\nIndicates that the event is considered to be an alertable signal. Should be set to <code>true</code> if <code>disposition_id = Alert</code> among other dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code> of the event is elevated. Not all control events will be alertable, for example if <code>disposition_id = Exonerated</code> or <code>disposition_id = Allowed</code>.\n\nrecommended"]
    #[serde(rename = "is_alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_alert: Option<bool>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Malware Scan Info\n\nDescribes details about the scan job that identified malware on the target system.\n\noptional"]
    #[serde(rename = "malware_scan_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware_scan_info: Option<Box<MalwareScanInfo>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metadata\n\nThe metadata associated with the event or a finding.\n\nrequired"]
    #[serde(rename = "metadata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata: Option<Box<Metadata>>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\nrecommended"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\nrequired"]
    #[serde(rename = "osint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub osint: Option<Vec<Osint>>,
    #[doc = "Policy\n\nThe policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Raw Data\n\nThe raw event/finding data as received from the source.\n\noptional"]
    #[serde(rename = "raw_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data: Option<String>,
    #[doc = "Raw Data Hash\n\nThe hash, which describes the content of the raw_data field.\n\noptional"]
    #[serde(rename = "raw_data_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_hash: Option<Box<Fingerprint>>,
    #[doc = "Raw Data Size\n\nThe size of the raw data which was transformed into an OCSF event, in bytes.\n\noptional"]
    #[serde(rename = "raw_data_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_data_size: Option<i64>,
    #[doc = "Risk Details\n\nDescribes the risk associated with the finding.\n\noptional"]
    #[serde(rename = "risk_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_details: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrequired"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of a time period, or the time of the least recent event included in the aggregate event.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status\n\nThe event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.\n\nrecommended"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional information about the event/finding outcome.\n\nrecommended"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status ID\n\nThe normalized identifier of the event status.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\nrequired"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nThe normalized event occurrence time or the finding creation time.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Timezone Offset\n\nThe number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.\n\nrecommended"]
    #[serde(rename = "timezone_offset")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timezone_offset: Option<i64>,
    #[doc = "Type Name\n\nThe event/finding type name, as defined by the type_uid.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.\n\nrequired"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unmapped Data\n\nThe attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.\n\noptional"]
    #[serde(rename = "unmapped")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmapped: Option<serde_json::Value>,
    #[doc = "Windows Service\n\nThe Windows service.\n\nrequired"]
    #[serde(rename = "win_service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub win_service: Option<Box<WinWinService>>,
}
#[doc = "Access Analysis Result\n\nThe Access Analysis Result object describes access relationships and pathways between identities, resources, focusing on who can access what and through which mechanisms. This evaluates access levels (read/write/admin), access types (direct, cross-account, public, federated), and the conditions under which access is granted. Use this for resource-centric security assessments such as external access discovery, public exposure analysis, etc.\n\n[] Category:  | Name: access_analysis_result"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AccessAnalysisResult {
    #[doc = "Access Level\n\nThe generalized access level or permission scope granted to the identity through the analyzed policy configuration. Common examples include Read, Write, List, Delete, Admin, or custom permission levels.\n\nrecommended"]
    #[serde(rename = "access_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_level: Option<String>,
    #[doc = "Access Type\n\nThe type or category of access being granted to the identity. This describes the nature of the access relationship, such as cross-account access, public access, federated access, or third-party integration access. Examples include 'Cross-Account', 'Public', 'Federated', 'Service-to-Service', etc.\n\noptional"]
    #[serde(rename = "access_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub access_type: Option<String>,
    #[doc = "Accessors\n\nThe identities that are granted access through the analyzed policy configuration. This identifies the specific entity that can exercise the permissions and helps assess the access relationship and potential security implications. Examples include user accounts, service principals, roles, account identifiers, or system identities.\n\nrequired"]
    #[serde(rename = "accessors")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub accessors: Option<Vec<User>>,
    #[doc = "Additional Restrictions\n\nDetails about supplementary restrictions and guardrails that may limit the granted access, applied through additional policy types such as Resource Control Policies (RCPs) and Service Control Policies (SCPs) in AWS, or other policy constraints.\n\noptional"]
    #[serde(rename = "additional_restrictions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub additional_restrictions: Option<Vec<AdditionalRestriction>>,
    #[doc = "Condition Keys\n\nThe condition keys and their values that constrain when and how the granted access can be exercised. These conditions define the circumstances under which the access relationship is valid and the privileges can be used. Examples: IP address restrictions like 'aws:SourceIp:192.0.2.0/24', time-based constraints like 'aws:RequestedRegion:us-east-1', MFA requirements like 'aws:MultiFactorAuthPresent:true', or custom conditions based on resource tags and request context.\n\noptional"]
    #[serde(rename = "condition_keys")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub condition_keys: Option<Vec<KeyValueObject>>,
    #[doc = "Granted Privileges\n\nThe specific privileges, actions, or permissions that are granted through the analyzed access relationship. This includes the actual operations that the accessor can perform on the target resource. Examples: AWS actions like 'sts:AssumeRole', 's3:GetObject', 'ec2:DescribeInstances'; Azure actions like 'Microsoft.Storage/storageAccounts/read'; or GCP permissions like 'storage.objects.get'.\n\noptional"]
    #[serde(rename = "granted_privileges")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub granted_privileges: Option<Vec<String>>,
}
#[doc = "Account\n\nThe Account object contains details about the account that initiated or performed a specific activity within a system or application. Additionally, the Account object refers to logical Cloud and Software-as-a-Service (SaaS) based containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud Compartments, Google Cloud Projects, and otherwise.\n\n[] Category:  | Name: account\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Account {
    #[doc = "Labels\n\nThe list of labels associated to the account.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Name\n\nThe name of the account (e.g. <code> GCP Project name </code>, <code> Linux Account name </code> or <code> AWS Account name</code>).\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the account.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Type\n\nThe account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe normalized account type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the account (e.g. <code> AWS Account ID </code>, <code> OCID </code>, <code> GCP Project ID </code>, <code> Azure Subscription ID </code>, <code> Google Workspace Customer ID </code>, or <code> M365 Tenant UID</code>).\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Actor\n\nThe Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.\n\n[] Category:  | Name: actor\n\n**Constraints:**\n* at_least_one: `[process`,`user`,`invoked_by`,`session`,`app_name`,`app_uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Actor {
    #[doc = "Application Name\n\nThe client application or service that initiated the activity. This can be in conjunction with the <code>user</code> if present.  Note that <code>app_name</code> is distinct from the <code>process</code> if present.\n\noptional"]
    #[serde(rename = "app_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_name: Option<String>,
    #[doc = "Application ID\n\nThe unique identifier of the client application or service that initiated the activity. This can be in conjunction with the <code>user</code> if present. Note that <code>app_name</code> is distinct from the <code>process.pid</code> or <code>process.uid</code> if present.\n\noptional"]
    #[serde(rename = "app_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub app_uid: Option<String>,
    #[doc = "Authorization Information\n\nProvides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.\n\noptional"]
    #[serde(rename = "authorizations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub authorizations: Option<Vec<Authorization>>,
    #[doc = "Identity Provider\n\nThis object describes details about the Identity Provider used.\n\noptional"]
    #[serde(rename = "idp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub idp: Option<Box<Idp>>,
    #[doc = "Invoked by\n\nThe name of the service that invoked the activity as described in the event.\n\noptional"]
    #[serde(rename = "invoked_by")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub invoked_by: Option<String>,
    #[doc = "Process\n\nThe process that initiated the activity.\n\nrecommended"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Session\n\nThe user session from which the activity was initiated.\n\noptional"]
    #[serde(rename = "session")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<Box<Session>>,
    #[doc = "User\n\nThe user that initiated the activity or the user context from which the activity was initiated.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "Additional Restriction\n\nThe Additional Restriction object describes supplementary access controls and guardrails that constrain or limit granted permissions beyond the primary policy. These restrictions are typically applied through hierarchical policy frameworks, organizational controls, or conditional access mechanisms. Examples include AWS Service Control Policies (SCPs), Resource Control Policies (RCPs), Azure Management Group policies, GCP Organization policies, conditional access policies, IP restrictions, time-based constraints, and MFA requirements.\n\n[] Category:  | Name: additional_restriction"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AdditionalRestriction {
    #[doc = "Policy\n\nDetailed information about the policy document that defines this restriction, including policy metadata, type, scope, and the specific rules or conditions that implement the access control.\n\nrequired"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Status\n\nThe current status of the policy restriction, normalized to the caption of the <code>status_id</code> enum value.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier indicating the applicability of this policy restriction.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
}
#[doc = "Advisory\n\nThe Advisory object represents publicly disclosed cybersecurity vulnerabilities defined in a Security advisory. e.g. <code> Microsoft KB Article</code>, <code>Apple Security Advisory</code>, or a <code>GitHub Security Advisory (GHSA)</code>\n\n[] Category:  | Name: advisory"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Advisory {
    #[doc = "Average Timespan\n\nThe average time to patch.\n\noptional"]
    #[serde(rename = "avg_timespan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub avg_timespan: Option<Box<Timespan>>,
    #[doc = "Patch Bulletin\n\nThe Advisory bulletin identifier.\n\noptional"]
    #[serde(rename = "bulletin")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bulletin: Option<String>,
    #[doc = "Classification\n\nThe vendors classification of the Advisory.\n\noptional"]
    #[serde(rename = "classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub classification: Option<String>,
    #[doc = "Created Time\n\nThe time when the Advisory record was created.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the Advisory record was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Description\n\nA brief description of the Advisory Record.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Install State\n\nThe install state of the Advisory.\n\nrecommended"]
    #[serde(rename = "install_state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub install_state: Option<String>,
    #[doc = "Install State ID\n\nThe normalized install state ID of the Advisory.\n\nrecommended"]
    #[serde(rename = "install_state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub install_state_id: Option<i64>,
    #[doc = "The patch is superseded.\n\nThe Advisory has been replaced by another.\n\noptional"]
    #[serde(rename = "is_superseded")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_superseded: Option<bool>,
    #[doc = "Modified Time\n\nThe time when the Advisory record was last updated.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the Advisory record was last updated.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "OS\n\nThe operating system the Advisory applies to.\n\nrecommended"]
    #[serde(rename = "os")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub os: Option<Box<Os>>,
    #[doc = "Product\n\nThe product where the vulnerability was discovered.\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "References\n\nA list of reference URLs with additional information about the vulnerabilities disclosed in the Advisory.\n\nrecommended"]
    #[serde(rename = "references")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub references: Option<Vec<String>>,
    #[doc = "Related CVEs\n\nA list of Common Vulnerabilities and Exposures <a target='_blank' href='https://cve.mitre.org/'>(CVE)</a> identifiers related to the vulnerabilities disclosed in the Advisory.\n\noptional"]
    #[serde(rename = "related_cves")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_cves: Option<Vec<Cve>>,
    #[doc = "Related CWEs\n\nA list of Common Weakness Enumeration <a target='_blank' href='https://cwe.mitre.org/'>(CWE)</a> identifiers related to the vulnerabilities disclosed in the Advisory.\n\noptional"]
    #[serde(rename = "related_cwes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_cwes: Option<Vec<Cwe>>,
    #[doc = "Size\n\nThe size in bytes for the Advisory. Usually populated for a KB Article patch.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Source URL\n\nThe Advisory link from the source vendor.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Title\n\nA title or a brief phrase summarizing the Advisory.\n\nrecommended"]
    #[serde(rename = "title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub title: Option<String>,
    #[doc = "Advisory ID\n\nThe unique identifier assigned to the advisory or disclosed vulnerability, e.g, <code>GHSA-5mrr-rgp6-x4gr</code>.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Affected Code\n\nThe Affected Code object describes details about a code block identified as vulnerable.\n\n[] Category:  | Name: affected_code"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AffectedCode {
    #[doc = "End Column\n\nThe column number of the last part of the assessed code identified as vulnerable.\n\nrecommended"]
    #[serde(rename = "end_column")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_column: Option<i64>,
    #[doc = "End Line\n\nThe line number of the last line of code block identified as vulnerable.\n\nrecommended"]
    #[serde(rename = "end_line")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_line: Option<i64>,
    #[doc = "File\n\nDetails about the file that contains the affected code block.\n\nrequired"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Owner\n\nDetails about the user that owns the affected file.\n\noptional"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Related Rule\n\nDetails about the specific rule, e.g., those defined as part of a larger <code>policy</code>, that triggered the finding.\n\nrecommended"]
    #[serde(rename = "rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rule: Option<Box<Rule>>,
    #[doc = "Start Column\n\nThe column number of the first part of the assessed code identified as vulnerable.\n\nrecommended"]
    #[serde(rename = "start_column")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_column: Option<i64>,
    #[doc = "Start Line\n\nThe line number of the first line of code block identified as vulnerable.\n\nrecommended"]
    #[serde(rename = "start_line")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_line: Option<i64>,
}
#[doc = "Affected Software Package\n\nThe Affected Package object describes details about a software package identified as affected by a vulnerability/vulnerabilities.\n\n[] Category:  | Name: affected_package"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AffectedPackage {
    #[doc = "Architecture\n\nArchitecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.\n\nrecommended"]
    #[serde(rename = "architecture")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub architecture: Option<String>,
    #[doc = "The product CPE identifier\n\nThe Common Platform Enumeration (CPE) name as described by (<a target='_blank' href='https://nvd.nist.gov/products/cpe'>NIST</a>) For example: <code>cpe:/a:apple:safari:16.2</code>.\n\noptional"]
    #[serde(rename = "cpe_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpe_name: Option<String>,
    #[doc = "Epoch\n\nThe software package epoch. Epoch is a way to define weighted dependencies based on version numbers.\n\noptional"]
    #[serde(rename = "epoch")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub epoch: Option<i64>,
    #[doc = "Fixed In Version\n\nThe software package version in which a reported vulnerability was patched/fixed.\n\noptional"]
    #[serde(rename = "fixed_in_version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub fixed_in_version: Option<String>,
    #[doc = "Hash\n\nCryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.\n\noptional"]
    #[serde(rename = "hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hash: Option<Box<Fingerprint>>,
    #[doc = "Software License\n\nThe software license applied to this package.\n\noptional"]
    #[serde(rename = "license")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub license: Option<String>,
    #[doc = "Software License URL\n\nThe URL pointing to the license applied on package or software. This is typically a <code>LICENSE.md</code> file within a repository.\n\noptional"]
    #[serde(rename = "license_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub license_url: Option<String>,
    #[doc = "Name\n\nThe software package name.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Package Manager\n\nThe software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.\n\noptional"]
    #[serde(rename = "package_manager")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub package_manager: Option<String>,
    #[doc = "Package Manager URL\n\nThe URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link such as <code>AWS CodeArtifact</code> or <code>Artifactory</code>.\n\noptional"]
    #[serde(rename = "package_manager_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub package_manager_url: Option<String>,
    #[doc = "Path\n\nThe installation path of the affected package.\n\noptional"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Package URL\n\nA purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.\n\noptional"]
    #[serde(rename = "purl")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub purl: Option<String>,
    #[doc = "Software Release Details\n\nRelease is the number of times a version of the software has been packaged.\n\noptional"]
    #[serde(rename = "release")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub release: Option<String>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Source URL\n\nThe link to the specific library or package such as within <code>GitHub</code>, this is different from the link to the package manager where the library or package is hosted.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Type\n\nThe type of software package, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type of software package.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Package UID\n\nA unique identifier for the package or library reported by the source tool. E.g., the <code>libId</code> within the <code>sbom</code> field of an OX Security Issue or the SPDX <code>components.*.bom-ref</code>.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Vendor Name\n\nThe name of the vendor who published the software package.\n\noptional"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
    #[doc = "Version\n\nThe software package version.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Agent\n\nAn Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.\n\n[] Category:  | Name: agent\n\n**Constraints:**\n* at_least_one: `[uid`,`name]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Agent {
    #[doc = "Agent Name\n\nThe name of the agent or sensor. For example: <code>AWS SSM Agent</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Agent Policies\n\nDescribes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.\n\noptional"]
    #[serde(rename = "policies")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policies: Option<Vec<Policy>>,
    #[doc = "Agent Type\n\nThe normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Agent ID\n\nThe UID of the agent or sensor, sometimes known as a Sensor ID or <code>aid</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate Agent ID\n\nAn alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "Vendor Name\n\nThe company or author who created the agent or sensor. For example: <code>Crowdstrike</code>.\n\noptional"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
    #[doc = "Agent Version\n\nThe semantic version of the agent or sensor, e.g., <code>7.101.50.0</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "AI Model\n\nThe AI Model object describes the characteristics of an AI/ML model. Examples include language models like GPT-4, embedding models like text-embedding-ada-002, and computer vision models like CLIP.\n\n[] Category:  | Name: ai_model\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AiModel {
    #[doc = "AI Provider\n\nAI service provider or organization name. For example: <code>OpenAI</code>, <code>Anthropic</code>, <code>Google</code>, or <code>Internal</code>.\n\nrequired"]
    #[serde(rename = "ai_provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ai_provider: Option<String>,
    #[doc = "Name\n\nHuman-readable model name. For example: <code>gpt-4o</code>, <code>claude-3-sonnet</code>, or <code>text-embedding-ada-002</code>.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the AI model.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nModel version identifier. For example: <code>2024-05-13</code>, <code>v2.1.0</code>, or <code>beta</code>.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Aircraft\n\nThe Aircraft object represents any aircraft or otherwise airborne asset such as an unmanned system, airplane, balloon, spacecraft, or otherwise. The Aircraft object is intended to normalized data captured or otherwise logged from active radar, passive radar, multi-spectral systems, or the Automatic Dependant Broadcast - Surveillance (ADS-B), and/or Mode S systems.\n\n[] Category:  | Name: aircraft\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Aircraft {
    #[doc = "Geo Location\n\nThe detailed geographical location usually associated with an IP address.\n\nrecommended"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "Model\n\nThe model name of the aircraft or unmanned system.\n\noptional"]
    #[serde(rename = "model")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub model: Option<String>,
    #[doc = "Name\n\nThe name of the aircraft, such as the such as the flight name or callsign.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Serial Number\n\nThe serial number of the aircraft.\n\noptional"]
    #[serde(rename = "serial_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub serial_number: Option<String>,
    #[doc = "Speed\n\nGround speed of flight. This value is provided in meters per second with a minimum resolution of 0.25 m/s. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: 255 m/s</code>.\n\noptional"]
    #[serde(rename = "speed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub speed: Option<String>,
    #[doc = "Speed Accuracy\n\nProvides quality/containment on horizontal ground speed. Measured in meters/second.\n\noptional"]
    #[serde(rename = "speed_accuracy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub speed_accuracy: Option<String>,
    #[doc = "Track Direction\n\nDirection of flight expressed as a “True North-based” ground track angle. This value is provided in clockwise degrees with a minimum resolution of 1 degree. If aircraft is not moving horizontally, use the “Unknown” value\n\noptional"]
    #[serde(rename = "track_direction")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub track_direction: Option<String>,
    #[doc = "Unique ID\n\nThe primary identification identifier for an aircraft, such as the 24-bit International Civil Aviation Organization (ICAO) identifier of the aircraft, as 6 hex digits.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nA secondary identification identifier for an aircraft, such as the 4-digit squawk (octal representation).\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "Vertical Speed\n\nVertical speed upward relative to the WGS-84 datum, measured in meters per second. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: 63 m/s</code>.\n\noptional"]
    #[serde(rename = "vertical_speed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vertical_speed: Option<String>,
}
#[doc = "Analysis Target\n\nThe analysis target defines the scope of monitored activities, specifying what entity, system or process is analyzed for activity patterns.\n\n[] Category:  | Name: analysis_target"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AnalysisTarget {
    #[doc = "Name\n\nThe specific name or identifier of the analysis target, such as the username of a User Account, the name of a Kubernetes Cluster, the identifier of a Network Namespace, or the name of an Application Component.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Type\n\nThe category of the analysis target, such as User Account, Kubernetes Cluster, Network Namespace, or Application Component.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
}
#[doc = "Analytic\n\nThe Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.\n\n[] Category:  | Name: analytic\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Analytic {
    #[doc = "Algorithm\n\nThe algorithm used by the underlying analytic to generate the finding.\n\noptional"]
    #[serde(rename = "algorithm")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm: Option<String>,
    #[doc = "Category\n\nThe analytic category.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Description\n\nThe description of the analytic that generated the finding.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Name\n\nThe name of the analytic that generated the finding.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Related Analytics\n\nOther analytics related to this analytic.\n\noptional"]
    #[serde(rename = "related_analytics")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_analytics: Option<Vec<Analytic>>,
    #[doc = "State\n\nThe Analytic state.\n\noptional"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "State ID\n\nThe Analytic state identifier.\n\noptional"]
    #[serde(rename = "state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state_id: Option<i64>,
    #[doc = "Type\n\nThe analytic type.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe analytic type ID.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the analytic that generated the finding.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe analytic version. For example: <code>1.1</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Anomaly\n\nDescribes an anomaly or deviation detected in a system. Anomalies are unexpected activity patterns that could indicate potential issues needing attention.\n\n[] Category:  | Name: anomaly"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Anomaly {
    #[doc = "Observation Parameter\n\nThe specific parameter, metric or property where the anomaly was observed. Examples include: CPU usage percentage, API response time in milliseconds, HTTP error rate, memory utilization, network latency, transaction volume, etc. This helps identify the exact aspect of the system exhibiting anomalous behavior.\n\nrequired"]
    #[serde(rename = "observation_parameter")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_parameter: Option<String>,
    #[doc = "Observation Type\n\nThe type of analysis methodology used to detect the anomaly. This indicates how the anomaly was identified through different analytical approaches. Common types include: Frequency Analysis, Time Pattern Analysis, Volume Analysis, Sequence Analysis, Distribution Analysis, etc.\n\nrecommended"]
    #[serde(rename = "observation_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_type: Option<String>,
    #[doc = "Observations\n\nDetails about the observed anomaly or observations that were flagged as anomalous compared to expected baseline behavior.\n\nrequired"]
    #[serde(rename = "observations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observations: Option<Vec<Observation>>,
    #[doc = "Observed Pattern\n\nThe specific pattern identified within the observation type. For Frequency Analysis, this could be 'FREQUENT', 'INFREQUENT', 'RARE', or 'UNSEEN'. For Time Pattern Analysis, this could be 'BUSINESS_HOURS', 'OFF_HOURS', or 'UNUSUAL_TIME'. For Volume Analysis, this could be 'NORMAL_VOLUME', 'HIGH_VOLUME', or 'SURGE'. The pattern values are specific to each observation type and indicate how the observed behavior relates to the baseline.\n\nrecommended"]
    #[serde(rename = "observed_pattern")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observed_pattern: Option<String>,
}
#[doc = "Anomaly Analysis\n\nDescribes the analysis of activity patterns and anomalies of target entities to identify potential security threats, performance issues, or other deviations from established baselines. This includes monitoring and analyzing user interactions, API usage, resource utilization, access patterns and other measured indicators.\n\n[] Category:  | Name: anomaly_analysis"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AnomalyAnalysis {
    #[doc = "Analysis Targets\n\nThe analysis targets define the scope of monitored activities, specifying what entities, systems or processes are analyzed for activity patterns.\n\nrequired"]
    #[serde(rename = "analysis_targets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub analysis_targets: Option<Vec<AnalysisTarget>>,
    #[doc = "Anomalies\n\nList of detected activities that significantly deviate from the established baselines. This can include unusual access patterns, unexpected user-agents, abnormal API usage, suspicious traffic spikes, unauthorized access attempts, and other activities that may indicate potential security threats or system issues.\n\nrequired"]
    #[serde(rename = "anomalies")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub anomalies: Option<Vec<Anomaly>>,
    #[doc = "Baselines\n\nList of established patterns representing normal activity that serve as reference points for anomaly detection. This includes typical user interaction patterns like common user-agents, expected API access frequencies and patterns, standard resource utilization levels, and regular traffic flows. These baselines help establish what constitutes 'normal' activity in the system.\n\nrecommended"]
    #[serde(rename = "baselines")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub baselines: Option<Vec<Baseline>>,
}
#[doc = "API\n\nThe API, or Application Programming Interface, object represents  information pertaining to an API request and response.\n\n[] Category:  | Name: api"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Api {
    #[doc = "Group\n\nThe information pertaining to the API group.\n\noptional"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Operation\n\nVerb/Operation associated with the request\n\nrequired"]
    #[serde(rename = "operation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub operation: Option<String>,
    #[doc = "API Request Details\n\nDetails pertaining to the API request.\n\nrecommended"]
    #[serde(rename = "request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub request: Option<Box<Request>>,
    #[doc = "API Response Details\n\nDetails pertaining to the API response.\n\nrecommended"]
    #[serde(rename = "response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub response: Option<Box<Response>>,
    #[doc = "Service\n\nThe information pertaining to the API service.\n\noptional"]
    #[serde(rename = "service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service: Option<Box<Service>>,
    #[doc = "Version\n\nThe version of the API service.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Application\n\nAn Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.\n\n[] Category:  | Name: application\n\n**Constraints:**\n* at_least_one: `[uid`,`name]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Application {
    #[doc = "Business Criticality\n\nThe criticality of the application as defined by the event source.\n\noptional"]
    #[serde(rename = "criticality")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub criticality: Option<String>,
    #[doc = "Data\n\nAdditional data describing the application.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Application Description\n\nA description or commentary for an application, usually retrieved from an upstream system.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Group\n\nThe name of the related application or associated resource group.\n\noptional"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Hostname\n\nThe fully qualified name of the application.\n\noptional"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "Labels\n\nThe list of labels associated to the application.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Application Name\n\nThe name of the application.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Owner\n\nThe identity of the service or user account that owns the application.\n\nrecommended"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Region\n\nThe cloud region of the resource.\n\noptional"]
    #[serde(rename = "region")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    #[doc = "Application Relationship\n\nA graph representation showing how this application relates to and interacts with other entities in the environment. This can include parent/child relationships, dependencies, or other connections.\n\noptional"]
    #[serde(rename = "resource_relationship")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource_relationship: Option<Box<Graph>>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Related SBOM\n\nThe Software Bill of Materials (SBOM) associated with the application\n\noptional"]
    #[serde(rename = "sbom")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sbom: Option<Box<Sbom>>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the application.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Application Type\n\nThe type of application as defined by the event source, e.g., <code>GitHub</code>, <code>Azure Logic App</code>, or <code>Amazon Elastic BeanStalk</code>.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Application ID\n\nThe unique identifier for the application.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Application Alternative ID\n\nAn alternative or contextual identifier for the application, such as a configuration, organization, or license UID.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "URL\n\nThe URL of the application.\n\noptional"]
    #[serde(rename = "url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url: Option<Box<Url>>,
    #[doc = "Application Version\n\nThe semantic version of the application, e.g., <code>1.7.4</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Assessment\n\nThe Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera, or capture details of Microsoft Intune configuration policies.\n\n[] Category:  | Name: assessment\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Assessment {
    #[doc = "Category\n\nThe category that the assessment is part of. For example: <code>Prevention</code> or <code>Windows 10</code>.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Description\n\nThe description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.\n\nrecommended"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Meets Criteria\n\nDetermines whether the assessment against the specific configuration or signal meets the assessments criteria. For example, if the assessment checks if a <code>Datastore</code> is encrypted or not, having encryption would be evaluated as <code>true</code>.\n\nrequired"]
    #[serde(rename = "meets_criteria")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub meets_criteria: Option<bool>,
    #[doc = "Name\n\nThe name of the configuration or signal being assessed. For example: <code>Kernel Mode Code Integrity (KMCI)</code> or <code>publicAccessibilityState</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Assessment Policy\n\nThe details of any policy associated with an assessment.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Unique ID\n\nThe unique identifier of the configuration or signal being assessed. For example: the <code>signal_id</code>.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "MITRE ATT&CK® & ATLAS™\n\nThe MITRE ATT&CK® & ATLAS™ object describes the tactic, technique, sub-technique & mitigation associated to an attack.\n\n[] Category:  | Name: attack\n\n**Constraints:**\n* at_least_one: `[tactic`,`technique`,`sub_technique]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Attack {
    #[doc = "MITRE Mitigation\n\nThe Mitigation object describes the MITRE ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack.\n\noptional"]
    #[serde(rename = "mitigation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mitigation: Option<Box<Mitigation>>,
    #[doc = "MITRE Sub-technique\n\nThe Sub-technique object describes the MITRE ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack.\n\nrecommended"]
    #[serde(rename = "sub_technique")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sub_technique: Option<Box<SubTechnique>>,
    #[doc = "MITRE Tactic\n\nThe Tactic object describes the MITRE ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack.\n\nrecommended"]
    #[serde(rename = "tactic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tactic: Option<Box<Tactic>>,
    #[doc = "Tactics\n\nThe Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK® Matrix</a>.\n\noptional"]
    #[serde(rename = "tactics")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tactics: Option<Vec<Tactic>>,
    #[doc = "MITRE Technique\n\nThe Technique object describes the MITRE ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack.\n\nrecommended"]
    #[serde(rename = "technique")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub technique: Option<Box<Technique>>,
    #[doc = "Version\n\nThe ATT&CK® or ATLAS™ Matrix version.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Authentication Factor\n\nAn Authentication Factor object describes a category of methods used for identity verification in an authentication attempt.\n\n[] Category:  | Name: auth_factor"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AuthFactor {
    #[doc = "Device\n\nDevice used to complete an authentication request.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Email Address\n\nThe email address used in an email-based authentication factor.\n\noptional"]
    #[serde(rename = "email_addr")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_addr: Option<String>,
    #[doc = "Factor Type\n\nThe type of authentication factor used in an authentication attempt.\n\nrecommended"]
    #[serde(rename = "factor_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub factor_type: Option<String>,
    #[doc = "Factor Type ID\n\nThe normalized identifier for the authentication factor.\n\nrequired"]
    #[serde(rename = "factor_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub factor_type_id: Option<i64>,
    #[doc = "HMAC-based One-time Password (HOTP)\n\nWhether the authentication factor is an HMAC-based One-time Password (HOTP).\n\nrecommended"]
    #[serde(rename = "is_hotp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_hotp: Option<bool>,
    #[doc = "Time-based One-time Password (TOTP)\n\nWhether the authentication factor is a Time-based One-time Password (TOTP).\n\nrecommended"]
    #[serde(rename = "is_totp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_totp: Option<bool>,
    #[doc = "Phone Number\n\nThe phone number used for a telephony-based authentication request.\n\noptional"]
    #[serde(rename = "phone_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub phone_number: Option<String>,
    #[doc = "Provider\n\nThe name of provider for an authentication factor.\n\nrecommended"]
    #[serde(rename = "provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub provider: Option<String>,
    #[doc = "Security Questions\n\nThe question(s) provided to user for a question-based authentication factor.\n\noptional"]
    #[serde(rename = "security_questions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub security_questions: Option<Vec<String>>,
}
#[doc = "Authentication Token\n\nThe Authentication Token object represents standardized authentication tokens, tickets, or assertions that conform to established authentication protocols such as Kerberos, OIDC, and SAML. These tokens are issued by authentication servers and identity providers and carry protocol-specific metadata, lifecycle information, and security attributes defined by their respective specifications.\n\n[] Category:  | Name: authentication_token"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AuthenticationToken {
    #[doc = "Created Time\n\nThe time that the authentication token was created.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time that the authentication token was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Encryption Details\n\nThe encryption details of the authentication token.\n\nrecommended"]
    #[serde(rename = "encryption_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub encryption_details: Option<Box<EncryptionDetails>>,
    #[doc = "Expiration Time\n\nThe expiration time of the authentication token.\n\noptional"]
    #[serde(rename = "expiration_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time: Option<i64>,
    #[doc = "Expiration Time\n\nThe expiration time of the authentication token.\n\noptional"]
    #[serde(rename = "expiration_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time_dt: Option<String>,
    #[doc = "Renewable\n\nIndicates whether the authentication token is renewable.\n\noptional"]
    #[serde(rename = "is_renewable")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_renewable: Option<bool>,
    #[doc = "Kerberos Flags\n\nA bitmask, either in hexadecimal or decimal form, which encodes various attributes or permissions associated with a Kerberos ticket. These flags delineate specific characteristics of the ticket, such as its renewability or forwardability.\n\nrecommended"]
    #[serde(rename = "kerberos_flags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kerberos_flags: Option<String>,
    #[doc = "Type\n\nThe type of the authentication token.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe normalized authentication token type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
}
#[doc = "Authorization Result\n\nThe Authorization Result object provides details about the authorization outcome and associated policies related to activity.\n\n[] Category:  | Name: authorization"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Authorization {
    #[doc = "Authorization Decision/Outcome\n\nAuthorization Result/outcome, e.g. allowed, denied.\n\nrecommended"]
    #[serde(rename = "decision")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub decision: Option<String>,
    #[doc = "Policy\n\nDetails about the Identity/Access management policies that are applicable.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
}
#[doc = "Autonomous System\n\nAn autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.\n\n[] Category:  | Name: autonomous_system\n\n**Constraints:**\n* at_least_one: `[number`,`name]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct AutonomousSystem {
    #[doc = "Name\n\nOrganization name for the Autonomous System.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Number\n\nUnique number that the AS is identified by.\n\nrecommended"]
    #[serde(rename = "number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub number: Option<i64>,
}
#[doc = "Baseline\n\nDescribes the baseline or expected behavior of a system, service, or component based on historical observations and measurements. It establishes reference points for comparison to detect anomalies, trends, and deviations from typical patterns.\n\n[] Category:  | Name: baseline"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Baseline {
    #[doc = "Observation Parameter\n\nThe specific parameter or property being monitored. Examples include: CPU usage percentage, API response time in milliseconds, HTTP error rate, memory utilization, network latency, transaction volume, etc.\n\nrequired"]
    #[serde(rename = "observation_parameter")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_parameter: Option<String>,
    #[doc = "Observation Type\n\nThe type of analysis being performed to establish baseline behavior. Common types include: Frequency Analysis, Time Pattern Analysis, Volume Analysis, Sequence Analysis, Distribution Analysis, etc.\n\nrecommended"]
    #[serde(rename = "observation_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observation_type: Option<String>,
    #[doc = "Observations\n\nCollection of actual measured values, data points and observations recorded for this baseline.\n\nrequired"]
    #[serde(rename = "observations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observations: Option<Vec<Observation>>,
    #[doc = "Observed Pattern\n\nThe specific pattern identified within the observation type. For Frequency Analysis, this could be 'FREQUENT', 'INFREQUENT', 'RARE', or 'UNSEEN'. For Time Pattern Analysis, this could be 'BUSINESS_HOURS', 'OFF_HOURS', or 'UNUSUAL_TIME'. For Volume Analysis, this could be 'NORMAL_VOLUME', 'HIGH_VOLUME', or 'SURGE'. The pattern values are specific to each observation type and indicate the baseline behavior.\n\nrecommended"]
    #[serde(rename = "observed_pattern")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observed_pattern: Option<String>,
}
#[doc = "Campaign\n\nCampaign represent organized efforts by threat actors to achieve malicious objectives over a period, often characterized by shared tactics, techniques, and procedures (TTPs).\n\n[] Category:  | Name: campaign"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Campaign {
    #[doc = "Name\n\nThe name of a specific campaign associated with a cyber threat.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
}
#[doc = "Digital Certificate\n\nThe Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity.\n\n[] Category:  | Name: certificate"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Certificate {
    #[doc = "Created Time\n\nThe time when the certificate was created.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the certificate was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Expiration Time\n\nThe expiration time of the certificate.\n\nrecommended"]
    #[serde(rename = "expiration_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time: Option<i64>,
    #[doc = "Expiration Time\n\nThe expiration time of the certificate.\n\noptional"]
    #[serde(rename = "expiration_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time_dt: Option<String>,
    #[doc = "Fingerprints\n\nThe fingerprint list of the certificate.\n\nrecommended"]
    #[serde(rename = "fingerprints")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub fingerprints: Option<Vec<Fingerprint>>,
    #[doc = "Certificate Self-Signed\n\nDenotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).\n\nrecommended"]
    #[serde(rename = "is_self_signed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_self_signed: Option<bool>,
    #[doc = "Issuer Distinguished Name\n\nThe certificate issuer distinguished name.\n\nrequired"]
    #[serde(rename = "issuer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub issuer: Option<String>,
    #[doc = "Subject Alternative Names\n\nThe list of subject alternative names that are secured by a specific certificate.\n\noptional"]
    #[serde(rename = "sans")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sans: Option<Vec<San>>,
    #[doc = "Certificate Serial Number\n\nThe serial number of the certificate used to create the digital signature.\n\nrequired"]
    #[serde(rename = "serial_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub serial_number: Option<String>,
    #[doc = "Subject Distinguished Name\n\nThe certificate subject distinguished name.\n\nrecommended"]
    #[serde(rename = "subject")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subject: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the certificate.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe certificate version.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Check\n\nThe check object defines a specific, testable compliance verification point that evaluates a target device against a standard, framework, or custom requirement. While checks are typically associated with formal standards (like CIS, NIST, or ISO), they can also represent custom or organizational requirements. When mapped to controls, checks can evaluate specific control_parameters to determine compliance status, but neither the control mapping nor control_parameters are required for a valid check.\n\n[] Category:  | Name: check"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Check {
    #[doc = "Description\n\nThe detailed description of the compliance check, explaining the security requirement, vulnerability, or configuration being assessed. For example, CIS: <code>The cramfs filesystem type is a compressed read-only Linux filesystem. Removing support for unneeded filesystem types reduces the local attack surface.</code> or DISA STIG: <code>Unauthorized access to the information system by foreign entities may result in loss or compromise of data.</code>\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Name\n\nThe name or title of the compliance check. For example, CIS: <code>Ensure mounting of cramfs filesystems is disabled</code> or DISA STIG: <code>The Ubuntu operating system must implement DoD-approved encryption to protect the confidentiality of remote access sessions</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Severity\n\nThe severity level as defined in the source document. For example CIS Benchmarks, valid values are: <code>Level 1</code> (security-forward, essential settings), <code>Level 2</code> (security-focused environment, more restrictive), or <code>Scored/Not Scored</code> (whether compliance can be automatically checked). For DISA STIG, valid values are: <code>CAT I</code> (maps to severity_id 5/Critical), <code>CAT II</code> (maps to severity_id 4/High), or <code>CAT III</code> (maps to severity_id 3/Medium).\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\nThe normalized severity identifier that maps severity levels to standard severity levels. For example CIS Benchmark: <code>Level 2</code> maps to <code>4</code> (High), <code>Level 1</code> maps to <code>3</code> (Medium). For DISA STIG: <code>CAT I</code> maps to <code>5</code> (Critical), <code>CAT II</code> maps to <code>4</code> (High), and <code>CAT III</code> maps to <code>3</code> (Medium).\n\noptional"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Compliance Standards: List\n\nThe regulatory or industry standard this check is associated with. E.g., <code>PCI DSS 3.2.1</code>, <code>HIPAA Security Rule</code>, <code>NIST SP 800-53 Rev. 5</code>, or <code>ISO/IEC 27001:2013</code>.\n\nrecommended"]
    #[serde(rename = "standards")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub standards: Option<Vec<String>>,
    #[doc = "Status\n\nThe resultant status of the compliance check normalized to the caption of the <code>status_id</code> value. For example, CIS Benchmark: <code>Pass</code> when all requirements are met, <code>Fail</code> when requirements are not met, or DISA STIG: <code>NotAFinding</code> (maps to status_id 1/Pass), <code>Open</code> (maps to status_id 3/Fail).\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status ID\n\nThe normalized status identifier of the compliance check.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the compliance check within its standard or framework. For example, CIS Benchmark identifier <code>1.1.1.1</code>, DISA STIG identifier <code>V-230234</code>, or NIST control identifier <code>AC-17(2)</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe check version. For example, CIS Benchmark: <code>1.1.0</code> for Amazon Linux 2 or DISA STIG: <code>V2R1</code> for Windows 10.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "CIS Benchmark\n\nThe CIS Benchmark object describes best practices for securely configuring IT systems, software, networks, and cloud infrastructure as defined by the <a target='_blank' href='https://www.cisecurity.org/cis-benchmarks/'>Center for Internet Security</a>. See also <a target='_blank' href='https://www.cisecurity.org/insights/blog/getting-to-know-the-cis-benchmarks'>Getting to Know the CIS Benchmarks</a>.\n\n[] Category:  | Name: cis_benchmark"]
#[deprecated(note = "Use the Compliance object with Checks object instead. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct CisBenchmark {
    #[doc = "CIS Controls\n\nThe CIS Critical Security Controls is a prioritized set of actions to protect your organization and data from cyber-attack vectors.\n\nrecommended"]
    #[serde(rename = "cis_controls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cis_controls: Option<Vec<CisControl>>,
    #[doc = "Description\n\nThe CIS Benchmark description. For example: <i>The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.</i>\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Name\n\nThe CIS Benchmark name. For example: <i>Ensure mounting of cramfs filesystems is disabled.</i>\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
}
#[doc = "CIS Benchmark Result\n\nThe CIS Benchmark Result object contains information as defined by the Center for Internet Security (<a target='_blank' href='https://www.cisecurity.org/cis-benchmarks/'>CIS</a>) benchmark result. CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.\n\n[] Category:  | Name: cis_benchmark_result"]
#[deprecated(note = "Use the Compliance object with Checks object instead. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct CisBenchmarkResult {
    #[doc = "Description\n\nThe CIS benchmark description.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Name\n\nThe CIS benchmark name.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Rule\n\nThe CIS benchmark rule.\n\noptional"]
    #[serde(rename = "rule")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rule: Option<Box<Rule>>,
}
#[doc = "CIS Control\n\nThe CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors. The <a target='_blank' href='https://www.cisecurity.org/controls'>CIS Controls</a> are defined by the Center for Internet Security.\n\n[] Category:  | Name: cis_control"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct CisControl {
    #[doc = "Description\n\nThe CIS Control description. For example: <i>Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.</i>\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Name\n\nThe CIS Control name. For example: <i>4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software.</i>\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Version\n\nThe CIS Control version. For example: <i>v8</i>.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "CIS CSC\n\nThe CIS Critical Security Control (CSC) contains information as defined by the Center for Internet Security Critical Security Control <a target='_blank' href='https://www.cisecurity.org/controls'>(CIS CSC)</a>. Prioritized set of actions to protect your organization and data from cyber-attack vectors.\n\n[] Category:  | Name: cis_csc"]
#[deprecated(note = "Use the cis_control object instead. (Since 1.5.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct CisCsc {
    #[doc = "Security Control\n\nA Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.\n\nrequired"]
    #[serde(rename = "control")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub control: Option<String>,
    #[doc = "Version\n\nThe CIS critical security control version.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Classifier Details\n\nThe Classifier Details object describes details about the classifier used for data classification.\n\n[] Category:  | Name: classifier_details"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ClassifierDetails {
    #[doc = "Name\n\nThe name of the classifier.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Type\n\nThe type of the classifier.\n\nrequired"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the classifier.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Cloud\n\nThe Cloud object describes the cloud computing environment where an event or finding originated. It provides comprehensive context about the cloud infrastructure, including the cloud service provider, account or subscription details, organizational structure, geographic regions, availability zones, and logical partitions.\n\n[] Category:  | Name: cloud"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Cloud {
    #[doc = "Account\n\nThe Account object containing details about the cloud account, subscription, or billing unit where the event or finding was created. This object includes properties such as the account name, unique identifier, type, labels, and tags.<br/><br/><strong>Examples:</strong><ul><li><strong>AWS:</strong> Account object with <code>name</code>, <code>uid</code> (Account ID), <code>type</code>, and other account properties</li><li><strong>Azure:</strong> Subscription object with <code>name</code>, <code>uid</code> (Subscription ID), <code>type</code>, and subscription metadata</li><li><strong>GCP:</strong> Project object with <code>name</code>, <code>uid</code> (Project ID), <code>type</code>, and project attributes</li><li><strong>Oracle Cloud:</strong> Compartment object with <code>name</code>, <code>uid</code> (Tenancy OCID), <code>type</code>, and compartment details</li></ul>\n\noptional"]
    #[serde(rename = "account")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub account: Option<Box<Account>>,
    #[doc = "Cloud Partition\n\nThe logical grouping or isolated segment within a cloud provider's infrastructure where the event or finding was created, often used for compliance, governance, or regional separation.<br/><br/><strong>Examples:</strong><ul><li><strong>AWS:</strong> Partition where the event occurred (<code>aws</code>, <code>aws-cn</code>, <code>aws-us-gov</code>)</li><li><strong>Azure:</strong> Cloud environment where the event occurred (<code>AzureCloud</code>, <code>AzureUSGovernment</code>, <code>AzureChinaCloud</code>)</li></ul>\n\noptional"]
    #[serde(rename = "cloud_partition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud_partition: Option<String>,
    #[doc = "Organization\n\nThe Organization object containing details about the organizational unit or management structure that governs the account, subscription, or project where the event or finding was created. This object includes properties such as the organization name, unique identifier, type, and other organizational metadata.<br/><br/><strong>Examples:</strong><ul><li><strong>AWS:</strong> Organization object with <code>name</code>, <code>uid</code> (Organization ID), <code>type</code>, and other organizational properties</li><li><strong>Azure:</strong> Management Group object with <code>name</code>, <code>uid</code> (Management Group ID), <code>type</code>, and management group metadata</li><li><strong>GCP:</strong> Organization object with <code>name</code>, <code>uid</code> (Organization ID), <code>type</code>, and organizational attributes</li><li><strong>Oracle Cloud:</strong> Tenancy object with <code>name</code>, <code>uid</code> (Tenancy OCID), <code>type</code>, and tenancy details</li></ul>\n\noptional"]
    #[serde(rename = "org")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub org: Option<Box<Organization>>,
    #[doc = "Project ID\n\nThe unique identifier of a Cloud project.\n\noptional"]
    #[serde(rename = "project_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub project_uid: Option<String>,
    #[doc = "Provider\n\nThe unique name of the Cloud services provider where the event or finding was created, such as AWS, MS Azure, GCP, etc.\n\nrequired"]
    #[serde(rename = "provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub provider: Option<String>,
    #[doc = "Region\n\nThe cloud region where the event or finding was created, as defined by the cloud provider.<br/><br/><strong>Examples:</strong><ul><li><strong>AWS:</strong> Region where the event occurred (<code>us-east-1</code>, <code>eu-west-1</code>)</li><li><strong>Azure:</strong> Region where the event occurred (<code>East US</code>, <code>West Europe</code>)</li><li><strong>GCP:</strong> Region where the event occurred (<code>us-central1</code>, <code>europe-west1</code>)</li><li><strong>Oracle Cloud:</strong> Region where the event occurred (<code>us-ashburn-1</code>, <code>uk-london-1</code>)</li></ul>\n\nrecommended"]
    #[serde(rename = "region")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    #[doc = "Cloud Availability Zone\n\nThe availability zone in the cloud region where the event or finding was created, as defined by the cloud provider.<br/><br/><strong>Examples:</strong><ul><li><strong>AWS:</strong> Availability zone where the event occurred (<code>us-east-1a</code>, <code>us-east-1b</code>)</li><li><strong>Azure:</strong> Availability zone where the event occurred (<code>1</code>, <code>2</code>, <code>3</code> within a region)</li><li><strong>GCP:</strong> Availability zone where the event occurred (<code>us-central1-a</code>, <code>us-central1-b</code>)</li><li><strong>Oracle Cloud:</strong> Availability zone where the event occurred (<code>AD-1</code>, <code>AD-2</code>, <code>AD-3</code>)</li></ul>\n\noptional"]
    #[serde(rename = "zone")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub zone: Option<String>,
}
#[doc = "Compliance\n\nThe Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements or details about custom assessments utilized in a compliance evaluation. Standards define broad security frameworks, controls represent specific security requirements within those frameworks, and checks are the testable verification points used to determine if controls are properly implemented.\n\n[] Category:  | Name: compliance"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Compliance {
    #[doc = "Assessments\n\nA list of assessments associated with the compliance requirements evaluation.\n\noptional"]
    #[serde(rename = "assessments")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub assessments: Option<Vec<Assessment>>,
    #[doc = "Category\n\nThe category a control framework pertains to, as reported by the source tool, such as <code>Asset Management</code> or <code>Risk Assessment</code>.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Compliance Checks\n\nA list of compliance checks associated with specific industry standards or frameworks. Each check represents an individual rule or requirement that has been evaluated against a target device. Checks typically include details such as the check name (e.g., CIS: 'Ensure mounting of cramfs filesystems is disabled' or DISA STIG descriptive titles), unique identifiers (such as CIS identifier '1.1.1.1' or DISA STIG identifier 'V-230234'), descriptions (detailed explanations of security requirements or vulnerability discussions), and version information.\n\noptional"]
    #[serde(rename = "checks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub checks: Option<Vec<Check>>,
    #[doc = "Compliance Standard References\n\nA list of reference KB articles that provide information to help organizations understand, interpret, and implement compliance standards. They provide guidance, best practices, and examples.\n\noptional"]
    #[serde(rename = "compliance_references")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub compliance_references: Option<Vec<KbArticle>>,
    #[doc = "Compliance Standards: Details\n\nA list of established guidelines or criteria that define specific requirements an organization must follow.\n\noptional"]
    #[serde(rename = "compliance_standards")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub compliance_standards: Option<Vec<KbArticle>>,
    #[doc = "Security Control\n\nA Control is a prescriptive, actionable set of specifications that strengthens device posture. The control specifies required security measures, while the specific implementation values are defined in control_parameters. E.g., CIS AWS Foundations Benchmark 1.2.0 - Control 2.1 - Ensure CloudTrail is enabled in all regions\n\nrecommended"]
    #[serde(rename = "control")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub control: Option<String>,
    #[doc = "Control Parameters\n\nThe list of control parameters evaluated in a Compliance check. E.g., parameters for CloudTrail configuration might include <code>multiRegionTrailEnabled: true</code>, <code>logFileValidationEnabled: true</code>, and <code>requiredRegions: [us-east-1, us-west-2]</code>\n\noptional"]
    #[serde(rename = "control_parameters")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub control_parameters: Option<Vec<KeyValueObject>>,
    #[doc = "Description\n\nThe description or criteria of a control.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Compliance Requirements\n\nThe specific compliance requirements being evaluated. E.g., <code>PCI DSS Requirement 8.2.3 - Passwords must meet minimum complexity requirements</code> or <code>HIPAA Security Rule 164.312(a)(2)(iv) - Implement encryption and decryption mechanisms</code>\n\noptional"]
    #[serde(rename = "requirements")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub requirements: Option<Vec<String>>,
    #[doc = "Compliance Standards: List\n\nThe regulatory or industry standards being evaluated for compliance.\n\nrecommended"]
    #[serde(rename = "standards")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub standards: Option<Vec<String>>,
    #[doc = "Status\n\nThe resultant status of the compliance check normalized to the caption of the <code>status_id</code> value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Code\n\nThe resultant status code of the compliance check.\n\noptional"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Status Detail\n\nThe contextual description of the <code>status, status_code</code> values.\n\noptional"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Status Details\n\nA list of contextual descriptions of the <code>status, status_code</code> values.\n\noptional"]
    #[serde(rename = "status_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_details: Option<Vec<String>>,
    #[doc = "Status ID\n\nThe normalized status identifier of the compliance check.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
}
#[doc = "Container\n\nThe Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.\n\n[] Category:  | Name: container\n\n**Constraints:**\n* at_least_one: `[uid`,`name]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Container {
    #[doc = "Hash\n\nCommit hash of image created for docker or the SHA256 hash of the container. For example: <code>13550340a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de</code>.\n\nrecommended"]
    #[serde(rename = "hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hash: Option<Box<Fingerprint>>,
    #[doc = "Image\n\nThe container image used as a template to run the container.\n\nrecommended"]
    #[serde(rename = "image")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub image: Option<Box<Image>>,
    #[doc = "Labels\n\nThe list of labels associated to the container.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Name\n\nThe container name.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Network Driver\n\nThe network driver used by the container. For example, bridge, overlay, host, none, etc.\n\noptional"]
    #[serde(rename = "network_driver")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_driver: Option<String>,
    #[doc = "Orchestrator\n\nThe orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift.\n\noptional"]
    #[serde(rename = "orchestrator")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub orchestrator: Option<String>,
    #[doc = "Pod UUID\n\nThe unique identifier of the pod (or equivalent) that the container is executing on.\n\noptional"]
    #[serde(rename = "pod_uuid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pod_uuid: Option<String>,
    #[doc = "Runtime\n\nThe backend running the container, such as containerd or cri-o.\n\noptional"]
    #[serde(rename = "runtime")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub runtime: Option<String>,
    #[doc = "Size\n\nThe size of the container image.\n\nrecommended"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Image Tag\n\nThe tag used by the container. It can indicate version, format, OS.\n\noptional"]
    #[serde(rename = "tag")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tag: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the container.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Unique ID\n\nThe full container unique identifier for this instantiation of the container. For example: <code>ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "CVE\n\nThe Common Vulnerabilities and Exposures (CVE) object represents publicly disclosed cybersecurity vulnerabilities defined in CVE Program catalog (<a target='_blank' href='https://cve.mitre.org/'>CVE</a>). There is one CVE Record for each vulnerability in the catalog.\n\n[] Category:  | Name: cve"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Cve {
    #[doc = "Created Time\n\nThe Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "CVSS Score\n\nThe CVSS object details Common Vulnerability Scoring System (<a target='_blank' href='https://www.first.org/cvss/'>CVSS</a>) scores from the advisory that are related to the vulnerability.\n\nrecommended"]
    #[serde(rename = "cvss")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cvss: Option<Vec<Cvss>>,
    #[doc = "CWE\n\nThe CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the <a target='_blank' href='https://cwe.mitre.org/'>Common Weakness Enumeration (CWE)</a> catalog.\n\noptional"]
    #[serde(rename = "cwe")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cwe: Option<Box<Cwe>>,
    #[doc = "CWE UID\n\nThe <a target='_blank' href='https://cwe.mitre.org/'>Common Weakness Enumeration (CWE)</a> unique identifier. For example: <code>CWE-787</code>.\n\noptional"]
    #[serde(rename = "cwe_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cwe_uid: Option<String>,
    #[doc = "CWE URL\n\nCommon Weakness Enumeration (CWE) definition URL. For example: <code>https://cwe.mitre.org/data/definitions/787.html</code>.\n\noptional"]
    #[serde(rename = "cwe_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cwe_url: Option<String>,
    #[doc = "Description\n\nA brief description of the CVE Record.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "EPSS\n\nThe Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (<a target='_blank' href='https://www.first.org/epss/'>EPSS</a>).\n\noptional"]
    #[serde(rename = "epss")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub epss: Option<Box<Epss>>,
    #[doc = "Modified Time\n\nThe Record Modified Date identifies when the CVE record was last updated.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe Record Modified Date identifies when the CVE record was last updated.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Product\n\nThe product where the vulnerability was discovered.\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "References\n\nA list of reference URLs with additional information about the CVE Record.\n\nrecommended"]
    #[serde(rename = "references")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub references: Option<Vec<String>>,
    #[doc = "Related CWEs\n\nDescribes the Common Weakness Enumeration <a target='_blank' href='https://cwe.mitre.org/'>(CWE)</a> details related to the CVE Record.\n\noptional"]
    #[serde(rename = "related_cwes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_cwes: Option<Vec<Cwe>>,
    #[doc = "Title\n\nA title or a brief phrase summarizing the CVE record.\n\nrecommended"]
    #[serde(rename = "title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub title: Option<String>,
    #[doc = "Vulnerability Type\n\n<p>The vulnerability type as selected from a large dropdown menu during CVE refinement.</p>Most frequently used vulnerability types are: <code>DoS</code>, <code>Code Execution</code>, <code>Overflow</code>, <code>Memory Corruption</code>, <code>Sql Injection</code>, <code>XSS</code>, <code>Directory Traversal</code>, <code>Http Response Splitting</code>, <code>Bypass something</code>, <code>Gain Information</code>, <code>Gain Privileges</code>, <code>CSRF</code>, <code>File Inclusion</code>. For more information see <a target='_blank' href='https://www.cvedetails.com/vulnerabilities-by-types.php'>Vulnerabilities By Type</a> distributions.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "CVE ID\n\nThe Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: <code>CVE-2021-12345</code>.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "CVSS Score\n\nThe Common Vulnerability Scoring System (<a target='_blank' href='https://www.first.org/cvss/'>CVSS</a>) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.\n\n[] Category:  | Name: cvss"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Cvss {
    #[doc = "Base Score\n\nThe CVSS base score. For example: <code>9.1</code>.\n\nrequired"]
    #[serde(rename = "base_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub base_score: Option<f64>,
    #[doc = "CVSS Depth\n\nThe CVSS depth represents a depth of the equation used to calculate CVSS score.\n\nrecommended"]
    #[serde(rename = "depth")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub depth: Option<String>,
    #[doc = "Metrics\n\nThe Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: <code>{ {\"Access Vector\", \"Network\"}, {\"Access Complexity\", \"Low\"}, ...}</code>.\n\noptional"]
    #[serde(rename = "metrics")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metrics: Option<Vec<Metric>>,
    #[doc = "Overall Score\n\nThe CVSS overall score, impacted by base, temporal, and environmental metrics. For example: <code>9.1</code>.\n\nrecommended"]
    #[serde(rename = "overall_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub overall_score: Option<f64>,
    #[doc = "Severity\n\n<p>The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score.</p><strong>CVSS v2.0</strong><ul><li>Low (0.0 – 3.9)</li><li>Medium (4.0 – 6.9)</li><li>High (7.0 – 10.0)</li></ul></p><strong>CVSS v3.0</strong><ul><li>None (0.0)</li><li>Low (0.1 - 3.9)</li><li>Medium (4.0 - 6.9)</li><li>High (7.0 - 8.9)</li><li>Critical (9.0 - 10.0)</li></ul>\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Source URL\n\nThe source URL for the CVSS score. For example: <code>https://nvd.nist.gov/vuln/detail/CVE-2021-44228</code>\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Vector String\n\nThe CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: <code>3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H</code>.\n\noptional"]
    #[serde(rename = "vector_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vector_string: Option<String>,
    #[doc = "Vendor Name\n\nThe vendor that provided the CVSS score. For example: <code>NVD, REDHAT</code> etc.\n\nrecommended"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
    #[doc = "Version\n\nThe CVSS version. For example: <code>3.1</code>.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "CWE\n\nThe CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the <a target='_blank' href='https://cwe.mitre.org/'>Common Weakness Enumeration (CWE)</a> catalog.\n\n[] Category:  | Name: cwe"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Cwe {
    #[doc = "Caption\n\nThe caption assigned to the Common Weakness Enumeration unique identifier.\n\noptional"]
    #[serde(rename = "caption")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub caption: Option<String>,
    #[doc = "Source URL\n\nURL pointing to the CWE Specification. For more information see <a target='_blank' href='https://cwe.mitre.org/'>CWE.</a>\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "CWE ID\n\nThe Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: <code>CWE-123</code>.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "MITRE D3FEND™ Tactic\n\nThe MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack.\n\n[] Category:  | Name: d3f_tactic\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct D3fTactic {
    #[doc = "Name\n\nThe tactic name that is associated with the defensive technique. For example: <code>Isolate</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Source URL\n\nThe versioned permalink of the defensive tactic. For example: <code>https://d3fend.mitre.org/tactic/d3f:Isolate/</code>.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the defensive tactic.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "MITRE D3FEND™ Technique\n\nThe MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure.\n\n[] Category:  | Name: d3f_technique\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct D3fTechnique {
    #[doc = "Name\n\nThe name of the defensive technique. For example: <code>IO Port Restriction</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Source URL\n\nThe versioned permalink of the defensive technique. For example: <code>https://d3fend.mitre.org/technique/d3f:IOPortRestriction/</code>.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the defensive technique. For example: <code>D3-IOPR</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "MITRE D3FEND™\n\nThe MITRE D3FEND™ object describes the tactic & technique associated with a countermeasure.\n\n[] Category:  | Name: d3fend\n\n**Constraints:**\n* at_least_one: `[d3f_tactic`,`d3f_technique]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct D3fend {
    #[doc = "MITRE D3FEND™ Tactic\n\nThe Tactic object describes the tactic ID and/or name that is associated with a countermeasure.\n\nrecommended"]
    #[serde(rename = "d3f_tactic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub d3f_tactic: Option<Box<D3fTactic>>,
    #[doc = "MITRE D3FEND™ Technique\n\nThe Technique object describes the technique ID and/or name associated with a countermeasure.\n\nrecommended"]
    #[serde(rename = "d3f_technique")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub d3f_technique: Option<Box<D3fTechnique>>,
    #[doc = "Version\n\nThe D3FEND™ Matrix version.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\n[] Category:  | Name: data_classification\n\n**Constraints:**\n* at_least_one: `[category_id`,`confidentiality_id]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DataClassification {
    #[doc = "Category\n\nThe name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Category ID\n\nThe normalized identifier of the data classification category.\n\nrecommended"]
    #[serde(rename = "category_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_id: Option<i64>,
    #[doc = "Classifier Details\n\nDescribes details about the classifier used for data classification.\n\nrecommended"]
    #[serde(rename = "classifier_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub classifier_details: Option<Box<ClassifierDetails>>,
    #[doc = "Confidentiality\n\nThe file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidentiality")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidentiality: Option<String>,
    #[doc = "Confidentiality ID\n\nThe normalized identifier of the file content confidentiality indicator.\n\nrecommended"]
    #[serde(rename = "confidentiality_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidentiality_id: Option<i64>,
    #[doc = "Discovery Details\n\nDetails about the data discovered by classification job.\n\noptional"]
    #[serde(rename = "discovery_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub discovery_details: Option<Vec<DiscoveryDetails>>,
    #[doc = "Policy\n\nDetails about the data policy that governs data handling and security measures related to classification.\n\noptional"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Size\n\nSize of the data classified.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Source URL\n\nThe source URL pointing towards the full classification job details.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Status\n\nThe resultant status of the classification job normalized to the caption of the <code>status_id</code> value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Details\n\nThe contextual description of the <code>status, status_id</code> value.\n\noptional"]
    #[serde(rename = "status_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_details: Option<Vec<String>>,
    #[doc = "Status ID\n\nThe normalized status identifier of the classification job.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Total\n\nThe total count of discovered entities, by the classification job.\n\noptional"]
    #[serde(rename = "total")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub total: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the classification job.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Data Security\n\nThe Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s).\n\n[] Category:  | Name: data_security\n\n**Constraints:**\n* at_least_one: `[category_id`,`confidentiality_id]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DataSecurity {
    #[doc = "Category\n\nThe name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Category ID\n\nThe normalized identifier of the data classification category.\n\nrecommended"]
    #[serde(rename = "category_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_id: Option<i64>,
    #[doc = "Classifier Details\n\nDescribes details about the classifier used for data classification.\n\nrecommended"]
    #[serde(rename = "classifier_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub classifier_details: Option<Box<ClassifierDetails>>,
    #[doc = "Confidentiality\n\nThe file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidentiality")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidentiality: Option<String>,
    #[doc = "Confidentiality ID\n\nThe normalized identifier of the file content confidentiality indicator.\n\nrecommended"]
    #[serde(rename = "confidentiality_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidentiality_id: Option<i64>,
    #[doc = "Data Lifecycle State\n\nThe name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.\n\noptional"]
    #[serde(rename = "data_lifecycle_state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_lifecycle_state: Option<String>,
    #[doc = "Data Lifecycle State ID\n\nThe stage or state that the data was in when it was assessed or scanned by a data security tool.\n\nrecommended"]
    #[serde(rename = "data_lifecycle_state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_lifecycle_state_id: Option<i64>,
    #[doc = "Detection Pattern\n\nSpecific pattern, algorithm, fingerprint, or model used for detection.\n\nrecommended"]
    #[serde(rename = "detection_pattern")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub detection_pattern: Option<String>,
    #[doc = "Detection System\n\nThe name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.\n\noptional"]
    #[serde(rename = "detection_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub detection_system: Option<String>,
    #[doc = "Detection System ID\n\nThe type of data security tool or system that the finding, detection, or alert originated from.\n\nrecommended"]
    #[serde(rename = "detection_system_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub detection_system_id: Option<i64>,
    #[doc = "Discovery Details\n\nDetails about the data discovered by classification job.\n\noptional"]
    #[serde(rename = "discovery_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub discovery_details: Option<Vec<DiscoveryDetails>>,
    #[doc = "Pattern Match\n\nA text, binary, file name, or datastore that matched against a detection rule.\n\noptional"]
    #[serde(rename = "pattern_match")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pattern_match: Option<String>,
    #[doc = "Policy\n\nDetails about the policy that triggered the finding.\n\nrecommended"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Size\n\nSize of the data classified.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Source URL\n\nThe source URL pointing towards the full classification job details.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Status\n\nThe resultant status of the classification job normalized to the caption of the <code>status_id</code> value. In the case of 'Other', it is defined by the event source.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Details\n\nThe contextual description of the <code>status, status_id</code> value.\n\noptional"]
    #[serde(rename = "status_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_details: Option<Vec<String>>,
    #[doc = "Status ID\n\nThe normalized status identifier of the classification job.\n\nrecommended"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Total\n\nThe total count of discovered entities, by the classification job.\n\noptional"]
    #[serde(rename = "total")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub total: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the classification job.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Database\n\nThe database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.\n\n[] Category:  | Name: database\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Database {
    #[doc = "Created Time\n\nThe time when the database was known to have been created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the database was known to have been created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Description\n\nThe description of the database.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Embedding Model\n\nModel used for creating embeddings (if applicable). For example: <code>text-embedding-ada-002</code> or <code>all-MiniLM-L6-v2</code>.\n\noptional"]
    #[serde(rename = "embedding_model")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub embedding_model: Option<String>,
    #[doc = "Groups\n\nThe group names to which the database belongs.\n\noptional"]
    #[serde(rename = "groups")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub groups: Option<Vec<Group>>,
    #[doc = "Modified Time\n\nThe most recent time when any changes, updates, or modifications were made within the database.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe most recent time when any changes, updates, or modifications were made within the database.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe database name, ordinarily as assigned by a database administrator.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Size\n\nThe size of the database in bytes.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Type\n\nThe database type.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe normalized identifier of the database type.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the database.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Databucket\n\nThe databucket object is a basic container that holds data, typically organized through the use of data partitions.\n\n[] Category:  | Name: databucket\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Databucket {
    #[doc = "Agent List\n\nA list of <code>agent</code> objects associated with a device, endpoint, or resource.\n\noptional"]
    #[serde(rename = "agent_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub agent_list: Option<Vec<Agent>>,
    #[doc = "Cloud Partition\n\nThe logical grouping or isolated segment within a cloud provider's infrastructure where the databucket is located.\n\noptional"]
    #[serde(rename = "cloud_partition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud_partition: Option<String>,
    #[doc = "Created Time\n\nThe time when the databucket was known to have been created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the databucket was known to have been created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Criticality\n\nThe criticality of the databucket as defined by the event source.\n\noptional"]
    #[serde(rename = "criticality")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub criticality: Option<String>,
    #[doc = "Data\n\nAdditional data describing the resource.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Description\n\nThe description of the databucket.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Encryption Details\n\nThe encryption details of the databucket. Should be populated if the databucket is encrypted.\n\noptional"]
    #[serde(rename = "encryption_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub encryption_details: Option<Box<EncryptionDetails>>,
    #[doc = "File\n\nDetails about the file/object within a databucket.\n\noptional"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Group\n\nThe name of the related resource group.\n\noptional"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Groups\n\nThe group names to which the databucket belongs.\n\noptional"]
    #[serde(rename = "groups")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub groups: Option<Vec<Group>>,
    #[doc = "Hostname\n\nThe fully qualified hostname of the databucket.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "IP Address\n\nThe IP address of the resource, in either IPv4 or IPv6 format.\n\nrecommended"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "Back Ups Configured\n\nIndicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the <code>cloudBackupEnabled</code> value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.\n\noptional"]
    #[serde(rename = "is_backed_up")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_backed_up: Option<bool>,
    #[doc = "Encrypted\n\nIndicates if the databucket is encrypted.\n\noptional"]
    #[serde(rename = "is_encrypted")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_encrypted: Option<bool>,
    #[doc = "Public\n\nIndicates if the databucket is publicly accessible.\n\nrecommended"]
    #[serde(rename = "is_public")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_public: Option<bool>,
    #[doc = "Labels\n\nThe list of labels associated to the resource.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Modified Time\n\nThe most recent time when any changes, updates, or modifications were made within the databucket.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe most recent time when any changes, updates, or modifications were made within the databucket.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe databucket name.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Namespace\n\nThe namespace is useful when similar entities exist that you need to keep separate.\n\noptional"]
    #[serde(rename = "namespace")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    #[doc = "Owner\n\nThe identity of the service or user account that owns the databucket.\n\nrecommended"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Region\n\nThe cloud region of the databucket.\n\noptional"]
    #[serde(rename = "region")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    #[doc = "Resource Relationship\n\nA graph representation showing how this databucket relates to and interacts with other entities in the environment. This can include parent/child relationships, dependencies, or other connections.\n\noptional"]
    #[serde(rename = "resource_relationship")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource_relationship: Option<Box<Graph>>,
    #[doc = "Size\n\nThe size of the databucket in bytes.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the resource.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Type\n\nThe databucket type.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe normalized identifier of the databucket type.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the databucket.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nThe alternative unique identifier of the resource.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "Version\n\nThe version of the resource. For example <code>1.2.3</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
    #[doc = "Cloud Availability Zone\n\nThe specific availability zone within a cloud region where the databucket is located.\n\noptional"]
    #[serde(rename = "zone")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub zone: Option<String>,
}
#[doc = "DCE/RPC\n\nThe DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments.\n\n[] Category:  | Name: dce_rpc"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DceRpc {
    #[doc = "Command\n\nThe request command (e.g. REQUEST, BIND).\n\nrecommended"]
    #[serde(rename = "command")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command: Option<String>,
    #[doc = "Command Response\n\nThe reply to the request command (e.g. RESPONSE, BINDACK or FAULT).\n\nrecommended"]
    #[serde(rename = "command_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub command_response: Option<String>,
    #[doc = "Flags\n\nThe list of interface flags.\n\nrequired"]
    #[serde(rename = "flags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub flags: Option<Vec<String>>,
    #[doc = "Opnum\n\nAn operation number used to identify a specific remote procedure call (RPC) method or a method in an interface.\n\nrecommended"]
    #[serde(rename = "opnum")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub opnum: Option<i64>,
    #[doc = "Remote Procedure Call Interface\n\nThe RPC Interface object describes the details pertaining to the remote procedure call interface.\n\nrequired"]
    #[serde(rename = "rpc_interface")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rpc_interface: Option<Box<RpcInterface>>,
}
#[doc = "Device\n\nThe Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.\n\n[] Category:  | Name: device\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Device {
    #[doc = "Agent List\n\nA list of <code>agent</code> objects associated with a device, endpoint, or resource.\n\noptional"]
    #[serde(rename = "agent_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub agent_list: Option<Vec<Agent>>,
    #[doc = "Autoscale UID\n\nThe unique identifier of the cloud autoscale configuration.\n\noptional"]
    #[serde(rename = "autoscale_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub autoscale_uid: Option<String>,
    #[doc = "Boot Time\n\nThe time the system was booted.\n\noptional"]
    #[serde(rename = "boot_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub boot_time: Option<i64>,
    #[doc = "Boot Time\n\nThe time the system was booted.\n\noptional"]
    #[serde(rename = "boot_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub boot_time_dt: Option<String>,
    #[doc = "Boot UID\n\nA unique identifier of the device that changes after every reboot. For example, the value of <code>/proc/sys/kernel/random/boot_id</code> from Linux's procfs.\n\noptional"]
    #[serde(rename = "boot_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub boot_uid: Option<String>,
    #[doc = "Container\n\nThe information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.\n\nrecommended"]
    #[serde(rename = "container")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub container: Option<Box<Container>>,
    #[doc = "Created Time\n\nThe time when the device was known to have been created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the device was known to have been created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Description\n\nThe description of the device, ordinarily as reported by the operating system.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Domain\n\nThe network domain where the device resides. For example: <code>work.example.com</code>.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "EID\n\nAn Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.\n\noptional"]
    #[serde(rename = "eid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub eid: Option<String>,
    #[doc = "First Seen\n\nThe initial discovery time of the device.\n\noptional"]
    #[serde(rename = "first_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time: Option<i64>,
    #[doc = "First Seen\n\nThe initial discovery time of the device.\n\noptional"]
    #[serde(rename = "first_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time_dt: Option<String>,
    #[doc = "Groups\n\nThe group names to which the device belongs. For example: <code>[\"Windows Laptops\", \"Engineering\"]</code>.\n\noptional"]
    #[serde(rename = "groups")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub groups: Option<Vec<Group>>,
    #[doc = "Hostname\n\nThe device hostname.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "Hardware Info\n\nThe endpoint hardware information.\n\noptional"]
    #[serde(rename = "hw_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hw_info: Option<Box<DeviceHwInfo>>,
    #[doc = "Hypervisor\n\nThe name of the hypervisor running on the device. For example, <code>Xen</code>, <code>VMware</code>, <code>Hyper-V</code>, <code>VirtualBox</code>, etc.\n\noptional"]
    #[serde(rename = "hypervisor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hypervisor: Option<String>,
    #[doc = "ICCID\n\nThe Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.\n\noptional"]
    #[serde(rename = "iccid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub iccid: Option<String>,
    #[doc = "Image\n\nThe image used as a template to run the virtual machine.\n\noptional"]
    #[serde(rename = "image")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub image: Option<Box<Image>>,
    #[doc = "IMEI\n\nThe International Mobile Equipment Identity that is associated with the device.\n\noptional"]
    #[serde(rename = "imei")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub imei: Option<String>,
    #[doc = "IMEI List\n\nThe International Mobile Equipment Identity values that are associated with the device.\n\noptional"]
    #[serde(rename = "imei_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub imei_list: Option<Vec<String>>,
    #[doc = "Instance ID\n\nThe unique identifier of a VM instance.\n\nrecommended"]
    #[serde(rename = "instance_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub instance_uid: Option<String>,
    #[doc = "Network Interface Name\n\nThe name of the network interface (e.g. eth2).\n\nrecommended"]
    #[serde(rename = "interface_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interface_name: Option<String>,
    #[doc = "Network Interface ID\n\nThe unique identifier of the network interface.\n\nrecommended"]
    #[serde(rename = "interface_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interface_uid: Option<String>,
    #[doc = "IP Address\n\nThe device IP address, in either IPv4 or IPv6 format.\n\noptional"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "Back Ups Configured\n\nIndicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the <code>cloudBackupEnabled</code> value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.\n\noptional"]
    #[serde(rename = "is_backed_up")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_backed_up: Option<bool>,
    #[doc = "Compliant Device\n\nThe event occurred on a compliant device.\n\noptional"]
    #[serde(rename = "is_compliant")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_compliant: Option<bool>,
    #[doc = "Managed Device\n\nThe event occurred on a managed device.\n\noptional"]
    #[serde(rename = "is_managed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_managed: Option<bool>,
    #[doc = "Mobile Account Active\n\nIndicates whether the device has an active mobile account. For example, this is indicated by the <code>itunesStoreAccountActive</code> value within JAMF Pro mobile devices.\n\noptional"]
    #[serde(rename = "is_mobile_account_active")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_mobile_account_active: Option<bool>,
    #[doc = "Personal Device\n\nThe event occurred on a personal device.\n\noptional"]
    #[serde(rename = "is_personal")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_personal: Option<bool>,
    #[doc = "Shared Device\n\nThe event occurred on a shared device.\n\noptional"]
    #[serde(rename = "is_shared")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_shared: Option<bool>,
    #[doc = "Supervised Device\n\nThe event occurred on a supervised device. Devices that are supervised are typically mobile devices managed by a Mobile Device Management solution and are restricted from specific behaviors such as Apple AirDrop.\n\noptional"]
    #[serde(rename = "is_supervised")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_supervised: Option<bool>,
    #[doc = "Trusted Device\n\nThe event occurred on a trusted device.\n\noptional"]
    #[serde(rename = "is_trusted")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_trusted: Option<bool>,
    #[doc = "Last Seen\n\nThe most recent discovery time of the device.\n\noptional"]
    #[serde(rename = "last_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time: Option<i64>,
    #[doc = "Last Seen\n\nThe most recent discovery time of the device.\n\noptional"]
    #[serde(rename = "last_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time_dt: Option<String>,
    #[doc = "Geo Location\n\nThe geographical location of the device.\n\noptional"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "MAC Address\n\nThe Media Access Control (MAC) address of the endpoint.\n\noptional"]
    #[serde(rename = "mac")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mac: Option<String>,
    #[doc = "MEID\n\nThe Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.\n\noptional"]
    #[serde(rename = "meid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub meid: Option<String>,
    #[doc = "Model\n\nThe model of the device. For example <code>ThinkPad X1 Carbon</code>.\n\noptional"]
    #[serde(rename = "model")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub model: Option<String>,
    #[doc = "Modified Time\n\nThe time when the device was last known to have been modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the device was last known to have been modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe alternate device name, ordinarily as assigned by an administrator. <p><b>Note:</b> The <b>Name</b> could be any other string that helps to identify the device, such as a phone number; for example <code>310-555-1234</code>.</p>\n\noptional"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Namespace PID\n\nIf running under a process namespace (such as in a container), the process identifier within that process namespace.\n\nrecommended"]
    #[serde(rename = "namespace_pid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub namespace_pid: Option<i64>,
    #[doc = "Network Interfaces\n\nThe physical or virtual network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.<p><b>Note:</b> The first element of the array is the network information that pertains to the event.</p>\n\noptional"]
    #[serde(rename = "network_interfaces")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_interfaces: Option<Vec<NetworkInterface>>,
    #[doc = "Organization\n\nOrganization and org unit related to the device.\n\noptional"]
    #[serde(rename = "org")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub org: Option<Box<Organization>>,
    #[doc = "OS\n\nThe endpoint operating system.\n\noptional"]
    #[serde(rename = "os")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub os: Option<Box<Os>>,
    #[doc = "OS Machine UUID\n\nThe operating system assigned Machine ID. In Windows, this is the value stored at the registry path: <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid</code>. In Linux, this is stored in the file: <code>/etc/machine-id</code>.\n\noptional"]
    #[serde(rename = "os_machine_uuid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub os_machine_uuid: Option<String>,
    #[doc = "Owner\n\nThe identity of the service or user account that owns the endpoint or was last logged into it.\n\nrecommended"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Region\n\nThe region where the virtual machine is located. For example, an AWS Region.\n\nrecommended"]
    #[serde(rename = "region")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Subnet\n\nThe subnet mask.\n\noptional"]
    #[serde(rename = "subnet")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subnet: Option<String>,
    #[doc = "Subnet UID\n\nThe unique identifier of a virtual subnet.\n\noptional"]
    #[serde(rename = "subnet_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subnet_uid: Option<String>,
    #[doc = "Type\n\nThe device type. For example: <code>unknown</code>, <code>server</code>, <code>desktop</code>, <code>laptop</code>, <code>tablet</code>, <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or <code>other</code>.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe device type ID.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique Device Identifier\n\nThe Apple assigned Unique Device Identifier (UDID). For iOS, iPadOS, tvOS, watchOS and visionOS devices, this is the UDID. For macOS devices, it is the Provisioning UDID. For example: <code>00008020-008D4548007B4F26</code>\n\noptional"]
    #[serde(rename = "udid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub udid: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nAn alternate unique identifier of the device if any. For example the ActiveDirectory DN.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "Vendor Name\n\nThe vendor for the device. For example <code>Dell</code> or <code>Lenovo</code>.\n\nrecommended"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
    #[doc = "VLAN\n\nThe Virtual LAN identifier.\n\noptional"]
    #[serde(rename = "vlan_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vlan_uid: Option<String>,
    #[doc = "VPC UID\n\nThe unique identifier of the Virtual Private Cloud (VPC).\n\noptional"]
    #[serde(rename = "vpc_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vpc_uid: Option<String>,
    #[doc = "Network Zone\n\nThe network zone or LAN segment.\n\noptional"]
    #[serde(rename = "zone")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub zone: Option<String>,
}
#[doc = "Device Hardware Info\n\nThe Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.\n\n[] Category:  | Name: device_hw_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DeviceHwInfo {
    #[doc = "BIOS Date\n\nThe BIOS date. For example: <code>03/31/16</code>.\n\noptional"]
    #[serde(rename = "bios_date")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bios_date: Option<String>,
    #[doc = "BIOS Manufacturer\n\nThe BIOS manufacturer. For example: <code>LENOVO</code>.\n\noptional"]
    #[serde(rename = "bios_manufacturer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bios_manufacturer: Option<String>,
    #[doc = "BIOS Version\n\nThe BIOS version. For example: <code>LENOVO G5ETA2WW (2.62)</code>.\n\noptional"]
    #[serde(rename = "bios_ver")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bios_ver: Option<String>,
    #[doc = "Chassis\n\nThe chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows <a target='_blank' href='https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-systemenclosure'>Windows Chassis Types</a>\n\noptional"]
    #[serde(rename = "chassis")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub chassis: Option<String>,
    #[doc = "CPU Architecture\n\nThe CPU architecture, normalized to the caption of the <code>cpu_architecture_id</code> value. In the case of <code>Other</code>, it is defined by the source.\n\noptional"]
    #[serde(rename = "cpu_architecture")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpu_architecture: Option<String>,
    #[doc = "CPU Architecture ID\n\nThe normalized identifier of the CPU architecture.\n\noptional"]
    #[serde(rename = "cpu_architecture_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpu_architecture_id: Option<i64>,
    #[doc = "CPU Bits\n\nThe cpu architecture, the number of bits used for addressing in memory. For example: <code>32</code> or <code>64</code>.\n\noptional"]
    #[serde(rename = "cpu_bits")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpu_bits: Option<i64>,
    #[doc = "CPU Cores\n\nThe number of processor cores in all installed processors. For Example: <code>42</code>.\n\noptional"]
    #[serde(rename = "cpu_cores")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpu_cores: Option<i64>,
    #[doc = "CPU Count\n\nThe number of physical processors on a system. For example: <code>1</code>.\n\noptional"]
    #[serde(rename = "cpu_count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpu_count: Option<i64>,
    #[doc = "Processor Speed\n\nThe speed of the processor in Mhz. For Example: <code>4200</code>.\n\noptional"]
    #[serde(rename = "cpu_speed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpu_speed: Option<i64>,
    #[doc = "Processor Type\n\nThe processor type. For example: <code>x86 Family 6 Model 37 Stepping 5</code>.\n\noptional"]
    #[serde(rename = "cpu_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpu_type: Option<String>,
    #[doc = "Desktop Display\n\nThe desktop display affiliated with the event\n\noptional"]
    #[serde(rename = "desktop_display")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desktop_display: Option<Box<Display>>,
    #[doc = "Keyboard Information\n\nThe keyboard detailed information.\n\noptional"]
    #[serde(rename = "keyboard_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub keyboard_info: Option<Box<KeyboardInfo>>,
    #[doc = "RAM Size\n\nThe total amount of installed RAM, in Megabytes. For example: <code>2048</code>.\n\noptional"]
    #[serde(rename = "ram_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ram_size: Option<i64>,
    #[doc = "Serial Number\n\nThe device manufacturer serial number.\n\noptional"]
    #[serde(rename = "serial_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub serial_number: Option<String>,
    #[doc = "UUID\n\nThe device manufacturer assigned universally unique hardware identifier. For SMBIOS compatible devices such as those running Linux and Windows, it is the UUID member of the System Information structure in the SMBIOS information. For macOS devices, it is the Hardware UUID (also known as IOPlatformUUID in the I/O Registry).\n\noptional"]
    #[serde(rename = "uuid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uuid: Option<String>,
    #[doc = "Vendor Name\n\nThe device manufacturer.\n\noptional"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
}
#[doc = "Digital Signature\n\nThe Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.\n\n[] Category:  | Name: digital_signature"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DigitalSignature {
    #[doc = "Algorithm\n\nThe digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "algorithm")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm: Option<String>,
    #[doc = "Algorithm ID\n\nThe identifier of the normalized digital signature algorithm.\n\nrequired"]
    #[serde(rename = "algorithm_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm_id: Option<i64>,
    #[doc = "Certificate\n\nThe certificate object containing information about the digital certificate.\n\nrecommended"]
    #[serde(rename = "certificate")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub certificate: Option<Box<Certificate>>,
    #[doc = "Created Time\n\nThe time when the digital signature was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the digital signature was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Developer UID\n\nThe developer ID on the certificate that signed the file.\n\noptional"]
    #[serde(rename = "developer_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub developer_uid: Option<String>,
    #[doc = "Message Digest\n\nThe message digest attribute contains the fixed length message hash representation and the corresponding hashing algorithm information.\n\noptional"]
    #[serde(rename = "digest")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub digest: Option<Box<Fingerprint>>,
    #[doc = "State\n\nThe digital signature state defines the signature state, normalized to the caption of 'state_id'. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "State ID\n\nThe normalized identifier of the signature state.\n\noptional"]
    #[serde(rename = "state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state_id: Option<i64>,
}
#[doc = "Discovery Details\n\nThe Discovery Details object describes results of a discovery task/job.\n\n[] Category:  | Name: discovery_details"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DiscoveryDetails {
    #[doc = "Count\n\nThe number of discovered entities of the specified type.\n\nrecommended"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Occurrence Details\n\nDetails about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populated.\n\noptional"]
    #[serde(rename = "occurrence_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub occurrence_details: Option<Box<OccurrenceDetails>>,
    #[doc = "Occurrences\n\nDetails about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populated.\n\noptional"]
    #[serde(rename = "occurrences")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub occurrences: Option<Vec<OccurrenceDetails>>,
    #[doc = "Type\n\nThe specific type of information that was discovered. e.g.<code> name, phone_number, etc.</code>\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Value\n\nOptionally, the specific value of discovered information.\n\noptional"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "Display\n\nThe Display object contains information about the physical or virtual display connected to a computer system.\n\n[] Category:  | Name: display"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Display {
    #[doc = "Color Depth\n\nThe numeric color depth.\n\noptional"]
    #[serde(rename = "color_depth")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub color_depth: Option<i64>,
    #[doc = "Physical Height\n\nThe numeric physical height of display.\n\noptional"]
    #[serde(rename = "physical_height")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub physical_height: Option<i64>,
    #[doc = "Physical Orientation\n\nThe numeric physical orientation of display.\n\noptional"]
    #[serde(rename = "physical_orientation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub physical_orientation: Option<i64>,
    #[doc = "Physical Width\n\nThe numeric physical width of display.\n\noptional"]
    #[serde(rename = "physical_width")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub physical_width: Option<i64>,
    #[doc = "Scale Factor\n\nThe numeric scale factor of display.\n\noptional"]
    #[serde(rename = "scale_factor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scale_factor: Option<i64>,
}
#[doc = "DNS Answer\n\nThe DNS Answer object represents a specific response provided by the Domain Name System (DNS) when querying for information about a domain or performing a DNS operation. It encapsulates the relevant details and data returned by the DNS server in response to a query.\n\n[] Category:  | Name: dns_answer"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DnsAnswer {
    #[doc = "Resource Record Class\n\nThe class of DNS data contained in this resource record. See <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc1035.txt'>RFC1035</a>. For example: <code>IN</code>.\n\nrecommended"]
    #[serde(rename = "class")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class: Option<String>,
    #[doc = "DNS Header Flags\n\nThe list of DNS answer header flag IDs.\n\nrecommended"]
    #[serde(rename = "flag_ids")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub flag_ids: Option<Vec<i64>>,
    #[doc = "DNS Header Flags\n\nThe list of DNS answer header flags.\n\noptional"]
    #[serde(rename = "flags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub flags: Option<Vec<String>>,
    #[doc = "Packet UID\n\nThe DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.\n\nrecommended"]
    #[serde(rename = "packet_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub packet_uid: Option<i64>,
    #[doc = "DNS RData\n\nThe data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.\n\nrequired"]
    #[serde(rename = "rdata")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rdata: Option<String>,
    #[doc = "TTL\n\nThe time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.\n\nrecommended"]
    #[serde(rename = "ttl")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ttl: Option<i64>,
    #[doc = "Resource Record Type\n\nThe type of data contained in this resource record. See <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc1035.txt'>RFC1035</a>. For example: <code>CNAME</code>.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
}
#[doc = "DNS Query\n\nThe DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX).\n\n[] Category:  | Name: dns_query"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DnsQuery {
    #[doc = "Resource Record Class\n\nThe class of resource records being queried. See <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc1035.txt'>RFC1035</a>. For example: <code>IN</code>.\n\nrecommended"]
    #[serde(rename = "class")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class: Option<String>,
    #[doc = "Hostname\n\nThe hostname or domain being queried. For example: <code>www.example.com</code>\n\nrequired"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "DNS Opcode\n\nThe DNS opcode specifies the type of the query message.\n\noptional"]
    #[serde(rename = "opcode")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub opcode: Option<String>,
    #[doc = "DNS Opcode ID\n\nThe DNS opcode ID specifies the normalized query message type as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc5395.html'>RFC-5395</a>.\n\nrecommended"]
    #[serde(rename = "opcode_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub opcode_id: Option<i64>,
    #[doc = "Packet UID\n\nThe DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.\n\nrecommended"]
    #[serde(rename = "packet_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub packet_uid: Option<i64>,
    #[doc = "Resource Record Type\n\nThe type of resource records being queried. See <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc1035.txt'>RFC1035</a>. For example: A, AAAA, CNAME, MX, and NS.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
}
#[doc = "Domain Contact\n\nThe contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.\n\n[] Category:  | Name: domain_contact"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct DomainContact {
    #[doc = "Contact Email\n\nThe user's primary email address.\n\nrecommended"]
    #[serde(rename = "email_addr")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_addr: Option<String>,
    #[doc = "Contact Location Information\n\nLocation details for the contract such as the city, state/province, country, etc.\n\nrecommended"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "Name\n\nThe individual or organization name for the contact.\n\noptional"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Phone Number\n\nThe number associated with the phone.\n\noptional"]
    #[serde(rename = "phone_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub phone_number: Option<String>,
    #[doc = "Domain Contact Type\n\nThe Domain Contact type, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the source\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Domain Contact Type ID\n\nThe normalized domain contact type ID.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the contact information, typically provided in WHOIS information.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Edge\n\nRepresents a connection or relationship between two nodes in a graph.\n\n[] Category:  | Name: edge\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Edge {
    #[doc = "Data\n\nAdditional data about the edge such as weight, distance, or custom properties.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Directed\n\nIndicates whether the edge is (<code>true</code>) or undirected (<code>false</code>).\n\noptional"]
    #[serde(rename = "is_directed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_directed: Option<bool>,
    #[doc = "Name\n\nThe human-readable name or label for the edge.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Relation\n\nThe type of relationship between nodes (e.g. is-attached-to , depends-on, etc).\n\nrecommended"]
    #[serde(rename = "relation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub relation: Option<String>,
    #[doc = "Source\n\nThe unique identifier of the node where the edge originates.\n\nrequired"]
    #[serde(rename = "source")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub source: Option<String>,
    #[doc = "Target\n\nThe unique identifier of the node where the edge terminates.\n\nrequired"]
    #[serde(rename = "target")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub target: Option<String>,
    #[doc = "Unique ID\n\nUnique identifier of the edge.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Email\n\nThe Email object describes the email metadata such as sender, recipients, and direction, and can include embedded URLs and files.\n\n[] Category:  | Name: email\n\n**Constraints:**\n* at_least_one: `[from`,`to]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Email {
    #[doc = "Cc\n\nThe machine-readable email header Cc values, as defined by RFC 5322. For example <code>example.user@usersdomain.com</code>.\n\noptional"]
    #[serde(rename = "cc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cc: Option<Vec<String>>,
    #[doc = "Cc Mailboxes\n\nThe human-readable email header Cc Mailbox values. For example <code>'Example User &lt;example.user@usersdomain.com&gt;'</code>.\n\noptional"]
    #[serde(rename = "cc_mailboxes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cc_mailboxes: Option<Vec<String>>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Delivered To\n\nThe machine-readable <strong>Delivered-To</strong> email header field. For example <code>example.user@usersdomain.com</code>\n\noptional"]
    #[serde(rename = "delivered_to")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub delivered_to: Option<String>,
    #[doc = "Delivered To List\n\nThe machine-readable <strong>Delivered-To</strong> email header values. For example <code>example.user@usersdomain.com</code>\n\noptional"]
    #[serde(rename = "delivered_to_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub delivered_to_list: Option<Vec<String>>,
    #[doc = "Files\n\nThe files embedded or attached to the email.\n\noptional"]
    #[serde(rename = "files")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub files: Option<Vec<File>>,
    #[doc = "From\n\nThe machine-readable email header From value, as defined by RFC 5322. For example <code>example.user@usersdomain.com</code>.\n\nrecommended"]
    #[serde(rename = "from")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub from: Option<String>,
    #[doc = "From List\n\nThe machine-readable email header From values. This array should contain the value in <code>from</code>. For example <code>example.user@usersdomain.com</code>.\n\noptional"]
    #[serde(rename = "from_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub from_list: Option<Vec<String>>,
    #[doc = "From Mailbox\n\nThe human-readable email header From Mailbox value. For example <code>'Example User &lt;example.user@usersdomain.com&gt;'</code>.\n\noptional"]
    #[serde(rename = "from_mailbox")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub from_mailbox: Option<String>,
    #[doc = "From Mailboxes\n\nThe human-readable email header From Mailbox values. This array should contain the value in <code>from_mailbox</code>. For example <code>'Example User &lt;example.user@usersdomain.com&gt;'</code>.\n\noptional"]
    #[serde(rename = "from_mailboxes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub from_mailboxes: Option<Vec<String>>,
    #[doc = "HTTP Headers\n\nAdditional HTTP headers of an HTTP request or response.\n\noptional"]
    #[serde(rename = "http_headers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_headers: Option<Vec<HttpHeader>>,
    #[doc = "Read\n\nThe indication of whether the email has been read.\n\noptional"]
    #[serde(rename = "is_read")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_read: Option<bool>,
    #[doc = "Message UID\n\nThe email header Message-ID value, as defined by RFC 5322.\n\nrecommended"]
    #[serde(rename = "message_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message_uid: Option<String>,
    #[doc = "Raw Header\n\nThe email authentication header.\n\noptional"]
    #[serde(rename = "raw_header")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub raw_header: Option<String>,
    #[doc = "Reply To\n\nThe machine-readable email header Reply-To value, as defined by RFC 5322. For example <code>example.user@usersdomain.com</code>\n\nrecommended"]
    #[serde(rename = "reply_to")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reply_to: Option<String>,
    #[doc = "Reply To List\n\nThe machine-readable email header Reply-To values, as defined by RFC 5322. For example <code>example.user@usersdomain.com</code>\n\noptional"]
    #[serde(rename = "reply_to_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reply_to_list: Option<Vec<String>>,
    #[doc = "Reply To Mailboxes\n\nThe human-readable email header Reply To Mailbox values. For example <code>'Example User &lt;example.user@usersdomain.com&gt;'</code>.\n\noptional"]
    #[serde(rename = "reply_to_mailboxes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reply_to_mailboxes: Option<Vec<String>>,
    #[doc = "Return Path\n\nThe address found in the 'Return-Path' header, which indicates where bounce messages (non-delivery reports) should be sent. This address is often set by the sending system and may differ from the 'From' or 'Sender' addresses. For example, <code>mailer-daemon@senderserver.com</code>.\n\noptional"]
    #[serde(rename = "return_path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub return_path: Option<String>,
    #[doc = "Sender\n\nThe machine readable email address of the system or server that actually transmitted the email message, extracted from the email headers per RFC 5322. This differs from the <code>from</code> field, which shows the message author. The sender field is most commonly used when multiple addresses appear in the <code> from_list </code> field, or when the transmitting system is different from the message author (such as when sending on behalf of someone else).\n\noptional"]
    #[serde(rename = "sender")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sender: Option<String>,
    #[doc = "Sender Mailbox\n\nThe human readable email address of the system or server that actually transmitted the email message, extracted from the email headers per RFC 5322. This differs from the <code>from_mailbox</code> field, which shows the message author. The sender mailbox field is most commonly used when multiple addresses appear in the <code> from_mailboxes </code> field, or when the transmitting system is different from the message author (such as when sending on behalf of someone else).\n\noptional"]
    #[serde(rename = "sender_mailbox")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sender_mailbox: Option<String>,
    #[doc = "Size\n\nThe size in bytes of the email, including attachments.\n\nrecommended"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "SMTP From\n\nThe value of the SMTP MAIL FROM command.\n\nrecommended"]
    #[serde(rename = "smtp_from")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub smtp_from: Option<String>,
    #[doc = "SMTP To\n\nThe value of the SMTP envelope RCPT TO command.\n\nrecommended"]
    #[serde(rename = "smtp_to")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub smtp_to: Option<Vec<String>>,
    #[doc = "Subject\n\nThe email header Subject value, as defined by RFC 5322.\n\nrecommended"]
    #[serde(rename = "subject")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subject: Option<String>,
    #[doc = "To\n\nThe machine-readable email header To values, as defined by RFC 5322. For example <code>example.user@usersdomain.com</code>\n\nrecommended"]
    #[serde(rename = "to")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub to: Option<Vec<String>>,
    #[doc = "To Mailboxes\n\nThe human-readable email header To Mailbox values. For example <code>'Example User &lt;example.user@usersdomain.com&gt;'</code>.\n\noptional"]
    #[serde(rename = "to_mailboxes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub to_mailboxes: Option<Vec<String>>,
    #[doc = "Email Thread UID\n\nThe unique identifier of the email thread.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "URLs\n\nThe URLs embedded in the email.\n\noptional"]
    #[serde(rename = "urls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub urls: Option<Vec<Url>>,
    #[doc = "X-Originating-IP\n\nThe X-Originating-IP header identifying the emails originating IP address(es).\n\noptional"]
    #[serde(rename = "x_originating_ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub x_originating_ip: Option<Vec<String>>,
}
#[doc = "Email Authentication\n\nThe Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.\n\n[] Category:  | Name: email_auth"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EmailAuth {
    #[doc = "DKIM Status\n\nThe DomainKeys Identified Mail (DKIM) status of the email.\n\nrecommended"]
    #[serde(rename = "dkim")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dkim: Option<String>,
    #[doc = "DKIM Domain\n\nThe DomainKeys Identified Mail (DKIM) signing domain of the email.\n\nrecommended"]
    #[serde(rename = "dkim_domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dkim_domain: Option<String>,
    #[doc = "DKIM Signature\n\nThe DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.\n\nrecommended"]
    #[serde(rename = "dkim_signature")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dkim_signature: Option<String>,
    #[doc = "DMARC Status\n\nThe Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email.\n\nrecommended"]
    #[serde(rename = "dmarc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dmarc: Option<String>,
    #[doc = "DMARC Override\n\nThe Domain-based Message Authentication, Reporting and Conformance (DMARC) override action.\n\nrecommended"]
    #[serde(rename = "dmarc_override")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dmarc_override: Option<String>,
    #[doc = "DMARC Policy\n\nThe Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.\n\nrecommended"]
    #[serde(rename = "dmarc_policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dmarc_policy: Option<String>,
    #[doc = "SPF Status\n\nThe Sender Policy Framework (SPF) status of the email.\n\nrecommended"]
    #[serde(rename = "spf")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub spf: Option<String>,
}
#[doc = "Encryption Details\n\nDetails about the encryption methodology utilized.\n\n[] Category:  | Name: encryption_details"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EncryptionDetails {
    #[doc = "Encryption Algorithm\n\nThe encryption algorithm used, normalized to the caption of 'algorithm_id\n\noptional"]
    #[serde(rename = "algorithm")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm: Option<String>,
    #[doc = "Encryption Algorithm ID\n\nThe encryption algorithm used.\n\nrecommended"]
    #[serde(rename = "algorithm_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm_id: Option<i64>,
    #[doc = "Encryption Key Length\n\nThe length of the encryption key used.\n\noptional"]
    #[serde(rename = "key_length")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub key_length: Option<i64>,
    #[doc = "Key UID\n\nThe unique identifier of the key used for encryption. For example, AWS KMS Key ARN.\n\noptional"]
    #[serde(rename = "key_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub key_uid: Option<String>,
    #[doc = "Encryption Type\n\nThe type of the encryption used.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
}
#[doc = "Endpoint\n\nThe Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints.\n\n[] Category:  | Name: endpoint\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Endpoint {
    #[doc = "Agent List\n\nA list of <code>agent</code> objects associated with a device, endpoint, or resource.\n\noptional"]
    #[serde(rename = "agent_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub agent_list: Option<Vec<Agent>>,
    #[doc = "Container\n\nThe information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.\n\nrecommended"]
    #[serde(rename = "container")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub container: Option<Box<Container>>,
    #[doc = "Domain\n\nThe name of the domain that the endpoint belongs to or that corresponds to the endpoint.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Hostname\n\nThe fully qualified name of the endpoint.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "Hardware Info\n\nThe endpoint hardware information.\n\noptional"]
    #[serde(rename = "hw_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hw_info: Option<Box<DeviceHwInfo>>,
    #[doc = "Instance ID\n\nThe unique identifier of a VM instance.\n\nrecommended"]
    #[serde(rename = "instance_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub instance_uid: Option<String>,
    #[doc = "Network Interface Name\n\nThe name of the network interface (e.g. eth2).\n\nrecommended"]
    #[serde(rename = "interface_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interface_name: Option<String>,
    #[doc = "Network Interface ID\n\nThe unique identifier of the network interface.\n\nrecommended"]
    #[serde(rename = "interface_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interface_uid: Option<String>,
    #[doc = "IP Address\n\nThe IP address of the endpoint, in either IPv4 or IPv6 format.\n\nrecommended"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "Geo Location\n\nThe geographical location of the endpoint.\n\noptional"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "MAC Address\n\nThe Media Access Control (MAC) address of the endpoint.\n\noptional"]
    #[serde(rename = "mac")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mac: Option<String>,
    #[doc = "Name\n\nThe short name of the endpoint.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Namespace PID\n\nIf running under a process namespace (such as in a container), the process identifier within that process namespace.\n\nrecommended"]
    #[serde(rename = "namespace_pid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub namespace_pid: Option<i64>,
    #[doc = "OS\n\nThe endpoint operating system.\n\noptional"]
    #[serde(rename = "os")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub os: Option<Box<Os>>,
    #[doc = "Owner\n\nThe identity of the service or user account that owns the endpoint or was last logged into it.\n\nrecommended"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Subnet UID\n\nThe unique identifier of a virtual subnet.\n\noptional"]
    #[serde(rename = "subnet_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subnet_uid: Option<String>,
    #[doc = "Type\n\nThe endpoint type. For example: <code>unknown</code>, <code>server</code>, <code>desktop</code>, <code>laptop</code>, <code>tablet</code>, <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or <code>other</code>.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe endpoint type ID.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the endpoint.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "VLAN\n\nThe Virtual LAN identifier.\n\noptional"]
    #[serde(rename = "vlan_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vlan_uid: Option<String>,
    #[doc = "VPC UID\n\nThe unique identifier of the Virtual Private Cloud (VPC).\n\noptional"]
    #[serde(rename = "vpc_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vpc_uid: Option<String>,
    #[doc = "Network Zone\n\nThe network zone or LAN segment.\n\noptional"]
    #[serde(rename = "zone")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub zone: Option<String>,
}
#[doc = "Endpoint Connection\n\nThe Endpoint Connection object contains information detailing a connection attempt to an endpoint.\n\n[] Category:  | Name: endpoint_connection\n\n**Constraints:**\n* at_least_one: `[network_endpoint`,`code]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EndpointConnection {
    #[doc = "Response Code\n\nA numerical response status code providing details about the connection.\n\nrecommended"]
    #[serde(rename = "code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub code: Option<i64>,
    #[doc = "Network Endpoint\n\nProvides characteristics of the network endpoint.\n\nrecommended"]
    #[serde(rename = "network_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_endpoint: Option<Box<NetworkEndpoint>>,
}
#[doc = "Enrichment\n\nThe Enrichment object provides inline enrichment data for specific attributes of interest within an event. It serves as a mechanism to enhance or supplement the information associated with the event by adding additional relevant details or context.\n\n[] Category:  | Name: enrichment"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Enrichment {
    #[doc = "Created Time\n\nThe time when the enrichment data was generated.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the enrichment data was generated.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Data\n\nThe enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.\n\nrequired"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Description\n\nA long description of the enrichment data.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Name\n\nThe name of the attribute to which the enriched data pertains.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Provider\n\nThe enrichment data provider name.\n\nrecommended"]
    #[serde(rename = "provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub provider: Option<String>,
    #[doc = "Reputation Scores\n\nThe reputation of the enrichment data.\n\noptional"]
    #[serde(rename = "reputation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reputation: Option<Box<Reputation>>,
    #[doc = "Short Description\n\nA short description of the enrichment data.\n\nrecommended"]
    #[serde(rename = "short_desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub short_desc: Option<String>,
    #[doc = "Source URL\n\nThe URL of the source of the enrichment data.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Type\n\nThe enrichment type. For example: <code>location</code>.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Value\n\nThe value of the attribute to which the enriched data pertains.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "Environment Variable\n\nAn environment variable.\n\n[] Category:  | Name: environment_variable"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct EnvironmentVariable {
    #[doc = "Name\n\nThe name of the environment variable.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Value\n\nThe value of the environment variable.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "EPSS\n\nThe Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. EPSS is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. (<a target='_blank' href='https://www.first.org/epss/'>EPSS</a>).\n\n[] Category:  | Name: epss"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Epss {
    #[doc = "Created Time\n\nThe timestamp indicating when the EPSS score was calculated.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe timestamp indicating when the EPSS score was calculated.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "EPSS Percentile\n\nThe EPSS score's percentile representing relative importance and ranking of the score in the larger EPSS dataset.\n\noptional"]
    #[serde(rename = "percentile")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub percentile: Option<f64>,
    #[doc = "EPPS Score\n\nThe EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication).\n\nrequired"]
    #[serde(rename = "score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub score: Option<String>,
    #[doc = "Version\n\nThe version of the EPSS model used to calculate the score.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Windows Evidence Artifacts\n\nExtends the evidences object to add Windows specific fields\n\n[] Category:  | Name: evidences\n\n**Constraints:**\n* at_least_one: `[actor`,`api`,`connection_info`,`data`,`database`,`databucket`,`device`,`dst_endpoint`,`email`,`file`,`process`,`query`,`src_endpoint`,`url`,`user`,`job`,`script`,`reg_key`,`reg_value`,`win_service]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Evidences {
    #[doc = "Actor\n\nDescribes details about the user/role/process that was the source of the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub actor: Option<Box<Actor>>,
    #[doc = "API Details\n\nDescribes details about the API call associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "api")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub api: Option<Box<Api>>,
    #[doc = "Connection Info\n\nDescribes details about the network connection associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "Container\n\nDescribes details about the container associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "container")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub container: Option<Box<Container>>,
    #[doc = "Data\n\nAdditional evidence data that is not accounted for in the specific evidence attributes.<code> Use only when absolutely necessary.</code>\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Database\n\nDescribes details about the database associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "database")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub database: Option<Box<Database>>,
    #[doc = "Databucket\n\nDescribes details about the databucket associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "databucket")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub databucket: Option<Box<Databucket>>,
    #[doc = "Device\n\nAn addressable device, computer system or host associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Destination Endpoint\n\nDescribes details about the destination of the network activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Email\n\nThe email object associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "email")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email: Option<Box<Email>>,
    #[doc = "File\n\nDescribes details about the file associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "HTTP Request\n\nDescribes details about the http request associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "http_request")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_request: Option<Box<HttpRequest>>,
    #[doc = "HTTP Response\n\nDescribes details about the http response associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "http_response")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_response: Option<Box<HttpResponse>>,
    #[doc = "JA4+ Fingerprints\n\nDescribes details about the JA4+ fingerprints that triggered the detection.\n\nrecommended"]
    #[serde(rename = "ja4_fingerprint_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja4_fingerprint_list: Option<Vec<Ja4Fingerprint>>,
    #[doc = "Job\n\nDescribes details about the scheduled job that was associated with the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "job")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub job: Option<Box<Job>>,
    #[doc = "Name\n\nThe naming convention or type identifier of the evidence associated with the security detection. For example, the <code>@odata.type</code> from Microsoft Graph Alerts V2 or <code>display_name</code> from CrowdStrike Falcon Incident Behaviors.\n\noptional"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Process\n\nDescribes details about the process associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "DNS Query\n\nDescribes details about the DNS query associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "query")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query: Option<Box<DnsQuery>>,
    #[doc = "Registry Key\n\nDescribes details about the registry key that triggered the detection.\n\nrecommended"]
    #[serde(rename = "reg_key")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_key: Option<Box<WinRegKey>>,
    #[doc = "Registry Value\n\nDescribes details about the registry value that triggered the detection.\n\nrecommended"]
    #[serde(rename = "reg_value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_value: Option<Box<WinRegValue>>,
    #[doc = "Cloud Resources\n\nDescribes details about the cloud resources directly related to activity that triggered the detection. For resources impacted by the detection, use <code>Affected Resources</code> at the top-level of the finding.\n\nrecommended"]
    #[serde(rename = "resources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resources: Option<Vec<ResourceDetails>>,
    #[doc = "Script\n\nDescribes details about the script that was associated with the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "script")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub script: Option<Box<Script>>,
    #[doc = "Source Endpoint\n\nDescribes details about the source of the network activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "src_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "TLS\n\nDescribes details about the Transport Layer Security (TLS) activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "tls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls: Option<Box<Tls>>,
    #[doc = "Unique ID\n\nThe unique identifier of the evidence associated with the security detection. For example, the <code>activity_id</code> from CrowdStrike Falcon Alerts or <code>behavior_id</code> from CrowdStrike Falcon Incident Behaviors.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "URL\n\nThe URL object that pertains to the event or object associated to the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url: Option<Box<Url>>,
    #[doc = "User\n\nDescribes details about the user that was the target or somehow else associated with the activity that triggered the detection.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
    #[doc = "Verdict\n\nThe normalized verdict of the evidence associated with the security detection. \n\noptional"]
    #[serde(rename = "verdict")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict: Option<String>,
    #[doc = "Verdict ID\n\nThe normalized verdict (or status) ID of the evidence associated with the security detection. For example, Microsoft Graph Security Alerts contain a <code>verdict</code> enumeration for each type of <code>evidence</code> associated with the Alert. This is typically set by an automated investigation process or an analyst/investigator assigned to the finding.\n\noptional"]
    #[serde(rename = "verdict_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub verdict_id: Option<i64>,
    #[doc = "Windows Service\n\nDescribes details about the Windows service that triggered the detection.\n\nrecommended"]
    #[serde(rename = "win_service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub win_service: Option<Box<WinWinService>>,
}
#[doc = "Schema Extension\n\nThe OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the <a target='_blank' href='https://github.com/ocsf/ocsf-schema/blob/main/extensions.md'>extensions.md</a> file.\n\n[] Category:  | Name: extension\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Extension {
    #[doc = "Name\n\nThe schema extension name. For example: <code>dev</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Unique ID\n\nThe schema extension unique identifier. For example: <code>999</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe schema extension version. For example: <code>1.0.0-alpha.2</code>.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Feature\n\nThe Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.\n\n[] Category:  | Name: feature\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Feature {
    #[doc = "Name\n\nThe name of the feature.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the feature.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe version of the feature.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "File\n\nThe File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.\n\n[] Category:  | Name: file\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct File {
    #[doc = "Accessed Time\n\nThe time when the file was last accessed.\n\noptional"]
    #[serde(rename = "accessed_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub accessed_time: Option<i64>,
    #[doc = "Accessed Time\n\nThe time when the file was last accessed.\n\noptional"]
    #[serde(rename = "accessed_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub accessed_time_dt: Option<String>,
    #[doc = "Accessor\n\nThe name of the user who last accessed the object.\n\noptional"]
    #[serde(rename = "accessor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub accessor: Option<Box<User>>,
    #[doc = "Attributes\n\nThe bitmask value that represents the file attributes.\n\noptional"]
    #[serde(rename = "attributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attributes: Option<i64>,
    #[doc = "Company Name\n\nThe name of the company that published the file. For example: <code>Microsoft Corporation</code>.\n\noptional"]
    #[serde(rename = "company_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub company_name: Option<String>,
    #[doc = "Confidentiality\n\nThe file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "confidentiality")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidentiality: Option<String>,
    #[doc = "Confidentiality ID\n\nThe normalized identifier of the file content confidentiality indicator.\n\noptional"]
    #[serde(rename = "confidentiality_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidentiality_id: Option<i64>,
    #[doc = "Created Time\n\nThe time when the file was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the file was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Creator\n\nThe user that created the file.\n\noptional"]
    #[serde(rename = "creator")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub creator: Option<Box<User>>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Description\n\nThe description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Drive Type\n\nThe drive type, normalized to the caption of the <code>drive_type_id</code> value. In the case of <code>Other</code>, it is defined by the source.\n\noptional"]
    #[serde(rename = "drive_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub drive_type: Option<String>,
    #[doc = "Drive Type ID\n\nIdentifies the type of a disk drive, i.e. fixed, removable, etc.\n\noptional"]
    #[serde(rename = "drive_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub drive_type_id: Option<i64>,
    #[doc = "Encryption Details\n\nThe encryption details of the file. Should be populated if the file is encrypted.\n\noptional"]
    #[serde(rename = "encryption_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub encryption_details: Option<Box<EncryptionDetails>>,
    #[doc = "File Extension\n\nThe extension of the file, excluding the leading dot. For example: <code>exe</code> from <code>svchost.exe</code>, or <code>gz</code> from <code>export.tar.gz</code>.\n\nrecommended"]
    #[serde(rename = "ext")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ext: Option<String>,
    #[doc = "Hashes\n\nAn array of hash attributes.\n\nrecommended"]
    #[serde(rename = "hashes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hashes: Option<Vec<Fingerprint>>,
    #[doc = "Internal Name\n\nThe name of the file as identified within the file itself. This contrasts with the name by which the file is known on disk. Where available, the internal name is widely used by security practitioners and detection content because the on-disk file name is not reliable. On the Windows OS, most PE files contain a <a href=\"https://learn.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource\">VERSIONINFO</a> resource from which the internal name can be obtained. On macOS, binaries can optionally embed a copy of the application's Info.plist file which in turn contains the name of the executable.\n\noptional"]
    #[serde(rename = "internal_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub internal_name: Option<String>,
    #[doc = "Deleted\n\nIndicates if the file was deleted from the filesystem.\n\noptional"]
    #[serde(rename = "is_deleted")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_deleted: Option<bool>,
    #[doc = "Encrypted\n\nIndicates if the file is encrypted.\n\noptional"]
    #[serde(rename = "is_encrypted")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_encrypted: Option<bool>,
    #[doc = "Public\n\nIndicates if the file is publicly accessible. For example in an object's public access in AWS S3\n\noptional"]
    #[serde(rename = "is_public")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_public: Option<bool>,
    #[doc = "Read-Only\n\nIndicates that the file cannot be modified.\n\noptional"]
    #[serde(rename = "is_readonly")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_readonly: Option<bool>,
    #[doc = "System\n\nThe indication of whether the object is part of the operating system.\n\noptional"]
    #[serde(rename = "is_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_system: Option<bool>,
    #[doc = "MIME type\n\nThe Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable.\n\noptional"]
    #[serde(rename = "mime_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mime_type: Option<String>,
    #[doc = "Modified Time\n\nThe time when the file was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the file was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Modifier\n\nThe user that last modified the file.\n\noptional"]
    #[serde(rename = "modifier")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modifier: Option<Box<User>>,
    #[doc = "Name\n\nThe name of the file. For example: <code>svchost.exe</code>\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Owner\n\nThe user that owns the file/object.\n\noptional"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Parent Folder\n\nThe parent folder in which the file resides. For example: <code>c:\\windows\\system32</code>\n\noptional"]
    #[serde(rename = "parent_folder")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub parent_folder: Option<String>,
    #[doc = "Path\n\nThe full path to the file. For example: <code>c:\\windows\\system32\\svchost.exe</code>.\n\nrecommended"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Product\n\nThe product that created or installed the file.\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Security Descriptor\n\nThe object security descriptor.\n\noptional"]
    #[serde(rename = "security_descriptor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub security_descriptor: Option<String>,
    #[doc = "Digital Signature\n\nThe digital signature of the file.\n\noptional"]
    #[serde(rename = "signature")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub signature: Option<Box<DigitalSignature>>,
    #[doc = "Digital Signatures\n\nA collection of <code>Digital Signature</code> objects.\n\noptional"]
    #[serde(rename = "signatures")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub signatures: Option<Vec<DigitalSignature>>,
    #[doc = "Size\n\nThe size of data, in bytes.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Storage Class\n\nThe storage class of the file. For example in AWS S3: <code>STANDARD, STANDARD_IA, GLACIER</code>.\n\noptional"]
    #[serde(rename = "storage_class")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub storage_class: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the file.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Type\n\nThe file type.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe file type ID. Note the distinction between a <code>Regular File</code> and an <code>Executable File</code>. If the distinction is not known, or not indicated by the log, use <code>Regular File</code>. In this case, it should not be assumed that a Regular File is not executable.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the file as defined by the storage system, such the file system file ID.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "File URI\n\nThe file URI, such as those reporting by static analysis tools. E.g., <code>file:///C:/dev/sarif/sarif-tutorials/samples/Introduction/simple-example.js</code>\n\noptional"]
    #[serde(rename = "uri")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uri: Option<String>,
    #[doc = "URL\n\nThe URL of the file, when applicable.\n\noptional"]
    #[serde(rename = "url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url: Option<Box<Url>>,
    #[doc = "Version\n\nThe file version. For example: <code>8.0.7601.17514</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
    #[doc = "Volume\n\nThe volume on the storage device where the file is located.\n\noptional"]
    #[serde(rename = "volume")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub volume: Option<String>,
    #[doc = "Extended Attributes\n\nAn unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute.</p>For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: </p><ul><li><strong>ads_name</strong></li><li><strong>ads_size</strong></li><li><strong>dacl</strong></li><li><strong>owner</strong></li><li><strong>primary_group</strong></li><li><strong>link_name</strong> - name of the link associated to the file.</li><li><strong>hard_link_count</strong> - the number of links that are associated to the file.</li></ul>\n\noptional"]
    #[serde(rename = "xattributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub xattributes: Option<serde_json::Value>,
}
#[doc = "Finding\n\nThe Finding object describes metadata related to a security finding generated by a security tool or system.\n\n[] Category:  | Name: finding"]
#[deprecated(note = "Use the new <code>finding_info</code> object. (Since 1.0.0)")]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Finding {
    #[doc = "Created Time\n\nThe time when the finding was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the finding was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Description\n\nThe description of the reported finding.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "First Seen\n\nThe time when the finding was first observed.\n\noptional"]
    #[serde(rename = "first_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time: Option<i64>,
    #[doc = "First Seen\n\nThe time when the finding was first observed.\n\noptional"]
    #[serde(rename = "first_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time_dt: Option<String>,
    #[doc = "Last Seen\n\nThe time when the finding was most recently observed.\n\noptional"]
    #[serde(rename = "last_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time: Option<i64>,
    #[doc = "Last Seen\n\nThe time when the finding was most recently observed.\n\noptional"]
    #[serde(rename = "last_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time_dt: Option<String>,
    #[doc = "Modified Time\n\nThe time when the finding was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the finding was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Product\n\nDetails about the product that reported the finding.\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Product Identifier\n\nThe unique identifier of the product that reported the finding.\n\noptional"]
    #[serde(rename = "product_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product_uid: Option<String>,
    #[doc = "Related Events/Findings\n\nDescribes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.\n\noptional"]
    #[serde(rename = "related_events")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_events: Option<Vec<RelatedEvent>>,
    #[doc = "Remediation Guidance\n\nDescribes the recommended remediation steps to address identified issue(s).\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Source URL\n\nThe URL pointing to the source of the finding.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Supporting Data\n\nAdditional data supporting a finding as provided by security tool\n\noptional"]
    #[serde(rename = "supporting_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub supporting_data: Option<serde_json::Value>,
    #[doc = "Title\n\nA title or a brief phrase summarizing the reported finding.\n\nrequired"]
    #[serde(rename = "title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub title: Option<String>,
    #[doc = "Types\n\nOne or more types of the reported finding.\n\noptional"]
    #[serde(rename = "types")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub types: Option<Vec<String>>,
    #[doc = "Unique ID\n\nThe unique identifier of the reported finding.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Finding Information\n\nThe Finding Information object describes metadata related to a security finding generated by a security tool or system.\n\n[] Category:  | Name: finding_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FindingInfo {
    #[doc = "Analytic\n\nThe analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.\n\nrecommended"]
    #[serde(rename = "analytic")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub analytic: Option<Box<Analytic>>,
    #[doc = "Attack Graph\n\nAn Attack Graph describes possible routes an attacker could take through an environment. It describes relationships between resources and their findings, such as malware detections, vulnerabilities, misconfigurations, and other security actions.\n\noptional"]
    #[serde(rename = "attack_graph")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attack_graph: Option<Box<Graph>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nThe <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> technique and associated tactics related to the finding.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Created Time\n\nThe time when the finding was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the finding was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Data Sources\n\nA list of data sources utilized in generation of the finding.\n\noptional"]
    #[serde(rename = "data_sources")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_sources: Option<Vec<String>>,
    #[doc = "Description\n\nThe description of the reported finding.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "First Seen\n\nThe time when the finding was first observed. e.g. The time when a vulnerability was first observed. <p>It can differ from the <code>created_time</code> timestamp, which reflects the time this finding was created.</p>\n\noptional"]
    #[serde(rename = "first_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time: Option<i64>,
    #[doc = "First Seen\n\nThe time when the finding was first observed. e.g. The time when a vulnerability was first observed. <p>It can differ from the <code>created_time</code> timestamp, which reflects the time this finding was created.</p>\n\noptional"]
    #[serde(rename = "first_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time_dt: Option<String>,
    #[doc = "Kill Chain\n\nThe <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a> provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.\n\noptional"]
    #[serde(rename = "kill_chain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kill_chain: Option<Vec<KillChainPhase>>,
    #[doc = "Last Seen\n\nThe time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. <p>It can differ from the <code>modified_time</code> timestamp, which reflects the time this finding was last modified.</p>\n\noptional"]
    #[serde(rename = "last_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time: Option<i64>,
    #[doc = "Last Seen\n\nThe time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. <p>It can differ from the <code>modified_time</code> timestamp, which reflects the time this finding was last modified.</p>\n\noptional"]
    #[serde(rename = "last_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time_dt: Option<String>,
    #[doc = "Modified Time\n\nThe time when the finding was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the finding was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Product\n\nDetails about the product that reported the finding.\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Product Identifier\n\nThe unique identifier of the product that reported the finding.\n\noptional"]
    #[serde(rename = "product_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product_uid: Option<String>,
    #[doc = "Related Analytics\n\nOther analytics related to this finding.\n\noptional"]
    #[serde(rename = "related_analytics")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_analytics: Option<Vec<Analytic>>,
    #[doc = "Related Events/Findings\n\nDescribes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.\n\noptional"]
    #[serde(rename = "related_events")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_events: Option<Vec<RelatedEvent>>,
    #[doc = "Related Events/Findings Count\n\nNumber of related events or findings.\n\noptional"]
    #[serde(rename = "related_events_count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_events_count: Option<i64>,
    #[doc = "Source URL\n\nThe URL pointing to the source of the finding.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated with the finding.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Title\n\nA title or a brief phrase summarizing the reported finding.\n\nrecommended"]
    #[serde(rename = "title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub title: Option<String>,
    #[doc = "Traits\n\nThe list of key traits or characteristics extracted from the finding.\n\noptional"]
    #[serde(rename = "traits")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traits: Option<Vec<Trait>>,
    #[doc = "Types\n\nOne or more types of the reported finding.\n\noptional"]
    #[serde(rename = "types")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub types: Option<Vec<String>>,
    #[doc = "Unique ID\n\nThe unique identifier of the reported finding.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nThe alternative unique identifier of the reported finding.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
}
#[doc = "Fingerprint\n\nThe Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data.\n\n[] Category:  | Name: fingerprint"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Fingerprint {
    #[doc = "Algorithm\n\nThe hash algorithm used to create the digital fingerprint, normalized to the caption of <code>algorithm_id</code>. In the case of <code>Other</code>, it is defined by the event source.\n\noptional"]
    #[serde(rename = "algorithm")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm: Option<String>,
    #[doc = "Algorithm ID\n\nThe identifier of the normalized hash algorithm, which was used to create the digital fingerprint.\n\nrequired"]
    #[serde(rename = "algorithm_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm_id: Option<i64>,
    #[doc = "Value\n\nThe digital fingerprint value.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "Firewall Rule\n\nThe Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.\n\n[] Category:  | Name: firewall_rule\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FirewallRule {
    #[doc = "Category\n\nThe rule category.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Condition\n\nThe rule trigger condition for the rule. For example: SQL_INJECTION.\n\noptional"]
    #[serde(rename = "condition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub condition: Option<String>,
    #[doc = "Description\n\nThe description of the rule that generated the event.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Duration Milliseconds\n\nThe rule response time duration, usually used for challenge completion time.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "Match Details\n\nThe data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'.\n\noptional"]
    #[serde(rename = "match_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub match_details: Option<Vec<String>>,
    #[doc = "Match Location\n\nThe location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.\n\noptional"]
    #[serde(rename = "match_location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub match_location: Option<String>,
    #[doc = "Name\n\nThe name of the rule that generated the event.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Rate Limit\n\nThe rate limit for a rate-based rule.\n\noptional"]
    #[serde(rename = "rate_limit")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rate_limit: Option<i64>,
    #[doc = "Sensitivity\n\nThe sensitivity of the firewall rule in the matched event. For example: HIGH.\n\noptional"]
    #[serde(rename = "sensitivity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sensitivity: Option<String>,
    #[doc = "Type\n\nThe rule type.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the rule that generated the event.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe rule version. For example: <code>1.1</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Function Invocation\n\nThe Function Invocation object provides details regarding the invocation of a function.\n\n[] Category:  | Name: function_invocation\n\n**Constraints:**\n* at_least_one: `[parameters`,`return_value`,`error]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct FunctionInvocation {
    #[doc = "Error Code\n\nThe error indication returned from the function. This may differ from the return value (e.g. when <code>errno</code> is used).\n\noptional"]
    #[serde(rename = "error")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error: Option<String>,
    #[doc = "Parameters\n\nThe parameters passed into a function invocation.\n\noptional"]
    #[serde(rename = "parameters")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub parameters: Option<Vec<Parameter>>,
    #[doc = "Return Value\n\nThe value returned from a function.\n\noptional"]
    #[serde(rename = "return_value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub return_value: Option<String>,
}
#[doc = "Graph\n\nA graph data structure representation with nodes and edges.\n\n[] Category:  | Name: graph\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Graph {
    #[doc = "Description\n\nThe graph description - provides additional details about the graph's purpose and contents.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Edges\n\nThe edges/connections between nodes in the graph - contains the collection of <code>edge</code> objects defining relationships between nodes.\n\noptional"]
    #[serde(rename = "edges")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub edges: Option<Vec<Edge>>,
    #[doc = "Directed\n\nIndicates if the graph is directed (<code>true</code>) or undirected (<code>false</code>).\n\noptional"]
    #[serde(rename = "is_directed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_directed: Option<bool>,
    #[doc = "Name\n\nThe graph name - a human readable identifier for the graph.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Nodes\n\nThe nodes/vertices of the graph - contains the collection of <code>node</code> objects that make up the graph.\n\nrequired"]
    #[serde(rename = "nodes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub nodes: Option<Vec<Node>>,
    #[doc = "Query Language\n\nThe graph query language, normalized to the caption of the <code>query_language_id</code> value.\n\noptional"]
    #[serde(rename = "query_language")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_language: Option<String>,
    #[doc = "Query Language ID\n\nThe normalized identifier of a graph query language that can be used to interact with the graph.\n\nrecommended"]
    #[serde(rename = "query_language_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_language_id: Option<i64>,
    #[doc = "Type\n\nThe graph type. Typically useful to represent the specific type of graph that is used.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nUnique identifier of the graph - a unique ID to reference this specific graph.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Group\n\nThe Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.\n\n[] Category:  | Name: group\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Group {
    #[doc = "Description\n\nThe group description.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Domain\n\nThe domain where the group is defined. For example: the LDAP or Active Directory domain.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Name\n\nThe group name.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Privileges\n\nThe group privileges.\n\noptional"]
    #[serde(rename = "privileges")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub privileges: Option<Vec<String>>,
    #[doc = "Account Type\n\nThe type of the group or account.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "HASSH\n\nThe HASSH object contains SSH network fingerprinting values for specific client/server implementations. It provides a standardized way of identifying and categorizing SSH connections based on their unique characteristics and behavior.\n\n[] Category:  | Name: hassh"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Hassh {
    #[doc = "Algorithm\n\nThe concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation.\n\nrecommended"]
    #[serde(rename = "algorithm")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub algorithm: Option<String>,
    #[doc = "Fingerprint\n\nThe hash of the key exchange, encryption, authentication and compression algorithms.\n\nrequired"]
    #[serde(rename = "fingerprint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub fingerprint: Option<Box<Fingerprint>>,
}
#[doc = "HTTP Cookie\n\nThe HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user's web browser. This data is then stored by the browser and sent back to the server with subsequent requests, allowing the server to remember and track certain information about the user's browsing session or preferences.\n\n[] Category:  | Name: http_cookie"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct HttpCookie {
    #[doc = "Domain\n\nThe domain name for the server from which the http_cookie is served.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Expiration Time\n\nThe expiration time of the HTTP cookie.\n\noptional"]
    #[serde(rename = "expiration_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time: Option<i64>,
    #[doc = "Expiration Time\n\nThe expiration time of the HTTP cookie.\n\noptional"]
    #[serde(rename = "expiration_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time_dt: Option<String>,
    #[doc = "HTTP Only\n\nA cookie attribute to make it inaccessible via JavaScript\n\noptional"]
    #[serde(rename = "http_only")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_only: Option<bool>,
    #[doc = "HTTP Only\n\nThis attribute prevents the cookie from being accessed via JavaScript.\n\noptional"]
    #[serde(rename = "is_http_only")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_http_only: Option<bool>,
    #[doc = "Secure\n\nThe cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.\n\noptional"]
    #[serde(rename = "is_secure")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_secure: Option<bool>,
    #[doc = "Name\n\nThe HTTP cookie name.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Path\n\nThe path of the HTTP cookie.\n\noptional"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "SameSite\n\nThe cookie attribute that lets servers specify whether/when cookies are sent with cross-site requests. Values are: Strict, Lax or None\n\noptional"]
    #[serde(rename = "samesite")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub samesite: Option<String>,
    #[doc = "Secure\n\nThe cookie attribute to only send cookies to the server with an encrypted request over the HTTPS protocol.\n\noptional"]
    #[serde(rename = "secure")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub secure: Option<bool>,
    #[doc = "Value\n\nThe HTTP cookie value.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "HTTP Header\n\nThe HTTP Header object represents the headers sent in an HTTP request or response. HTTP headers are key-value pairs that convey additional information about the HTTP message, including details about the content, caching, authentication, encoding, and other aspects of the communication.\n\n[] Category:  | Name: http_header"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct HttpHeader {
    #[doc = "Name\n\nThe name of the HTTP header.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Value\n\nThe value of the HTTP header.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "HTTP Request\n\nThe HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.\n\n[] Category:  | Name: http_request"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct HttpRequest {
    #[doc = "HTTP Arguments\n\nThe arguments sent along with the HTTP request.\n\noptional"]
    #[serde(rename = "args")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub args: Option<String>,
    #[doc = "Request Body Length\n\nThe actual length of the HTTP request body, in number of bytes, independent of a potentially existing Content-Length header.\n\noptional"]
    #[serde(rename = "body_length")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub body_length: Option<i64>,
    #[doc = "HTTP Headers\n\nAdditional HTTP headers of an HTTP request or response.\n\nrecommended"]
    #[serde(rename = "http_headers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_headers: Option<Vec<HttpHeader>>,
    #[doc = "HTTP Method\n\nThe <a target='_blank' href='https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods'>HTTP request method</a> indicates the desired action to be performed for a given resource.\n\nrecommended"]
    #[serde(rename = "http_method")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_method: Option<String>,
    #[doc = "Request Length\n\nThe length of the entire HTTP request, in number of bytes.\n\noptional"]
    #[serde(rename = "length")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub length: Option<i64>,
    #[doc = "HTTP Referrer\n\nThe request header that identifies the address of the previous web page, which is linked to the current web page or resource being requested.\n\noptional"]
    #[serde(rename = "referrer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub referrer: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the http request.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "URL\n\nThe URL object that pertains to the request.\n\nrecommended"]
    #[serde(rename = "url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url: Option<Box<Url>>,
    #[doc = "HTTP User-Agent\n\nThe request header that identifies the operating system and web browser.\n\nrecommended"]
    #[serde(rename = "user_agent")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user_agent: Option<String>,
    #[doc = "HTTP Version\n\nThe Hypertext Transfer Protocol (HTTP) version.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
    #[doc = "X-Forwarded-For\n\nThe X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.\n\noptional"]
    #[serde(rename = "x_forwarded_for")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub x_forwarded_for: Option<Vec<String>>,
}
#[doc = "HTTP Response\n\nThe HTTP Response object contains detailed information about the response sent from a web server to the requester. It encompasses attributes and metadata that describe the response status, headers, body content, and other relevant information.\n\n[] Category:  | Name: http_response"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct HttpResponse {
    #[doc = "Response Body Length\n\nThe actual length of the HTTP response body, in number of bytes, independent of a potentially existing Content-Length header.\n\noptional"]
    #[serde(rename = "body_length")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub body_length: Option<i64>,
    #[doc = "Response Code\n\nThe Hypertext Transfer Protocol (HTTP) status code returned from the web server to the client. For example, 200.\n\nrequired"]
    #[serde(rename = "code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub code: Option<i64>,
    #[doc = "HTTP Content Type\n\nThe request header that identifies the original <a target='_blank' href='https://www.iana.org/assignments/media-types/media-types.xhtml'>media type </a> of the resource (prior to any content encoding applied for sending).\n\noptional"]
    #[serde(rename = "content_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub content_type: Option<String>,
    #[doc = "HTTP Headers\n\nAdditional HTTP headers of an HTTP request or response.\n\nrecommended"]
    #[serde(rename = "http_headers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub http_headers: Option<Vec<HttpHeader>>,
    #[doc = "Latency\n\nThe HTTP response latency measured in milliseconds.\n\noptional"]
    #[serde(rename = "latency")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub latency: Option<i64>,
    #[doc = "Response Length\n\nThe length of the entire HTTP response, in number of bytes.\n\noptional"]
    #[serde(rename = "length")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub length: Option<i64>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\noptional"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Status\n\nThe response status. For example: A successful HTTP status of 'OK' which corresponds to a code of 200.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
}
#[doc = "Identity Activity Metrics\n\nThe Identity Activity Metrics object captures usage patterns, authentication activity, credential usage and other metrics for identities across cloud and on-premises environments. Example identities include AWS IAM Users, Roles, Azure AD Principals, GCP Service Accounts, on-premises Active Directory accounts.\n\n[] Category:  | Name: identity_activity_metrics"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct IdentityActivityMetrics {
    #[doc = "First Seen\n\nThe timestamp when this identity was first observed or created in the system. This helps establish the identity's age and lifecycle stage for risk assessment.\n\noptional"]
    #[serde(rename = "first_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time: Option<i64>,
    #[doc = "First Seen\n\nThe timestamp when this identity was first observed or created in the system. This helps establish the identity's age and lifecycle stage for risk assessment.\n\noptional"]
    #[serde(rename = "first_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time_dt: Option<String>,
    #[doc = "Last Authentication Time\n\nThe timestamp when this identity last successfully authenticated to any system or service. This differs from <code>last_seen_time</code> as it specifically tracks authentication events rather than all activities.\n\noptional"]
    #[serde(rename = "last_authentication_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_authentication_time: Option<i64>,
    #[doc = "Last Authentication Time\n\nThe timestamp when this identity last successfully authenticated to any system or service. This differs from <code>last_seen_time</code> as it specifically tracks authentication events rather than all activities.\n\noptional"]
    #[serde(rename = "last_authentication_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_authentication_time_dt: Option<String>,
    #[doc = "Last Seen\n\nThe timestamp of the most recent activity performed by this identity, including authentication, resource access, or API calls. This is the most comprehensive indicator of identity usage recency.\n\nrecommended"]
    #[serde(rename = "last_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time: Option<i64>,
    #[doc = "Last Seen\n\nThe timestamp of the most recent activity performed by this identity, including authentication, resource access, or API calls. This is the most comprehensive indicator of identity usage recency.\n\noptional"]
    #[serde(rename = "last_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time_dt: Option<String>,
    #[doc = "Password Last Used Time\n\nThe timestamp when password-based authentication was last used by this identity. This helps distinguish between password and other authentication methods (MFA, SSO, certificates) and identify password-specific usage patterns.\n\noptional"]
    #[serde(rename = "password_last_used_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub password_last_used_time: Option<i64>,
    #[doc = "Password Last Used Time\n\nThe timestamp when password-based authentication was last used by this identity. This helps distinguish between password and other authentication methods (MFA, SSO, certificates) and identify password-specific usage patterns.\n\noptional"]
    #[serde(rename = "password_last_used_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub password_last_used_time_dt: Option<String>,
    #[doc = "Programmatic Credentials\n\nDetails about the programmatic credentials associated with this identity, such as API keys, service account keys, access tokens, and client certificates used for automated access.\n\noptional"]
    #[serde(rename = "programmatic_credentials")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub programmatic_credentials: Option<Vec<ProgrammaticCredential>>,
}
#[doc = "Identity Provider\n\nThe Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications. An Identity Provider (IdP) serves as a trusted authority that verifies the identity of users and issues authentication tokens or assertions to enable secure access to applications or services.\n\n[] Category:  | Name: idp\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Idp {
    #[doc = "Authentication Factors\n\nThe Authentication Factors object describes the different types of Multi-Factor Authentication (MFA) methods and/or devices supported by the Identity Provider.\n\noptional"]
    #[serde(rename = "auth_factors")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_factors: Option<Vec<AuthFactor>>,
    #[doc = "Domain\n\nThe primary domain associated with the Identity Provider.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Certificate Fingerprint\n\nThe fingerprint of the X.509 certificate used by the Identity Provider.\n\noptional"]
    #[serde(rename = "fingerprint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub fingerprint: Option<Box<Fingerprint>>,
    #[doc = "MFA Enforced\n\nThe Identity Provider enforces Multi Factor Authentication (MFA).\n\noptional"]
    #[serde(rename = "has_mfa")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub has_mfa: Option<bool>,
    #[doc = "Issuer Details\n\nThe unique identifier (often a URL) used by the Identity Provider as its issuer.\n\noptional"]
    #[serde(rename = "issuer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub issuer: Option<String>,
    #[doc = "Name\n\nThe name of the Identity Provider.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Supported Protocol\n\nThe supported protocol of the Identity Provider. E.g., <code>SAML</code>, <code>OIDC</code>, or <code>OAuth2</code>.\n\noptional"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "SCIM\n\nThe System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc7643'>RFC-7634</a>\n\noptional"]
    #[serde(rename = "scim")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scim: Option<Box<Scim>>,
    #[doc = "SSO\n\nThe Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.\n\noptional"]
    #[serde(rename = "sso")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sso: Option<Box<Sso>>,
    #[doc = "State\n\nThe configuration state of the Identity Provider, normalized to the caption of the <code>state_id</code> value. In the case of <code>Other</code>, it is defined by the event source.\n\noptional"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "State ID\n\nThe normalized state ID of the Identity Provider to reflect its configuration or activation status.\n\noptional"]
    #[serde(rename = "state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state_id: Option<i64>,
    #[doc = "Tenant UID\n\nThe tenant ID associated with the Identity Provider.\n\noptional"]
    #[serde(rename = "tenant_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tenant_uid: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the Identity Provider.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Configuration URL\n\nThe URL for accessing the configuration or metadata of the Identity Provider.\n\noptional"]
    #[serde(rename = "url_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url_string: Option<String>,
}
#[doc = "Image\n\nThe Image object provides a description of a specific Virtual Machine (VM) or Container image.\n\n[] Category:  | Name: image\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Image {
    #[doc = "Labels\n\nThe list of labels associated to the image.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Name\n\nThe image name. For example: <code>elixir</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Path\n\nThe full path to the image file.\n\noptional"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Image Tag\n\nThe image tag. For example: <code>1.11-alpine</code>.\n\noptional"]
    #[serde(rename = "tag")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tag: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the image.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Unique ID\n\nThe unique image ID. For example: <code>77af4d6b9913</code>.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "JA4+ Fingerprint\n\nThe JA4+ fingerprint object provides detailed fingerprint information about various aspects of network traffic which is both machine and human readable.\n\n[] Category:  | Name: ja4_fingerprint"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Ja4Fingerprint {
    #[doc = "JA4 Section A\n\nThe 'a' section of the JA4 fingerprint.\n\noptional"]
    #[serde(rename = "section_a")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub section_a: Option<String>,
    #[doc = "JA4 Section B\n\nThe 'b' section of the JA4 fingerprint.\n\noptional"]
    #[serde(rename = "section_b")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub section_b: Option<String>,
    #[doc = "JA4 Section C\n\nThe 'c' section of the JA4 fingerprint.\n\noptional"]
    #[serde(rename = "section_c")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub section_c: Option<String>,
    #[doc = "JA4 Section D\n\nThe 'd' section of the JA4 fingerprint.\n\noptional"]
    #[serde(rename = "section_d")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub section_d: Option<String>,
    #[doc = "Type\n\nThe JA4+ fingerprint type as defined by <a href='https://blog.foxio.io/ja4+-network-fingerprinting target='_blank'>FoxIO</a>, normalized to the caption of 'type_id'. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe identifier of the JA4+ fingerprint type.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Value\n\nThe JA4+ fingerprint value.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "Job\n\nThe Job object provides information about a scheduled job or task, including its name, command line, and state. It encompasses attributes that describe the properties and status of the scheduled job.\n\n[] Category:  | Name: job"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Job {
    #[doc = "Command Line\n\nThe job command line.\n\nrecommended"]
    #[serde(rename = "cmd_line")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cmd_line: Option<String>,
    #[doc = "Created Time\n\nThe time when the job was created.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the job was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Description\n\nThe description of the job.\n\nrecommended"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "File\n\nThe file that pertains to the job.\n\noptional"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Last Run\n\nThe time when the job was last run.\n\nrecommended"]
    #[serde(rename = "last_run_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_run_time: Option<i64>,
    #[doc = "Last Run\n\nThe time when the job was last run.\n\noptional"]
    #[serde(rename = "last_run_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_run_time_dt: Option<String>,
    #[doc = "Name\n\nThe name of the job.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Next Run\n\nThe time when the job will next be run.\n\noptional"]
    #[serde(rename = "next_run_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub next_run_time: Option<i64>,
    #[doc = "Next Run\n\nThe time when the job will next be run.\n\noptional"]
    #[serde(rename = "next_run_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub next_run_time_dt: Option<String>,
    #[doc = "Run State\n\nThe run state of the job.\n\noptional"]
    #[serde(rename = "run_state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub run_state: Option<String>,
    #[doc = "Run State ID\n\nThe run state ID of the job.\n\nrecommended"]
    #[serde(rename = "run_state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub run_state_id: Option<i64>,
    #[doc = "User\n\nThe user that created the job.\n\noptional"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
}
#[doc = "KB Article\n\nThe KB Article object contains metadata that describes the patch or update.\n\n[] Category:  | Name: kb_article\n\n**Constraints:**\n* at_least_one: `[uid`,`src_url]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct KbArticle {
    #[doc = "Average Timespan\n\nThe average time to patch.\n\noptional"]
    #[serde(rename = "avg_timespan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub avg_timespan: Option<Box<Timespan>>,
    #[doc = "Patch Bulletin\n\nThe kb article bulletin identifier.\n\noptional"]
    #[serde(rename = "bulletin")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bulletin: Option<String>,
    #[doc = "Classification\n\nThe vendors classification of the kb article.\n\noptional"]
    #[serde(rename = "classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub classification: Option<String>,
    #[doc = "Created Time\n\nThe date the kb article was released by the vendor.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe date the kb article was released by the vendor.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Install State\n\nThe install state of the kb article.\n\nrecommended"]
    #[serde(rename = "install_state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub install_state: Option<String>,
    #[doc = "Install State ID\n\nThe normalized install state ID of the kb article.\n\nrecommended"]
    #[serde(rename = "install_state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub install_state_id: Option<i64>,
    #[doc = "The patch is superseded.\n\nThe kb article has been replaced by another.\n\noptional"]
    #[serde(rename = "is_superseded")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_superseded: Option<bool>,
    #[doc = "OS\n\nThe operating system the kb article applies.\n\nrecommended"]
    #[serde(rename = "os")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub os: Option<Box<Os>>,
    #[doc = "Product\n\nThe product details the kb article applies.\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Severity\n\nThe severity of the kb article.\n\nrecommended"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Size\n\nThe size in bytes for the kb article.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Source URL\n\nThe kb article link from the source vendor.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Title\n\nThe title of the kb article.\n\nrecommended"]
    #[serde(rename = "title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub title: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier for the kb article.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Kernel Resource\n\nThe Kernel Resource object provides information about a specific kernel resource, including its name and type. It describes essential attributes associated with a resource managed by the kernel of an operating system.\n\n[] Category:  | Name: kernel"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Kernel {
    #[doc = "System\n\nThe indication of whether the object is part of the operating system.\n\noptional"]
    #[serde(rename = "is_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_system: Option<bool>,
    #[doc = "Name\n\nThe name of the kernel resource.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Path\n\nThe full path of the kernel resource.\n\noptional"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "System Call\n\nThe system call that was invoked.\n\noptional"]
    #[serde(rename = "system_call")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub system_call: Option<String>,
    #[doc = "Type\n\nThe type of the kernel resource.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type of the kernel resource.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
}
#[doc = "Kernel Extension\n\nThe Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel.\n\n[] Category:  | Name: kernel_driver"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct KernelDriver {
    #[doc = "File\n\nThe driver/extension file object.\n\nrequired"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
}
#[doc = "Key:Value object\n\nA generic object allowing to define a <code>{key:value}</code> pair.\n\n[] Category:  | Name: key_value_object\n\n**Constraints:**\n* at_least_one: `[value`,`values]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct KeyValueObject {
    #[doc = "Name\n\nThe name of the key.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Value\n\nThe value associated to the key.\n\nrecommended"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
    #[doc = "Values\n\nOptional, the values associated to the key. You can populate this attribute, when you have multiple values for the same key.\n\nrecommended"]
    #[serde(rename = "values")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
#[doc = "Keyboard Information\n\nThe Keyboard Information object contains details and attributes related to a computer or device keyboard. It encompasses information that describes the characteristics, capabilities, and configuration of the keyboard.\n\n[] Category:  | Name: keyboard_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct KeyboardInfo {
    #[doc = "Function Keys\n\nThe number of function keys on client keyboard.\n\noptional"]
    #[serde(rename = "function_keys")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub function_keys: Option<i64>,
    #[doc = "IME\n\nThe Input Method Editor (IME) file name.\n\noptional"]
    #[serde(rename = "ime")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ime: Option<String>,
    #[doc = "Keyboard Layout\n\nThe keyboard locale identifier name (e.g., en-US).\n\noptional"]
    #[serde(rename = "keyboard_layout")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub keyboard_layout: Option<String>,
    #[doc = "Keyboard Subtype\n\nThe keyboard numeric code.\n\noptional"]
    #[serde(rename = "keyboard_subtype")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub keyboard_subtype: Option<i64>,
    #[doc = "Keyboard Type\n\nThe keyboard type (e.g., xt, ico).\n\noptional"]
    #[serde(rename = "keyboard_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub keyboard_type: Option<String>,
}
#[doc = "Kill Chain Phase\n\nThe Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker. It provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. See <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a>.\n\n[] Category:  | Name: kill_chain_phase"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct KillChainPhase {
    #[doc = "Kill Chain Phase\n\nThe cyber kill chain phase.\n\nrecommended"]
    #[serde(rename = "phase")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub phase: Option<String>,
    #[doc = "Kill Chain Phase ID\n\nThe cyber kill chain phase identifier.\n\nrequired"]
    #[serde(rename = "phase_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub phase_id: Option<i64>,
}
#[doc = "LDAP Person\n\nThe additional LDAP attributes that describe a person.\n\n[] Category:  | Name: ldap_person"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct LdapPerson {
    #[doc = "Cost Center\n\nThe cost center associated with the user.\n\noptional"]
    #[serde(rename = "cost_center")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cost_center: Option<String>,
    #[doc = "Created Time\n\nThe timestamp when the user was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe timestamp when the user was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Deleted Time\n\nThe timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.\n\noptional"]
    #[serde(rename = "deleted_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub deleted_time: Option<i64>,
    #[doc = "Deleted Time\n\nThe timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.\n\noptional"]
    #[serde(rename = "deleted_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub deleted_time_dt: Option<String>,
    #[doc = "Display Name\n\nThe display name of the LDAP person. According to RFC 2798, this is the preferred name of a person to be used when displaying entries.\n\noptional"]
    #[serde(rename = "display_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub display_name: Option<String>,
    #[doc = "Email Addresses\n\nA list of additional email addresses for the user.\n\noptional"]
    #[serde(rename = "email_addrs")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_addrs: Option<Vec<String>>,
    #[doc = "Employee ID\n\nThe employee identifier assigned to the user by the organization.\n\noptional"]
    #[serde(rename = "employee_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub employee_uid: Option<String>,
    #[doc = "Given Name\n\nThe given or first name of the user.\n\noptional"]
    #[serde(rename = "given_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub given_name: Option<String>,
    #[doc = "Hire Time\n\nThe timestamp when the user was or will be hired by the organization.\n\noptional"]
    #[serde(rename = "hire_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hire_time: Option<i64>,
    #[doc = "Hire Time\n\nThe timestamp when the user was or will be hired by the organization.\n\noptional"]
    #[serde(rename = "hire_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hire_time_dt: Option<String>,
    #[doc = "Job Title\n\nThe user's job title.\n\noptional"]
    #[serde(rename = "job_title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub job_title: Option<String>,
    #[doc = "Labels\n\nThe labels associated with the user. For example in AD this could be the <code>userType</code>, <code>employeeType</code>. For example: <code>Member, Employee</code>.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Last Login\n\nThe last time when the user logged in.\n\noptional"]
    #[serde(rename = "last_login_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_login_time: Option<i64>,
    #[doc = "Last Login\n\nThe last time when the user logged in.\n\noptional"]
    #[serde(rename = "last_login_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_login_time_dt: Option<String>,
    #[doc = "LDAP Common Name\n\nThe LDAP and X.500 <code>commonName</code> attribute, typically the full name of the person. For example, <code>John Doe</code>.\n\noptional"]
    #[serde(rename = "ldap_cn")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ldap_cn: Option<String>,
    #[doc = "LDAP Distinguished Name\n\nThe X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, <code>cn=John Doe,ou=People,dc=example,dc=com</code>.\n\noptional"]
    #[serde(rename = "ldap_dn")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ldap_dn: Option<String>,
    #[doc = "Leave Time\n\nThe timestamp when the user left or will be leaving the organization.\n\noptional"]
    #[serde(rename = "leave_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub leave_time: Option<i64>,
    #[doc = "Leave Time\n\nThe timestamp when the user left or will be leaving the organization.\n\noptional"]
    #[serde(rename = "leave_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub leave_time_dt: Option<String>,
    #[doc = "Geo Location\n\nThe geographical location associated with a user. This is typically the user's usual work location.\n\noptional"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "Manager\n\nThe user's manager. This helps in understanding an org hierarchy. This should only ever be populated once in an event. I.e. there should not be a manager's manager in an event.\n\noptional"]
    #[serde(rename = "manager")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub manager: Option<Box<User>>,
    #[doc = "Modified Time\n\nThe timestamp when the user entry was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe timestamp when the user entry was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Office Location\n\nThe primary office location associated with the user. This could be any string and isn't a specific address. For example, <code>South East Virtual</code>.\n\noptional"]
    #[serde(rename = "office_location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub office_location: Option<String>,
    #[doc = "Telephone Number\n\nThe telephone number of the user. Corresponds to the LDAP <code>Telephone-Number</code> CN.\n\noptional"]
    #[serde(rename = "phone_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub phone_number: Option<String>,
    #[doc = "Surname\n\nThe last or family name for the user.\n\noptional"]
    #[serde(rename = "surname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub surname: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the user.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
}
#[doc = "Load Balancer\n\nThe load balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network.\n\n[] Category:  | Name: load_balancer\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct LoadBalancer {
    #[doc = "Classification\n\nThe request classification as defined by the load balancer.\n\noptional"]
    #[serde(rename = "classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub classification: Option<String>,
    #[doc = "Response Code\n\nThe numeric response status code detailing the connection from the load balancer to the destination target.\n\nrecommended"]
    #[serde(rename = "code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub code: Option<i64>,
    #[doc = "Destination Endpoint\n\nThe destination to which the load balancer is distributing traffic.\n\nrecommended"]
    #[serde(rename = "dst_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dst_endpoint: Option<Box<NetworkEndpoint>>,
    #[doc = "Endpoint Connections\n\nAn object detailing the load balancer connection attempts and responses.\n\nrecommended"]
    #[serde(rename = "endpoint_connections")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub endpoint_connections: Option<Vec<EndpointConnection>>,
    #[doc = "Error Message\n\nThe load balancer error message.\n\noptional"]
    #[serde(rename = "error_message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error_message: Option<String>,
    #[doc = "IP Address\n\nThe IP address of the load balancer node that handled the client request. Note: the load balancer may have other IP addresses, and this is not an IP address of the target/distribution endpoint - see <code>dst_endpoint</code>.\n\noptional"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "Message\n\nThe load balancer message.\n\noptional"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Metrics\n\nGeneral purpose metrics associated with the load balancer.\n\noptional"]
    #[serde(rename = "metrics")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metrics: Option<Vec<Metric>>,
    #[doc = "Name\n\nThe name of the load balancer.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Status Detail\n\nThe status detail contains additional status information about the load balancer distribution event.\n\noptional"]
    #[serde(rename = "status_detail")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_detail: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier for the load balancer.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Geo Location\n\nThe Geo Location object describes a geographical location, usually associated with an IP address.\n\n[] Category:  | Name: location\n\n**Constraints:**\n* at_least_one: `[city`,`country`,`postal_code`,`region]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Location {
    #[doc = "Aerial Height\n\nExpressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.\n\noptional"]
    #[serde(rename = "aerial_height")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aerial_height: Option<String>,
    #[doc = "City\n\nThe name of the city.\n\nrecommended"]
    #[serde(rename = "city")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub city: Option<String>,
    #[doc = "Continent\n\nThe name of the continent.\n\nrecommended"]
    #[serde(rename = "continent")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub continent: Option<String>,
    #[doc = "Coordinates\n\nA two-element array, containing a longitude/latitude pair. The format conforms with <a target='_blank' href='https://geojson.org'>GeoJSON</a>. For example: <code>[-73.983, 40.719]</code>.\n\noptional"]
    #[serde(rename = "coordinates")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub coordinates: Option<Vec<f64>>,
    #[doc = "Country\n\nThe ISO 3166-1 Alpha-2 country code.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>\n\nrecommended"]
    #[serde(rename = "country")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub country: Option<String>,
    #[doc = "Description\n\nThe description of the geographical location.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Geodetic Altitude\n\nThe aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.\n\noptional"]
    #[serde(rename = "geodetic_altitude")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub geodetic_altitude: Option<String>,
    #[doc = "Geodetic Vertical Accuracy\n\nProvides quality/containment on geodetic altitude. This is based on ADS-B Geodetic Vertical Accuracy (GVA). Measured in meters.\n\noptional"]
    #[serde(rename = "geodetic_vertical_accuracy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub geodetic_vertical_accuracy: Option<String>,
    #[doc = "Geohash\n\n<p>Geohash of the geo-coordinates (latitude and longitude).</p><a target='_blank' href='https://en.wikipedia.org/wiki/Geohash'>Geohashing</a> is a geocoding system used to encode geographic coordinates in decimal degrees, to a single string.\n\noptional"]
    #[serde(rename = "geohash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub geohash: Option<String>,
    #[doc = "Horizontal Accuracy\n\nProvides quality/containment on horizontal position. This is based on ADS-B NACp. Measured in meters.\n\noptional"]
    #[serde(rename = "horizontal_accuracy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub horizontal_accuracy: Option<String>,
    #[doc = "On Premises\n\nThe indication of whether the location is on premises.\n\noptional"]
    #[serde(rename = "is_on_premises")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_on_premises: Option<bool>,
    #[doc = "ISP Name\n\nThe name of the Internet Service Provider (ISP).\n\noptional"]
    #[serde(rename = "isp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub isp: Option<String>,
    #[doc = "Latitude\n\nThe geographical Latitude coordinate represented in Decimal Degrees (DD). For example: <code>42.361145</code>.\n\noptional"]
    #[serde(rename = "lat")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub lat: Option<f64>,
    #[doc = "Longitude\n\nThe geographical Longitude coordinate represented in Decimal Degrees (DD). For example: <code>-71.057083</code>.\n\noptional"]
    #[serde(rename = "long")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub long: Option<f64>,
    #[doc = "Postal Code\n\nThe postal code of the location.\n\noptional"]
    #[serde(rename = "postal_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub postal_code: Option<String>,
    #[doc = "Pressure Altitude\n\nThe uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. This value is provided in meters and must have a minimum resolution of 1 m.. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.\n\noptional"]
    #[serde(rename = "pressure_altitude")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pressure_altitude: Option<String>,
    #[doc = "Provider\n\nThe provider of the geographical location data.\n\noptional"]
    #[serde(rename = "provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub provider: Option<String>,
    #[doc = "Region\n\nThe alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. For example, 'CH-VD' for the Canton of Vaud, Switzerland\n\noptional"]
    #[serde(rename = "region")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
}
#[doc = "Logger\n\nThe Logger object represents the device and product where events are stored with times for receipt and transmission.  This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.\n\n[] Category:  | Name: logger\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Logger {
    #[doc = "Device\n\nThe device where the events are logged.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Event UID\n\nThe unique identifier of the event assigned by the logger.\n\noptional"]
    #[serde(rename = "event_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub event_uid: Option<String>,
    #[doc = "Is Truncated\n\nIndicates whether the OCSF event data has been truncated due to size limitations. When <code>true</code>, some event data may have been omitted to fit within system constraints.\n\noptional"]
    #[serde(rename = "is_truncated")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_truncated: Option<bool>,
    #[doc = "Log Format\n\nThe format of data in the log. For example JSON, syslog or CSV.\n\noptional"]
    #[serde(rename = "log_format")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_format: Option<String>,
    #[doc = "Log Level\n\nThe level at which an event was logged. This can be log provider specific. For example the audit level.\n\noptional"]
    #[serde(rename = "log_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_level: Option<String>,
    #[doc = "Log Name\n\nThe log name for the logging provider log, or the file name of the system log. This may be an intermediate store-and-forward log or a vendor destination log. For example /archive/server1/var/log/messages.0 or /var/log/.\n\nrecommended"]
    #[serde(rename = "log_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_name: Option<String>,
    #[doc = "Log Provider\n\nThe logging provider or logging service that logged the event. This may be an intermediate application store-and-forward log or a vendor destination log.\n\nrecommended"]
    #[serde(rename = "log_provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_provider: Option<String>,
    #[doc = "Log Version\n\nThe event log schema version of the original event. For example the syslog version or the Cisco Log Schema version\n\noptional"]
    #[serde(rename = "log_version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_version: Option<String>,
    #[doc = "Logged Time\n\n<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.\n\nrecommended"]
    #[serde(rename = "logged_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub logged_time: Option<i64>,
    #[doc = "Logged Time\n\n<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.\n\noptional"]
    #[serde(rename = "logged_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub logged_time_dt: Option<String>,
    #[doc = "Name\n\nThe name of the logging product instance.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Product\n\nThe product logging the event.  This may be the event source product, a management server product, a scanning product, a SIEM, etc.\n\nrecommended"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Transmission Time\n\nThe time when the event was transmitted from the logging device to it's next destination.\n\nrecommended"]
    #[serde(rename = "transmit_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub transmit_time: Option<i64>,
    #[doc = "Transmission Time\n\nThe time when the event was transmitted from the logging device to it's next destination.\n\noptional"]
    #[serde(rename = "transmit_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub transmit_time_dt: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the logging product instance.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Untruncated Size\n\nThe original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when <code>is_truncated</code> is <code>true</code> to indicate the full size of the original event.\n\noptional"]
    #[serde(rename = "untruncated_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub untruncated_size: Option<i64>,
    #[doc = "Version\n\nThe version of the logging provider.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Long String\n\nThis object is a used to capture strings which may be truncated by a security product due to their length.\n\n[] Category:  | Name: long_string"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct LongString {
    #[doc = "Is Truncated\n\nIndicates that <code>value</code> has been truncated. May be omitted if truncation has not occurred.\n\noptional"]
    #[serde(rename = "is_truncated")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_truncated: Option<bool>,
    #[doc = "Untruncated Size\n\nThe size in bytes of the string represented by <code>value</code> before truncation. Should be omitted if truncation has not occurred.\n\noptional"]
    #[serde(rename = "untruncated_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub untruncated_size: Option<i64>,
    #[doc = "Value\n\nThe string value, truncated if <code>is_truncated</code> is <code>true</code>.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "Malware\n\nThe Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.\n\n[] Category:  | Name: malware\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Malware {
    #[doc = "Classification IDs\n\nThe list of normalized identifiers of the malware classifications.\n\nrequired"]
    #[serde(rename = "classification_ids")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub classification_ids: Option<Vec<i64>>,
    #[doc = "Classifications\n\nThe list of malware classifications, normalized to the captions of the <code>classification_ids</code> values. In the case of 'Other', they are defined by the event source.\n\noptional"]
    #[serde(rename = "classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub classifications: Option<Vec<String>>,
    #[doc = "CVE List\n\nThe list of Common Vulnerabilities and Exposures (CVE) identifiers associated with the malware. Reference: <a target='_blank' href='https://cve.mitre.org/'>CVE</a>\n\noptional"]
    #[serde(rename = "cves")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cves: Option<Vec<Cve>>,
    #[doc = "Files\n\nThe list of file objects representing files that were identified as infected by the malware.\n\noptional"]
    #[serde(rename = "files")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub files: Option<Vec<File>>,
    #[doc = "Name\n\nThe malware name, as reported by the detection engine.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Number of Infected Entities\n\nThe number of files that were identified to be infected by the malware.\n\noptional"]
    #[serde(rename = "num_infected")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_infected: Option<i64>,
    #[doc = "Path\n\nThe filesystem path of the malware that was observed.\n\nrecommended"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Provider\n\nThe name or identifier of the security solution or service that provided the malware detection information.\n\nrecommended"]
    #[serde(rename = "provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub provider: Option<String>,
    #[doc = "Severity\n\nThe severity of the malware, normalized to the captions of the <code>severity_id</code> values. In the case of 'Other', they are defined by the event source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\nThe normalized identifier of the malware severity.\n\nrecommended"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Unique ID\n\nA unique identifier for the specific malware instance, as assigned by the detection engine (e.g., virus signature ID or IPS rule ID).\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Malware Scan Info\n\nThe malware scan information object describes characteristics, metadata of a malware scanning job.\n\n[] Category:  | Name: malware_scan_info\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct MalwareScanInfo {
    #[doc = "End Time\n\nThe timestamp indicating when the scan job completed execution.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe timestamp indicating when the scan job completed execution.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Name\n\nThe administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Scanned Files\n\nThe total number of files analyzed during the scan.\n\noptional"]
    #[serde(rename = "num_files")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_files: Option<i64>,
    #[doc = "Number of Infected Entities\n\nThe total number of files identified as infected with malware during the scan.\n\noptional"]
    #[serde(rename = "num_infected")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_infected: Option<i64>,
    #[doc = "Number of Volumes\n\nThe total number of storage volumes examined during the malware scan.\n\noptional"]
    #[serde(rename = "num_volumes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub num_volumes: Option<i64>,
    #[doc = "Size\n\nThe total size in bytes of all files that were scanned.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Start Time\n\nThe timestamp indicating when the scan job began execution.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe timestamp indicating when the scan job began execution.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Type\n\nThe type of scan.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type id of the scan.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Scan UID\n\nThe application-defined unique identifier assigned to an instance of a scan.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Unique Malware Count\n\nThe number of unique malware detected across all infected files.\n\noptional"]
    #[serde(rename = "unique_malware_count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unique_malware_count: Option<i64>,
}
#[doc = "Managed Entity\n\nThe Managed Entity object describes the type and version of an entity, such as a user, device, or policy.  For types in the <code>type_id</code> enum list, an associated attribute should be populated.  If the type of entity is not in the <code>type_id</code> list, information can be put into the <code>data</code> attribute, <code>type_id</code> should be 'Other' and the <code>type</code> attribute should label the entity type.\n\n[] Category:  | Name: managed_entity\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ManagedEntity {
    #[doc = "Data\n\nThe managed entity content as a JSON object.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Device\n\nAn addressable device, computer system or host.\n\nrecommended"]
    #[serde(rename = "device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub device: Option<Box<Device>>,
    #[doc = "Email\n\nThe email object.\n\nrecommended"]
    #[serde(rename = "email")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email: Option<Box<Email>>,
    #[doc = "Group\n\nThe group object associated with an entity such as user, policy, or rule.\n\nrecommended"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Geo Location\n\nThe detailed geographical location usually associated with an IP address.\n\noptional"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "Name\n\nThe name of the managed entity. It should match the name of the specific entity object's name if populated, or the name of the managed entity if the <code>type_id</code> is 'Other'.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Organization\n\nThe Organization object containing details about the managed organizational entity. This object includes properties such as the organization name, unique identifier, type, and other organizational metadata. This attribute should be populated when <code>type_id</code> is <code>4</code> (Organization).\n\nrecommended"]
    #[serde(rename = "org")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub org: Option<Box<Organization>>,
    #[doc = "Policy\n\nDescribes details of a managed policy.\n\nrecommended"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Type\n\nThe managed entity type. For example: <code>Policy</code>, <code>User</code>, <code>Organization</code>, <code>Device</code>.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type of the Managed Entity. It is recommended to also populate the <code>type</code> attribute with the associated label, or the source specific name if <code>Other</code>.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe identifier of the managed entity. It should match the <code>uid</code> of the specific entity's object UID if populated, or the source specific ID if the <code>type_id</code> is 'Other'.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "User\n\nThe user that pertains to the event or object.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
    #[doc = "Version\n\nThe version of the managed entity. For example: <code>1.2.3</code>.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Message Context\n\nCommunication context for AI system interactions including protocols, roles, clients, and session information for MCP and other AI communication systems.\n\n[] Category:  | Name: message_context\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct MessageContext {
    #[doc = "AI Role\n\nThe normalized caption of the <code>ai_role_id</code>.\n\noptional"]
    #[serde(rename = "ai_role")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ai_role: Option<String>,
    #[doc = "AI Role ID\n\nSpecifies the functional role of the AI within the context of this message, such as retrieving information, assisting reasoning, executing a tool, or generating content.\n\nrecommended"]
    #[serde(rename = "ai_role_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ai_role_id: Option<i64>,
    #[doc = "Application\n\nThe initiating client application. In AI systems, this represents the client-side application or framework that initiates requests (e.g., LangChain application, web browser, mobile app, SDK implementation).\n\nrecommended"]
    #[serde(rename = "application")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub application: Option<Box<Application>>,
    #[doc = "Completion Tokens\n\nNumber of tokens in the model's response/completion for this message.\n\noptional"]
    #[serde(rename = "completion_tokens")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub completion_tokens: Option<i64>,
    #[doc = "Name\n\nThe name or identifier of the message context. In AI systems, this could be the conversation ID, session name, thread identifier, or interaction name (e.g., 'user-session-123', 'conversation-abc', 'chat-thread-456').\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Prompt Tokens\n\nNumber of tokens in the input prompt for this message.\n\noptional"]
    #[serde(rename = "prompt_tokens")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub prompt_tokens: Option<i64>,
    #[doc = "Service\n\nThe server or service handling the request. In AI systems, this represents the AI service, API endpoint, or agent that processes and responds to requests (e.g., OpenAI API service, Claude API service, internal AI model service).\n\nrecommended"]
    #[serde(rename = "service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service: Option<Box<Service>>,
    #[doc = "Total Tokens\n\nTotal number of tokens used for this message (prompt + completion).\n\noptional"]
    #[serde(rename = "total_tokens")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub total_tokens: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the message context. This could be a session ID, conversation ID, or other unique identifier that allows correlation of messages within the same context.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Metadata\n\nThe Metadata object describes the metadata associated with the event.\n\n[] Category:  | Name: metadata"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Metadata {
    #[doc = "Correlation UID\n\nA unique identifier used to correlate this OCSF event with other related OCSF events, distinct from the event's <code>uid</code> value. This enables linking multiple OCSF events that are part of the same activity, transaction, or security incident across different systems or time periods.\n\noptional"]
    #[serde(rename = "correlation_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub correlation_uid: Option<String>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Debug Information\n\nDebug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.\n\noptional"]
    #[serde(rename = "debug")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub debug: Option<Vec<String>>,
    #[doc = "Event Code\n\nThe identifier of the original event. For example the numerical Windows Event Code or Cisco syslog code.\n\noptional"]
    #[serde(rename = "event_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub event_code: Option<String>,
    #[doc = "Schema Extension\n\nThe schema extension used to create the event.\n\noptional"]
    #[serde(rename = "extension")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extension: Option<Box<Extension>>,
    #[doc = "Schema Extensions\n\nThe schema extensions used to create the event.\n\noptional"]
    #[serde(rename = "extensions")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extensions: Option<Vec<Extension>>,
    #[doc = "Is Truncated\n\nIndicates whether the OCSF event data has been truncated due to size limitations. When <code>true</code>, some event data may have been omitted to fit within system constraints.\n\noptional"]
    #[serde(rename = "is_truncated")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_truncated: Option<bool>,
    #[doc = "Labels\n\nThe list of labels attached to the event. For example: <code>[\"sample\", \"dev\"]</code>\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Log Source Format\n\nThe format of data in the log where the data originated. For example CSV, XML, Windows Multiline, JSON, syslog or Cisco Log Schema.\n\noptional"]
    #[serde(rename = "log_format")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_format: Option<String>,
    #[doc = "Log Level\n\nThe level at which an event was logged. This can be log provider specific. For example the audit level.\n\noptional"]
    #[serde(rename = "log_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_level: Option<String>,
    #[doc = "Log Name\n\nThe event log name, typically for the consumer of the event. For example, the storage bucket name, SIEM repository index name, etc.\n\nrecommended"]
    #[serde(rename = "log_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_name: Option<String>,
    #[doc = "Log Provider\n\nThe logging provider or logging service that logged the event. For example AWS CloudWatch or Splunk.\n\noptional"]
    #[serde(rename = "log_provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_provider: Option<String>,
    #[doc = "Log Source\n\nThe log system or component where the data originated. For example, a file path, syslog server name or a Windows hostname and logging subsystem such as Security.\n\noptional"]
    #[serde(rename = "log_source")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_source: Option<String>,
    #[doc = "Log Version\n\nThe event log schema version of the original event. For example the syslog version or the Cisco Log Schema version\n\noptional"]
    #[serde(rename = "log_version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub log_version: Option<String>,
    #[doc = "Logged Time\n\n<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.\n\noptional"]
    #[serde(rename = "logged_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub logged_time: Option<i64>,
    #[doc = "Logged Time\n\n<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.\n\noptional"]
    #[serde(rename = "logged_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub logged_time_dt: Option<String>,
    #[doc = "Loggers\n\nAn array of Logger objects that describe the pipeline of devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow and/or to track the chain of custody of the data.\n\noptional"]
    #[serde(rename = "loggers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub loggers: Option<Vec<Logger>>,
    #[doc = "Modified Time\n\nThe time when the event was last modified or enriched.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the event was last modified or enriched.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Original Event ID\n\nThe unique identifier assigned to the event in its original logging system before transformation to OCSF format. This field preserves the source system's native event identifier, enabling traceability back to the raw log entry. For example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value, or a database transaction log sequence number.\n\noptional"]
    #[serde(rename = "original_event_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub original_event_uid: Option<String>,
    #[doc = "Original Time\n\nThe original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.\n\nrecommended"]
    #[serde(rename = "original_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub original_time: Option<String>,
    #[doc = "Processed Time\n\nThe event processed time, such as an ETL operation.\n\noptional"]
    #[serde(rename = "processed_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub processed_time: Option<i64>,
    #[doc = "Processed Time\n\nThe event processed time, such as an ETL operation.\n\noptional"]
    #[serde(rename = "processed_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub processed_time_dt: Option<String>,
    #[doc = "Product\n\nThe product that reported the event.\n\nrequired"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Profiles\n\nThe list of profiles used to create the event.  Profiles should be referenced by their <code>name</code> attribute for core profiles, or <code>extension/name</code> for profiles from extensions.\n\noptional"]
    #[serde(rename = "profiles")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub profiles: Option<Vec<String>>,
    #[doc = "Reporter\n\nThe entity from which the event or finding was first reported.\n\nrecommended"]
    #[serde(rename = "reporter")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reporter: Option<Box<Reporter>>,
    #[doc = "Sequence Number\n\nSequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.\n\noptional"]
    #[serde(rename = "sequence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sequence: Option<i64>,
    #[doc = "Source\n\nThe source of the event or finding. This can be any distinguishing name for the logical origin of the data — for example, 'CloudTrail Events', or a use case like 'Attack Simulations' or 'Vulnerability Scans'.\n\noptional"]
    #[serde(rename = "source")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub source: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the event.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Tenant UID\n\nThe unique tenant identifier.\n\nrecommended"]
    #[serde(rename = "tenant_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tenant_uid: Option<String>,
    #[doc = "Transformation Info\n\nAn array of transformation info that describes the mappings or transforms applied to the data.\n\noptional"]
    #[serde(rename = "transformation_info_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub transformation_info_list: Option<Vec<TransformationInfo>>,
    #[doc = "Transmission Time\n\nThe time when the event was transmitted from the logging device to it's next destination.\n\noptional"]
    #[serde(rename = "transmit_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub transmit_time: Option<i64>,
    #[doc = "Transmission Time\n\nThe time when the event was transmitted from the logging device to it's next destination.\n\noptional"]
    #[serde(rename = "transmit_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub transmit_time_dt: Option<String>,
    #[doc = "Type\n\nThe type of the event or finding as a subset of the <code>source</code> of the event. This can be any distinguishing characteristic of the data. For example 'Management Events' or 'Device Penetration Test'.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Event UID\n\nA unique identifier assigned to the OCSF event. This ID is specific to the OCSF event itself and is distinct from the original event identifier in the source system (see <code>original_event_uid</code>).\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Untruncated Size\n\nThe original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when <code>is_truncated</code> is <code>true</code> to indicate the full size of the original event.\n\noptional"]
    #[serde(rename = "untruncated_size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub untruncated_size: Option<i64>,
    #[doc = "Version\n\nThe version of the OCSF schema, using Semantic Versioning Specification (<a target='_blank' href='https://semver.org'>SemVer</a>). For example: <code>1.0.0.</code> Event consumers use the version to determine the available event attributes.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Metric\n\nThe Metric object defines a simple name/value pair entity for a metric.\n\n[] Category:  | Name: metric"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Metric {
    #[doc = "Name\n\nThe name of the metric.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Value\n\nThe value of the metric.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "MITRE Mitigation\n\nThe MITRE Mitigation object describes the ATT&CK® or ATLAS™ Mitigation ID and/or name that is associated to an attack.\n\n[] Category:  | Name: mitigation\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Mitigation {
    #[doc = "Countermeasures\n\nThe D3FEND countermeasures that are associated with the attack technique. For example: ATT&CK Technique <code>T1003</code> is addressed by Mitigation <code>M1027</code>, and D3FEND Technique <code>D3-OTP</code>.\n\noptional"]
    #[serde(rename = "countermeasures")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub countermeasures: Option<Vec<D3fend>>,
    #[doc = "Name\n\nThe Mitigation name that is associated with the attack technique. For example: <code>Password Policies</code>, or <code>Code Signing</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Source URL\n\nThe versioned permalink of the Mitigation. For example: <code>https://attack.mitre.org/versions/v14/mitigations/M1027</code>.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Unique ID\n\nThe Mitigation ID that is associated with the attack technique. For example: <code>M1027</code>, or <code>AML.M0013</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Module\n\nThe Module object describes the attributes of a module.\n\n[] Category:  | Name: module\n\n**Constraints:**\n* at_least_one: `[load_type_id`,`function_name]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Module {
    #[doc = "Base Address\n\nThe memory address where the module was loaded.\n\nrecommended"]
    #[serde(rename = "base_address")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub base_address: Option<String>,
    #[doc = "File\n\nThe module file object.\n\nrecommended"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Function Invocation\n\nDetails about the invocation of the function given in <code>function_name</code>.\n\noptional"]
    #[serde(rename = "function_invocation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub function_invocation: Option<Box<FunctionInvocation>>,
    #[doc = "Function Name\n\nThe invoked function in the module. For load and unload events, this is the entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.\n\nrecommended"]
    #[serde(rename = "function_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub function_name: Option<String>,
    #[doc = "Load Type\n\nThe load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "load_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_type: Option<String>,
    #[doc = "Load Type ID\n\nThe normalized identifier for how the module was loaded in memory.\n\nrecommended"]
    #[serde(rename = "load_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_type_id: Option<i64>,
    #[doc = "Start Address\n\nThe start address of the execution.\n\nrecommended"]
    #[serde(rename = "start_address")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_address: Option<String>,
    #[doc = "Type\n\nThe module type.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
}
#[doc = "Network Connection Information\n\nThe Network Connection Information object describes characteristics of an OSI Transport Layer communication, including TCP and UDP.\n\n[] Category:  | Name: network_connection_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkConnectionInfo {
    #[doc = "Boundary\n\nThe boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. <p> For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>\n\noptional"]
    #[serde(rename = "boundary")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub boundary: Option<String>,
    #[doc = "Boundary ID\n\n<p>The normalized identifier of the boundary of the connection. </p><p> For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>\n\nrecommended"]
    #[serde(rename = "boundary_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub boundary_id: Option<i64>,
    #[doc = "Community ID\n\nThe Community ID of the network connection.\n\noptional"]
    #[serde(rename = "community_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub community_uid: Option<String>,
    #[doc = "Direction\n\nThe direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "direction")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub direction: Option<String>,
    #[doc = "Direction ID\n\nThe normalized identifier of the direction of the initiated connection, traffic, or email.\n\nrequired"]
    #[serde(rename = "direction_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub direction_id: Option<i64>,
    #[doc = "Connection Flag History\n\nThe Connection Flag History summarizes events in a network connection. For example flags <code> ShAD </code> representing SYN, SYN/ACK, ACK and Data exchange.\n\noptional"]
    #[serde(rename = "flag_history")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub flag_history: Option<String>,
    #[doc = "Protocol Name\n\nThe IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). For example: <code>tcp</code> or <code>udp</code>.\n\nrecommended"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "Protocol Number\n\nThe IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). For example: <code>6</code> for TCP and <code>17</code> for UDP.\n\nrecommended"]
    #[serde(rename = "protocol_num")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_num: Option<i64>,
    #[doc = "IP Version\n\nThe Internet Protocol version.\n\noptional"]
    #[serde(rename = "protocol_ver")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_ver: Option<String>,
    #[doc = "IP Version ID\n\nThe Internet Protocol version identifier.\n\nrecommended"]
    #[serde(rename = "protocol_ver_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_ver_id: Option<i64>,
    #[doc = "Session\n\nThe authenticated user or service session.\n\noptional"]
    #[serde(rename = "session")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<Box<Session>>,
    #[doc = "TCP Flags\n\nThe network connection TCP header flags (i.e., control bits).\n\noptional"]
    #[serde(rename = "tcp_flags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tcp_flags: Option<i64>,
    #[doc = "Connection UID\n\nThe unique identifier of the connection.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Network Endpoint\n\nThe Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.\n\n[] Category:  | Name: network_endpoint\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkEndpoint {
    #[doc = "Agent List\n\nA list of <code>agent</code> objects associated with a device, endpoint, or resource.\n\noptional"]
    #[serde(rename = "agent_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub agent_list: Option<Vec<Agent>>,
    #[doc = "Autonomous System\n\nThe Autonomous System details associated with an IP address.\n\noptional"]
    #[serde(rename = "autonomous_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub autonomous_system: Option<Box<AutonomousSystem>>,
    #[doc = "Container\n\nThe information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.\n\nrecommended"]
    #[serde(rename = "container")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub container: Option<Box<Container>>,
    #[doc = "Domain\n\nThe name of the domain that the endpoint belongs to or that corresponds to the endpoint.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Hostname\n\nThe fully qualified name of the endpoint.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "Hardware Info\n\nThe endpoint hardware information.\n\noptional"]
    #[serde(rename = "hw_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hw_info: Option<Box<DeviceHwInfo>>,
    #[doc = "Instance ID\n\nThe unique identifier of a VM instance.\n\nrecommended"]
    #[serde(rename = "instance_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub instance_uid: Option<String>,
    #[doc = "Network Interface Name\n\nThe name of the network interface (e.g. eth2).\n\nrecommended"]
    #[serde(rename = "interface_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interface_name: Option<String>,
    #[doc = "Network Interface ID\n\nThe unique identifier of the network interface.\n\nrecommended"]
    #[serde(rename = "interface_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interface_uid: Option<String>,
    #[doc = "Intermediate IP Addresses\n\nThe intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.\n\noptional"]
    #[serde(rename = "intermediate_ips")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub intermediate_ips: Option<Vec<String>>,
    #[doc = "IP Address\n\nThe IP address of the endpoint, in either IPv4 or IPv6 format.\n\nrecommended"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "ISP Name\n\nThe name of the Internet Service Provider (ISP).\n\noptional"]
    #[serde(rename = "isp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub isp: Option<String>,
    #[doc = "ISP Org\n\nThe organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.\n\noptional"]
    #[serde(rename = "isp_org")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub isp_org: Option<String>,
    #[doc = "Geo Location\n\nThe geographical location of the endpoint.\n\noptional"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "MAC Address\n\nThe Media Access Control (MAC) address of the endpoint.\n\noptional"]
    #[serde(rename = "mac")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mac: Option<String>,
    #[doc = "Name\n\nThe short name of the endpoint.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Namespace PID\n\nIf running under a process namespace (such as in a container), the process identifier within that process namespace.\n\nrecommended"]
    #[serde(rename = "namespace_pid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub namespace_pid: Option<i64>,
    #[doc = "Network Scope\n\nIndicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined. The value is normalized to the caption of the <code>network_scope_id</code>.\n\noptional"]
    #[serde(rename = "network_scope")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_scope: Option<String>,
    #[doc = "Network Scope ID\n\nThe normalized identifier of the endpoint’s network scope. The normalized network scope identifier indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined.\n\noptional"]
    #[serde(rename = "network_scope_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_scope_id: Option<i64>,
    #[doc = "OS\n\nThe endpoint operating system.\n\noptional"]
    #[serde(rename = "os")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub os: Option<Box<Os>>,
    #[doc = "Owner\n\nThe identity of the service or user account that owns the endpoint or was last logged into it.\n\nrecommended"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Port\n\nThe port used for communication within the network connection.\n\nrecommended"]
    #[serde(rename = "port")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub port: Option<i64>,
    #[doc = "Proxy Endpoint\n\nThe network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Subnet UID\n\nThe unique identifier of a virtual subnet.\n\noptional"]
    #[serde(rename = "subnet_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subnet_uid: Option<String>,
    #[doc = "Service Name\n\nThe service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.\n\nrecommended"]
    #[serde(rename = "svc_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub svc_name: Option<String>,
    #[doc = "Type\n\nThe network endpoint type. For example: <code>unknown</code>, <code>server</code>, <code>desktop</code>, <code>laptop</code>, <code>tablet</code>, <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or <code>other</code>.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe network endpoint type ID.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the endpoint.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "VLAN\n\nThe Virtual LAN identifier.\n\noptional"]
    #[serde(rename = "vlan_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vlan_uid: Option<String>,
    #[doc = "VPC UID\n\nThe unique identifier of the Virtual Private Cloud (VPC).\n\noptional"]
    #[serde(rename = "vpc_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vpc_uid: Option<String>,
    #[doc = "Network Zone\n\nThe network zone or LAN segment.\n\noptional"]
    #[serde(rename = "zone")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub zone: Option<String>,
}
#[doc = "Network Interface\n\nThe Network Interface object describes the type and associated attributes of a physical or virtual network interface.\n\n[] Category:  | Name: network_interface\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkInterface {
    #[doc = "Hostname\n\nThe hostname associated with the network interface.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "IP Address\n\nThe IP address associated with the network interface.\n\nrecommended"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "MAC Address\n\nThe MAC address of the network interface.\n\nrecommended"]
    #[serde(rename = "mac")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mac: Option<String>,
    #[doc = "Name\n\nThe name of the network interface.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Namespace\n\nThe namespace is useful in merger or acquisition situations. For example, when similar entities exist that you need to keep separate.\n\noptional"]
    #[serde(rename = "namespace")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    #[doc = "Open Ports\n\nThe list of open ports on a network interface, including port numbers and associated protocol information.\n\noptional"]
    #[serde(rename = "open_ports")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub open_ports: Option<Vec<PortInfo>>,
    #[doc = "Subnet Prefix Length\n\nThe subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet.\n\noptional"]
    #[serde(rename = "subnet_prefix")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subnet_prefix: Option<i64>,
    #[doc = "Type\n\nThe type of network interface.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe network interface type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier for the network interface.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Network Proxy Endpoint\n\nThe network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.\n\n[] Category:  | Name: network_proxy\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkProxy {
    #[doc = "Agent List\n\nA list of <code>agent</code> objects associated with a device, endpoint, or resource.\n\noptional"]
    #[serde(rename = "agent_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub agent_list: Option<Vec<Agent>>,
    #[doc = "Autonomous System\n\nThe Autonomous System details associated with an IP address.\n\noptional"]
    #[serde(rename = "autonomous_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub autonomous_system: Option<Box<AutonomousSystem>>,
    #[doc = "Container\n\nThe information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.\n\nrecommended"]
    #[serde(rename = "container")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub container: Option<Box<Container>>,
    #[doc = "Domain\n\nThe name of the domain that the endpoint belongs to or that corresponds to the endpoint.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Hostname\n\nThe fully qualified name of the endpoint.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "Hardware Info\n\nThe endpoint hardware information.\n\noptional"]
    #[serde(rename = "hw_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hw_info: Option<Box<DeviceHwInfo>>,
    #[doc = "Instance ID\n\nThe unique identifier of a VM instance.\n\nrecommended"]
    #[serde(rename = "instance_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub instance_uid: Option<String>,
    #[doc = "Network Interface Name\n\nThe name of the network interface (e.g. eth2).\n\nrecommended"]
    #[serde(rename = "interface_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interface_name: Option<String>,
    #[doc = "Network Interface ID\n\nThe unique identifier of the network interface.\n\nrecommended"]
    #[serde(rename = "interface_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interface_uid: Option<String>,
    #[doc = "Intermediate IP Addresses\n\nThe intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header.\n\noptional"]
    #[serde(rename = "intermediate_ips")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub intermediate_ips: Option<Vec<String>>,
    #[doc = "IP Address\n\nThe IP address of the endpoint, in either IPv4 or IPv6 format.\n\nrecommended"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "ISP Name\n\nThe name of the Internet Service Provider (ISP).\n\noptional"]
    #[serde(rename = "isp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub isp: Option<String>,
    #[doc = "ISP Org\n\nThe organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.\n\noptional"]
    #[serde(rename = "isp_org")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub isp_org: Option<String>,
    #[doc = "Geo Location\n\nThe geographical location of the endpoint.\n\noptional"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "MAC Address\n\nThe Media Access Control (MAC) address of the endpoint.\n\noptional"]
    #[serde(rename = "mac")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mac: Option<String>,
    #[doc = "Name\n\nThe short name of the endpoint.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Namespace PID\n\nIf running under a process namespace (such as in a container), the process identifier within that process namespace.\n\nrecommended"]
    #[serde(rename = "namespace_pid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub namespace_pid: Option<i64>,
    #[doc = "Network Scope\n\nIndicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined. The value is normalized to the caption of the <code>network_scope_id</code>.\n\noptional"]
    #[serde(rename = "network_scope")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_scope: Option<String>,
    #[doc = "Network Scope ID\n\nThe normalized identifier of the endpoint’s network scope. The normalized network scope identifier indicates whether the endpoint resides inside the customer’s network, outside on the Internet, or if its location relative to the customer’s network cannot be determined.\n\noptional"]
    #[serde(rename = "network_scope_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_scope_id: Option<i64>,
    #[doc = "OS\n\nThe endpoint operating system.\n\noptional"]
    #[serde(rename = "os")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub os: Option<Box<Os>>,
    #[doc = "Owner\n\nThe identity of the service or user account that owns the endpoint or was last logged into it.\n\nrecommended"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Port\n\nThe port used for communication within the network connection.\n\nrecommended"]
    #[serde(rename = "port")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub port: Option<i64>,
    #[doc = "Proxy Endpoint\n\nThe network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).\n\noptional"]
    #[serde(rename = "proxy_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proxy_endpoint: Option<Box<NetworkProxy>>,
    #[doc = "Subnet UID\n\nThe unique identifier of a virtual subnet.\n\noptional"]
    #[serde(rename = "subnet_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subnet_uid: Option<String>,
    #[doc = "Service Name\n\nThe service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.\n\nrecommended"]
    #[serde(rename = "svc_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub svc_name: Option<String>,
    #[doc = "Type\n\nThe network endpoint type. For example: <code>unknown</code>, <code>server</code>, <code>desktop</code>, <code>laptop</code>, <code>tablet</code>, <code>mobile</code>, <code>virtual</code>, <code>browser</code>, or <code>other</code>.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe network endpoint type ID.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the endpoint.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "VLAN\n\nThe Virtual LAN identifier.\n\noptional"]
    #[serde(rename = "vlan_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vlan_uid: Option<String>,
    #[doc = "VPC UID\n\nThe unique identifier of the Virtual Private Cloud (VPC).\n\noptional"]
    #[serde(rename = "vpc_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vpc_uid: Option<String>,
    #[doc = "Network Zone\n\nThe network zone or LAN segment.\n\noptional"]
    #[serde(rename = "zone")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub zone: Option<String>,
}
#[doc = "Network Traffic\n\nThe Network Traffic object describes characteristics of network traffic over a time period. The metrics represent network data transferred between source and destination during an observation window.\n\n[] Category:  | Name: network_traffic"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct NetworkTraffic {
    #[doc = "Total Bytes\n\nThe total number of bytes transferred in both directions (sum of bytes_in and bytes_out).\n\nrecommended"]
    #[serde(rename = "bytes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bytes: Option<i64>,
    #[doc = "Bytes In\n\nThe number of bytes sent from the destination to the source (inbound direction).\n\noptional"]
    #[serde(rename = "bytes_in")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bytes_in: Option<i64>,
    #[doc = "Bytes Missed\n\nThe number of bytes that were missed during observation, typically due to packet loss or sampling limitations.\n\noptional"]
    #[serde(rename = "bytes_missed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bytes_missed: Option<i64>,
    #[doc = "Bytes Out\n\nThe number of bytes sent from the source to the destination (outbound direction).\n\noptional"]
    #[serde(rename = "bytes_out")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bytes_out: Option<i64>,
    #[doc = "Chunks\n\nThe total number of chunks transferred in both directions (sum of chunks_in and chunks_out).\n\noptional"]
    #[serde(rename = "chunks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub chunks: Option<i64>,
    #[doc = "Chunks In\n\nThe number of chunks sent from the destination to the source (inbound direction).\n\noptional"]
    #[serde(rename = "chunks_in")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub chunks_in: Option<i64>,
    #[doc = "Chunks Out\n\nThe number of chunks sent from the source to the destination (outbound direction).\n\noptional"]
    #[serde(rename = "chunks_out")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub chunks_out: Option<i64>,
    #[doc = "End Time\n\nThe end time of the observation or reporting period.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time of the observation or reporting period.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Total Packets\n\nThe total number of packets transferred in both directions (sum of packets_in and packets_out).\n\nrecommended"]
    #[serde(rename = "packets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub packets: Option<i64>,
    #[doc = "Packets In\n\nThe number of packets sent from the destination to the source (inbound direction).\n\noptional"]
    #[serde(rename = "packets_in")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub packets_in: Option<i64>,
    #[doc = "Packets Out\n\nThe number of packets sent from the source to the destination (outbound direction).\n\noptional"]
    #[serde(rename = "packets_out")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub packets_out: Option<i64>,
    #[doc = "Start Time\n\nThe start time of the observation or reporting period.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time of the observation or reporting period.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Time Span\n\nThe time span object representing the duration of the observation or reporting period.\n\noptional"]
    #[serde(rename = "timespan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timespan: Option<Box<Timespan>>,
}
#[doc = "Node\n\nRepresents a node or a vertex in a graph structure.\n\n[] Category:  | Name: node"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Node {
    #[doc = "Data\n\nAdditional data about the node stored as key-value pairs. Can include custom properties specific to the node.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Description\n\nA human-readable description of the node's purpose or meaning in the graph.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Name\n\nA human-readable name or label for the node. Should be descriptive and unique within the graph context.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Type\n\nCategorizes the node into a specific class or type. Useful for grouping and filtering nodes.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nA unique string or numeric identifier that distinguishes this node from all others in the graph. Must be unique across all nodes.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Object\n\nAn unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.\n\n[] Category:  | Name: object"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Object {}
#[doc = "Observable\n\nThe observable object is a pivot element that contains related information found in many places in the event.\n\n[] Category:  | Name: observable"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Observable {
    #[doc = "Event UID\n\nThe unique identifier (<code>metadata.uid</code>) of the source OCSF event from which this observable was extracted. This field enables linking observables back to their originating event data when observables are stored in a separate location or system.\n\noptional"]
    #[serde(rename = "event_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub event_uid: Option<String>,
    #[doc = "Name\n\nThe full name of the observable attribute. The <code>name</code> is a pointer/reference to an attribute within the OCSF event data. For example: <code>file.name</code>. Array attributes may be represented in one of three ways. For example: <code>resources.uid</code>, <code>resources[].uid</code>, <code>resources[0].uid</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Reputation Scores\n\nContains the original and normalized reputation scores.\n\noptional"]
    #[serde(rename = "reputation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reputation: Option<Box<Reputation>>,
    #[doc = "Type\n\nThe observable value type name.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe observable value type identifier.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Type ID\n\nThe OCSF event type UID (<code>type_uid</code>) of the source event that this observable was extracted from. This field enables filtering and categorizing observables by their originating event type. For example: <code>300101</code> for Network Activity (class_uid 3001) with activity_id 1.\n\noptional"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Value\n\nThe value associated with the observable attribute. The meaning of the value depends on the observable type.<br/>If the <code>name</code> refers to a scalar attribute, then the <code>value</code> is the value of the attribute.<br/>If the <code>name</code> refers to an object attribute, then the <code>value</code> is not populated.\n\noptional"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "Observation\n\nA record of an observed value or event that captures the timing and frequency of its occurrence. Used to track when values/events were first detected, last detected, and their total occurrence count.\n\n[] Category:  | Name: observation"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Observation {
    #[doc = "Count\n\nInteger representing the total number of times this specific value/event was observed across all occurrences. Helps establish prevalence and patterns.\n\nrecommended"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Time Span\n\nThe time window when the value or event was first observed. It is used to analyze activity patterns, detect trends, or correlate events within a specific timeframe.\n\nrecommended"]
    #[serde(rename = "timespan")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub timespan: Option<Box<Timespan>>,
    #[doc = "Value\n\nThe specific value, event, indicator or data point that was observed and recorded. This is the core piece of information being tracked.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
}
#[doc = "Occurrence Details\n\nDetails about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populated.\n\n[] Category:  | Name: occurrence_details\n\n**Constraints:**\n* at_least_one: `[cell_name`,`column_name`,`column_number`,`end_line`,`json_path`,`page_number`,`record_index_in_array`,`row_number`,`start_line]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct OccurrenceDetails {
    #[doc = "Cell Name\n\nThe cell name/reference in a spreadsheet. e.g <code>A2</code>\n\noptional"]
    #[serde(rename = "cell_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cell_name: Option<String>,
    #[doc = "Column Name\n\nThe column name in a spreadsheet, where the information was discovered.\n\noptional"]
    #[serde(rename = "column_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub column_name: Option<String>,
    #[doc = "Column Number\n\nThe column number in a spreadsheet or a plain text document, where the information was discovered.\n\noptional"]
    #[serde(rename = "column_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub column_number: Option<i64>,
    #[doc = "End Line\n\nThe line number of the last line of the file, where the information was discovered.\n\noptional"]
    #[serde(rename = "end_line")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_line: Option<i64>,
    #[doc = "JSON Path\n\nThe JSON path of the attribute in a json record, where the information was discovered\n\noptional"]
    #[serde(rename = "json_path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub json_path: Option<String>,
    #[doc = "Page Number\n\nThe page number in a document, where the information was discovered.\n\noptional"]
    #[serde(rename = "page_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub page_number: Option<i64>,
    #[doc = "Record Index in Array\n\nThe index of the record in the array of records, where the information was discovered. e.g. the index of a record in an array of JSON records in a file.\n\noptional"]
    #[serde(rename = "record_index_in_array")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub record_index_in_array: Option<i64>,
    #[doc = "Row Number\n\nThe row number in a spreadsheet, where the information was discovered.\n\noptional"]
    #[serde(rename = "row_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub row_number: Option<i64>,
    #[doc = "Start Line\n\nThe line number of the first line of the file, where the information was discovered.\n\noptional"]
    #[serde(rename = "start_line")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_line: Option<i64>,
}
#[doc = "Organization\n\nThe Organization object describes characteristics of an organization or company and its division if any. Additionally, it also describes cloud and Software-as-a-Service (SaaS) logical hierarchies such as AWS Organizations, Google Cloud Organizations, Oracle Cloud Tenancies, and similar constructs.\n\n[] Category:  | Name: organization\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Organization {
    #[doc = "Name\n\nThe name of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, <code> Widget, Inc. </code> or the <code> AWS Organization name </code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Org Unit Name\n\nThe name of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, the <code> GCP Project Name </code>, or <code> Dev_Prod_OU </code>.\n\nrecommended"]
    #[serde(rename = "ou_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ou_name: Option<String>,
    #[doc = "Org Unit ID\n\nThe unique identifier of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, an  <code> Oracle Cloud Tenancy ID </code>, <code> AWS OU ID </code>, or <code> GCP Folder ID </code>.\n\noptional"]
    #[serde(rename = "ou_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ou_uid: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, an <code> AWS Org ID </code> or <code> Oracle Cloud Domain ID </code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Operating System (OS)\n\nThe Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.\n\n[] Category:  | Name: os"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Os {
    #[doc = "OS Build\n\nThe operating system build number.\n\noptional"]
    #[serde(rename = "build")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub build: Option<String>,
    #[doc = "Country\n\nThe operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code).<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>\n\noptional"]
    #[serde(rename = "country")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub country: Option<String>,
    #[doc = "The product CPE identifier\n\nThe Common Platform Enumeration (CPE) name as described by (<a target='_blank' href='https://nvd.nist.gov/products/cpe'>NIST</a>) For example: <code>cpe:/a:apple:safari:16.2</code>.\n\noptional"]
    #[serde(rename = "cpe_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpe_name: Option<String>,
    #[doc = "CPU Bits\n\nThe cpu architecture, the number of bits used for addressing in memory. For example: <code>32</code> or <code>64</code>.\n\noptional"]
    #[serde(rename = "cpu_bits")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpu_bits: Option<i64>,
    #[doc = "OS Edition\n\nThe operating system edition. For example: <code>Professional</code>.\n\noptional"]
    #[serde(rename = "edition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub edition: Option<String>,
    #[doc = "Kernel Release\n\nThe kernel release of the operating system. On Unix-based systems, this is determined from the <code>uname -r</code> command output, for example \"5.15.0-122-generic\".\n\noptional"]
    #[serde(rename = "kernel_release")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kernel_release: Option<String>,
    #[doc = "Language\n\nThe two letter lower case language codes, as defined by <a target='_blank' href='https://en.wikipedia.org/wiki/ISO_639-1'>ISO 639-1</a>. For example: <code>en</code> (English), <code>de</code> (German), or <code>fr</code> (French).\n\noptional"]
    #[serde(rename = "lang")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub lang: Option<String>,
    #[doc = "Name\n\nThe operating system name.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "OS Service Pack\n\nThe name of the latest Service Pack.\n\noptional"]
    #[serde(rename = "sp_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sp_name: Option<String>,
    #[doc = "OS Service Pack Version\n\nThe version number of the latest Service Pack.\n\noptional"]
    #[serde(rename = "sp_ver")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sp_ver: Option<i64>,
    #[doc = "Type\n\nThe type of the operating system.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type identifier of the operating system.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Version\n\nThe version of the OS running on the device that originated the event. For example: \"Windows 10\", \"OS X 10.7\", or \"iOS 9\".\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "OSINT\n\nThe OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.\n\n[] Category:  | Name: osint"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Osint {
    #[doc = "Related DNS Answers\n\nAny pertinent DNS answers information related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "answers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub answers: Option<Vec<DnsAnswer>>,
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nMITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Autonomous System\n\nAny pertinent autonomous system information related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "autonomous_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub autonomous_system: Option<Box<AutonomousSystem>>,
    #[doc = "Campaign\n\nThe campaign object describes details about the campaign that was the source of the activity.\n\noptional"]
    #[serde(rename = "campaign")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub campaign: Option<Box<Campaign>>,
    #[doc = "Category\n\nCategorizes the threat indicator based on its functional or operational role.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Analyst Comments\n\nAnalyst commentary or source commentary about an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "comment")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub comment: Option<String>,
    #[doc = "Confidence\n\nThe confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.\n\noptional"]
    #[serde(rename = "confidence")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence: Option<String>,
    #[doc = "Confidence ID\n\nThe normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.\n\nrecommended"]
    #[serde(rename = "confidence_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub confidence_id: Option<i64>,
    #[doc = "Created Time\n\nThe timestamp when the indicator was initially created or identified.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe timestamp when the indicator was initially created or identified.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Creator\n\nThe identifier of the user, system, or organization that contributed the indicator.\n\noptional"]
    #[serde(rename = "creator")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub creator: Option<Box<User>>,
    #[doc = "Description\n\nA detailed explanation of the indicator, including its context, purpose, and relevance.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Detection Pattern\n\nThe specific detection pattern or signature associated with the indicator.\n\noptional"]
    #[serde(rename = "detection_pattern")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub detection_pattern: Option<String>,
    #[doc = "Detection Pattern\n\nThe detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "detection_pattern_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub detection_pattern_type: Option<String>,
    #[doc = "Detection Pattern Type ID\n\nSpecifies the type of detection pattern used to identify the associated threat indicator.\n\noptional"]
    #[serde(rename = "detection_pattern_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub detection_pattern_type_id: Option<i64>,
    #[doc = "Related Email\n\nAny email information pertinent to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "email")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email: Option<Box<Email>>,
    #[doc = "Related Email Authentication\n\nAny email authentication information pertinent to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "email_auth")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_auth: Option<Box<EmailAuth>>,
    #[doc = "Expiration Time\n\nThe expiration date of the indicator, after which it is no longer considered reliable.\n\noptional"]
    #[serde(rename = "expiration_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time: Option<i64>,
    #[doc = "Expiration Time\n\nThe expiration date of the indicator, after which it is no longer considered reliable.\n\noptional"]
    #[serde(rename = "expiration_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time_dt: Option<String>,
    #[doc = "External ID\n\nA unique identifier assigned by an external system for cross-referencing.\n\noptional"]
    #[serde(rename = "external_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub external_uid: Option<String>,
    #[doc = "Related File\n\nAny pertinent file information related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Intrusion Sets\n\nA grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.\n\noptional"]
    #[serde(rename = "intrusion_sets")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub intrusion_sets: Option<Vec<String>>,
    #[doc = "Kill Chain\n\nLockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "kill_chain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kill_chain: Option<Vec<KillChainPhase>>,
    #[doc = "Labels\n\nTags or keywords associated with the indicator to enhance searchability.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Geo Location\n\nAny pertinent geolocation information related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "Malware\n\nA list of Malware objects, describing details about the identified malware.\n\noptional"]
    #[serde(rename = "malware")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub malware: Option<Vec<Malware>>,
    #[doc = "Modified Time\n\nThe timestamp of the last modification or update to the indicator.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe timestamp of the last modification or update to the indicator.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe <code>name</code> is a pointer/reference to an attribute within the OCSF event data. For example: file.name.\n\noptional"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "References\n\nProvides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI.\n\noptional"]
    #[serde(rename = "references")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub references: Option<Vec<String>>,
    #[doc = "Related Analytics\n\nAny analytics related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "related_analytics")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_analytics: Option<Vec<Analytic>>,
    #[doc = "Reputation Scores\n\nRelated reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "reputation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reputation: Option<Box<Reputation>>,
    #[doc = "Risk Score\n\nA numerical representation of the threat indicator’s risk level.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Related Script Data\n\nAny pertinent script information related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "script")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub script: Option<Box<Script>>,
    #[doc = "Severity\n\nRepresents the severity level of the threat indicator, typically reflecting its potential impact or damage.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\nThe normalized severity level of the threat indicator, typically reflecting its potential impact or damage.\n\noptional"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Related Digital Signatures\n\nAny digital signatures or hashes related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "signatures")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub signatures: Option<Vec<DigitalSignature>>,
    #[doc = "Source URL\n\nThe source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Related Subdomains\n\nAny pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "subdomains")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subdomains: Option<Vec<String>>,
    #[doc = "Related Subnet\n\nA CIDR or network block related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "subnet")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subnet: Option<String>,
    #[doc = "Threat Actor\n\nA threat actor is an individual or group that conducts malicious cyber activities, often with financial, political, or ideological motives.\n\noptional"]
    #[serde(rename = "threat_actor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub threat_actor: Option<Box<ThreatActor>>,
    #[doc = "Traffic Light Protocol\n\nThe <a target='_blank' href='https://www.first.org/tlp/'>Traffic Light Protocol</a> was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.\n\nrecommended"]
    #[serde(rename = "tlp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tlp: Option<String>,
    #[doc = "Type\n\nThe OSINT indicator type.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Indicator Type ID\n\nThe OSINT indicator type ID.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier for the OSINT object.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Uploaded Time\n\nThe timestamp indicating when the associated indicator or intelligence was added to the system or repository.\n\noptional"]
    #[serde(rename = "uploaded_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uploaded_time: Option<i64>,
    #[doc = "Uploaded Time\n\nThe timestamp indicating when the associated indicator or intelligence was added to the system or repository.\n\noptional"]
    #[serde(rename = "uploaded_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uploaded_time_dt: Option<String>,
    #[doc = "Indicator\n\nThe actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.\n\nrequired"]
    #[serde(rename = "value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub value: Option<String>,
    #[doc = "Vendor Name\n\nThe vendor name of a tool which generates intelligence or provides indicators.\n\noptional"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
    #[doc = "Related Vulnerabilities\n\nAny vulnerabilities related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "vulnerabilities")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vulnerabilities: Option<Vec<Vulnerability>>,
    #[doc = "WHOIS\n\nAny pertinent WHOIS information related to an indicator or OSINT analysis.\n\noptional"]
    #[serde(rename = "whois")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub whois: Option<Box<Whois>>,
}
#[doc = "Software Package\n\nThe Software Package object describes details about a software package.\n\n[] Category:  | Name: package"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Package {
    #[doc = "Architecture\n\nArchitecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on.\n\nrecommended"]
    #[serde(rename = "architecture")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub architecture: Option<String>,
    #[doc = "The product CPE identifier\n\nThe Common Platform Enumeration (CPE) name as described by (<a target='_blank' href='https://nvd.nist.gov/products/cpe'>NIST</a>) For example: <code>cpe:/a:apple:safari:16.2</code>.\n\noptional"]
    #[serde(rename = "cpe_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpe_name: Option<String>,
    #[doc = "Epoch\n\nThe software package epoch. Epoch is a way to define weighted dependencies based on version numbers.\n\noptional"]
    #[serde(rename = "epoch")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub epoch: Option<i64>,
    #[doc = "Hash\n\nCryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.\n\noptional"]
    #[serde(rename = "hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hash: Option<Box<Fingerprint>>,
    #[doc = "Software License\n\nThe software license applied to this package.\n\noptional"]
    #[serde(rename = "license")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub license: Option<String>,
    #[doc = "Software License URL\n\nThe URL pointing to the license applied on package or software. This is typically a <code>LICENSE.md</code> file within a repository.\n\noptional"]
    #[serde(rename = "license_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub license_url: Option<String>,
    #[doc = "Name\n\nThe software package name.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Package Manager\n\nThe software packager manager utilized to manage a package on a system, e.g. npm, yum, dpkg etc.\n\noptional"]
    #[serde(rename = "package_manager")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub package_manager: Option<String>,
    #[doc = "Package Manager URL\n\nThe URL of the package or library at the package manager, or the specific URL or URI of an internal package manager link such as <code>AWS CodeArtifact</code> or <code>Artifactory</code>.\n\noptional"]
    #[serde(rename = "package_manager_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub package_manager_url: Option<String>,
    #[doc = "Package URL\n\nA purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.\n\noptional"]
    #[serde(rename = "purl")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub purl: Option<String>,
    #[doc = "Software Release Details\n\nRelease is the number of times a version of the software has been packaged.\n\noptional"]
    #[serde(rename = "release")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub release: Option<String>,
    #[doc = "Source URL\n\nThe link to the specific library or package such as within <code>GitHub</code>, this is different from the link to the package manager where the library or package is hosted.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Type\n\nThe type of software package, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type of software package.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Package UID\n\nA unique identifier for the package or library reported by the source tool. E.g., the <code>libId</code> within the <code>sbom</code> field of an OX Security Issue or the SPDX <code>components.*.bom-ref</code>.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Vendor Name\n\nThe name of the vendor who published the software package.\n\noptional"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
    #[doc = "Version\n\nThe software package version.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Parameter\n\nThe Parameter object provides details regarding a parameter of a a function.\n\n[] Category:  | Name: parameter\n\n**Constraints:**\n* at_least_one: `[name`,`pre_value`,`post_value]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Parameter {
    #[doc = "Name\n\nThe parameter name.\n\noptional"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Post-Value\n\nThe parameter value after function execution.\n\noptional"]
    #[serde(rename = "post_value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub post_value: Option<String>,
    #[doc = "Pre-Value\n\nThe parameter value before function execution.\n\noptional"]
    #[serde(rename = "pre_value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pre_value: Option<String>,
}
#[doc = "Peripheral Device\n\nThe peripheral device object describes the properties of external, connectable, and detachable hardware.\n\n[] Category:  | Name: peripheral_device\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct PeripheralDevice {
    #[doc = "Class\n\nThe class of the peripheral device.\n\noptional"]
    #[serde(rename = "class")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub class: Option<String>,
    #[doc = "Model\n\nThe peripheral device model.\n\nrecommended"]
    #[serde(rename = "model")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub model: Option<String>,
    #[doc = "Name\n\nThe name of the peripheral device.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Serial Number\n\nThe peripheral device serial number.\n\nrecommended"]
    #[serde(rename = "serial_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub serial_number: Option<String>,
    #[doc = "Peripheral Device Type\n\nThe Peripheral Device type, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Peripheral Device Type ID\n\nThe normalized peripheral device type ID.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the peripheral device.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Vendor ID List\n\nThe list of vendor IDs for the peripheral device.\n\nrecommended"]
    #[serde(rename = "vendor_id_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_id_list: Option<Vec<String>>,
    #[doc = "Vendor Name\n\nThe primary vendor name for the peripheral device.\n\nrecommended"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
}
#[doc = "Permission Analysis Result\n\nThe Permission Analysis object describes analysis results of permissions, policies directly associated with an identity (user, role, or service account). This evaluates what permissions an identity has been granted through attached policies, which privileges are actively used versus unused, and identifies potential over-privileged access. Use this for identity-centric security assessments such as privilege audits, dormant permission discovery, and least-privilege compliance analysis.\n\n[] Category:  | Name: permission_analysis_result"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct PermissionAnalysisResult {
    #[doc = "Condition Keys\n\nThe condition keys and their values that were evaluated during policy analysis, including contextual constraints that affect permission grants. These conditions define when and how permissions are applied. Examples: <code>aws:SourceIp:1.2.3.4</code>, <code>aws:RequestedRegion:us-east-1</code>.\n\noptional"]
    #[serde(rename = "condition_keys")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub condition_keys: Option<Vec<KeyValueObject>>,
    #[doc = "Granted Privileges\n\nThe specific privileges, actions, or permissions that are explicitly granted by the analyzed policy. Examples: AWS actions like <code>s3:GetObject</code>, <code>ec2:RunInstances</code>, <code>iam:CreateUser</code>; Azure actions like <code>Microsoft.Storage/storageAccounts/read</code>; or GCP permissions like <code>storage.objects.get</code>.\n\noptional"]
    #[serde(rename = "granted_privileges")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub granted_privileges: Option<Vec<String>>,
    #[doc = "Policy\n\nDetailed information about the policy document that was analyzed, including policy metadata, version, type (identity-based, resource-based, etc.), and structural details. This provides context for understanding the scope and nature of the permission analysis.\n\nrecommended"]
    #[serde(rename = "policy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub policy: Option<Box<Policy>>,
    #[doc = "Unused Privileges Count\n\nThe total count of privileges or actions defined in the policy that have not been utilized within the analysis timeframe. This metric helps identify over-privileged access and opportunities for privilege reduction to follow the principle of least privilege. High counts may indicate policy bloat or excessive permissions.\n\noptional"]
    #[serde(rename = "unused_privileges_count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unused_privileges_count: Option<i64>,
    #[doc = "Unused Services Count\n\nThe total count of cloud services or resource types referenced in the policy that have not been accessed or utilized within the analysis timeframe. This helps identify unused service permissions that could be removed to reduce attack surface. Examples: AWS services like S3, SQS, IAM, Lambda; Azure services like Storage, Compute, KeyVault; or GCP services like Cloud Storage, Compute Engine, BigQuery.\n\noptional"]
    #[serde(rename = "unused_services_count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unused_services_count: Option<i64>,
}
#[doc = "Policy\n\nThe Policy object describes the policies that are applicable. <p>Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.</p>\n\n[] Category:  | Name: policy\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Policy {
    #[doc = "Data\n\nAdditional data about the policy such as the underlying JSON policy itself or other details.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Description\n\nThe description of the policy.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Group\n\nThe policy group.\n\noptional"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Applied\n\nA determination if the content of a policy was applied to a target or request, or not.\n\nrecommended"]
    #[serde(rename = "is_applied")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_applied: Option<bool>,
    #[doc = "Name\n\nThe policy name. For example: <code>AdministratorAccess Policy</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Type\n\nThe policy type. For example: <code>Identity Policy, Resource Policy, Service Control Policy, etc./code>.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nA unique identifier of the policy instance.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe policy version number.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Port Information\n\nThe Port Information object describes a port and its associated protocol details.\n\n[] Category:  | Name: port_info"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct PortInfo {
    #[doc = "Port\n\nThe port number. For example: <code>80</code>, <code>443</code>, <code>22</code>.\n\nrequired"]
    #[serde(rename = "port")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub port: Option<i64>,
    #[doc = "Protocol Name\n\nThe IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). For example: <code>tcp</code> or <code>udp</code>.\n\nrecommended"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "Protocol Number\n\nThe IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). For example: <code>6</code> for TCP and <code>17</code> for UDP.\n\noptional"]
    #[serde(rename = "protocol_num")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_num: Option<i64>,
}
#[doc = "Process\n\nExtends the process object to add Windows specific fields.\n\n[] Category:  | Name: process\n\n**Constraints:**\n* at_least_one: `[pid`,`uid`,`cpid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Process {
    #[doc = "Ancestry\n\nAn array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the <code>parent_process</code> attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy. That is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object.\n\noptional"]
    #[serde(rename = "ancestry")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ancestry: Option<Vec<ProcessEntity>>,
    #[doc = "Audit User ID\n\nThe audit user assigned at login by the audit subsystem.\n\noptional"]
    #[serde(rename = "auid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auid: Option<i64>,
    #[doc = "Command Line\n\nThe full command line used to launch an application, service, process, or job. For example: <code>ssh user@10.0.0.10</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used.\n\nrecommended"]
    #[serde(rename = "cmd_line")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cmd_line: Option<String>,
    #[doc = "Container\n\nThe information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.\n\nrecommended"]
    #[serde(rename = "container")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub container: Option<Box<Container>>,
    #[doc = "Common Process Identifier\n\nA unique process identifier that can be assigned deterministically by multiple system data producers.\n\nrecommended"]
    #[serde(rename = "cpid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpid: Option<String>,
    #[doc = "Created Time\n\nThe time when the process was created/started.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the process was created/started.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Effective Group ID\n\nThe effective group under which this process is running.\n\noptional"]
    #[serde(rename = "egid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub egid: Option<i64>,
    #[doc = "Environment Variables\n\nEnvironment variables associated with the process.\n\noptional"]
    #[serde(rename = "environment_variables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub environment_variables: Option<Vec<EnvironmentVariable>>,
    #[doc = "Effective User ID\n\nThe effective user under which this process is running.\n\noptional"]
    #[serde(rename = "euid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub euid: Option<i64>,
    #[doc = "File\n\nThe process file object.\n\nrecommended"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Group\n\nThe group under which this process is running.\n\nrecommended"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Hosted Services\n\nThe Windows services that this process is hosting.\n\noptional"]
    #[serde(rename = "hosted_services")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hosted_services: Option<Vec<WinWinService>>,
    #[doc = "Integrity\n\nThe process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).\n\noptional"]
    #[serde(rename = "integrity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub integrity: Option<String>,
    #[doc = "Integrity Level\n\nThe normalized identifier of the process integrity level (Windows only).\n\noptional"]
    #[serde(rename = "integrity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub integrity_id: Option<i64>,
    #[doc = "Lineage\n\nThe lineage of the process, represented by a list of paths for each ancestor process. For example: <code>['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']</code>.\n\noptional"]
    #[serde(rename = "lineage")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub lineage: Option<Vec<String>>,
    #[doc = "Loaded Modules\n\nThe list of loaded module names.\n\noptional"]
    #[serde(rename = "loaded_modules")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub loaded_modules: Option<Vec<String>>,
    #[doc = "Name\n\nThe friendly name of the process, for example: <code>Notepad++</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Namespace PID\n\nIf running under a process namespace (such as in a container), the process identifier within that process namespace.\n\nrecommended"]
    #[serde(rename = "namespace_pid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub namespace_pid: Option<i64>,
    #[doc = "Parent Process\n\nThe parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the <code>ancestry</code> attribute.\n\nrecommended"]
    #[serde(rename = "parent_process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub parent_process: Option<Box<Process>>,
    #[doc = "Path\n\nThe process file path.\n\noptional"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Process ID\n\nThe process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.\n\nrecommended"]
    #[serde(rename = "pid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pid: Option<i64>,
    #[doc = "Process Thread ID\n\nThe identifier of the process thread associated with the event, as returned by the operating system.\n\noptional"]
    #[serde(rename = "ptid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ptid: Option<i64>,
    #[doc = "Sandbox\n\nThe name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.\n\noptional"]
    #[serde(rename = "sandbox")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sandbox: Option<String>,
    #[doc = "Session\n\nThe user session under which this process is running.\n\noptional"]
    #[serde(rename = "session")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<Box<Session>>,
    #[doc = "Terminated Time\n\nThe time when the process was terminated.\n\noptional"]
    #[serde(rename = "terminated_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub terminated_time: Option<i64>,
    #[doc = "Terminated Time\n\nThe time when the process was terminated.\n\noptional"]
    #[serde(rename = "terminated_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub terminated_time_dt: Option<String>,
    #[doc = "Thread ID\n\nThe identifier of the thread associated with the event, as returned by the operating system.\n\noptional"]
    #[serde(rename = "tid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tid: Option<i64>,
    #[doc = "Unique ID\n\nA unique identifier for this process assigned by the producer (tool).  Facilitates correlation of a process event with other events for that process.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "User\n\nThe user under which this process is running.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
    #[doc = "Working Directory\n\nThe working directory of a process.\n\noptional"]
    #[serde(rename = "working_directory")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub working_directory: Option<String>,
    #[doc = "Extended Attributes\n\nAn unordered collection of zero or more name/value pairs that represent a process extended attribute.\n\noptional"]
    #[serde(rename = "xattributes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub xattributes: Option<serde_json::Value>,
}
#[doc = "Process Entity\n\nThe Process Entity object provides critical fields for referencing a process.\n\n[] Category:  | Name: process_entity\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ProcessEntity {
    #[doc = "Command Line\n\nThe full command line used to launch an application, service, process, or job. For example: <code>ssh user@10.0.0.10</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used.\n\nrecommended"]
    #[serde(rename = "cmd_line")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cmd_line: Option<String>,
    #[doc = "Common Process Identifier\n\nA unique process identifier that can be assigned deterministically by multiple system data producers.\n\nrecommended"]
    #[serde(rename = "cpid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpid: Option<String>,
    #[doc = "Created Time\n\nThe time when the process was created/started.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the process was created/started.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Name\n\nThe friendly name of the process, for example: <code>Notepad++</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Path\n\nThe process file path.\n\noptional"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Process ID\n\nThe process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.\n\nrecommended"]
    #[serde(rename = "pid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pid: Option<i64>,
    #[doc = "Unique ID\n\nA unique identifier for this process assigned by the producer (tool).  Facilitates correlation of a process event with other events for that process.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Product\n\nThe Product object describes characteristics of a software product.\n\n[] Category:  | Name: product\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Product {
    #[doc = "The product CPE identifier\n\nThe Common Platform Enumeration (CPE) name as described by (<a target='_blank' href='https://nvd.nist.gov/products/cpe'>NIST</a>) For example: <code>cpe:/a:apple:safari:16.2</code>.\n\noptional"]
    #[serde(rename = "cpe_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cpe_name: Option<String>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Feature\n\nThe feature that reported the event.\n\noptional"]
    #[serde(rename = "feature")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub feature: Option<Box<Feature>>,
    #[doc = "Language\n\nThe two letter lower case language codes, as defined by <a target='_blank' href='https://en.wikipedia.org/wiki/ISO_639-1'>ISO 639-1</a>. For example: <code>en</code> (English), <code>de</code> (German), or <code>fr</code> (French).\n\noptional"]
    #[serde(rename = "lang")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub lang: Option<String>,
    #[doc = "Name\n\nThe name of the product.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Path\n\nThe installation path of the product.\n\noptional"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the product.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "URL String\n\nThe URL pointing towards the product.\n\noptional"]
    #[serde(rename = "url_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url_string: Option<String>,
    #[doc = "Vendor Name\n\nThe name of the vendor of the product.\n\nrecommended"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
    #[doc = "Version\n\nThe version of the product, as defined by the event source. For example: <code>2013.1.3-beta</code>.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Programmatic Credential\n\nThe Programmatic Credential object describes service-specific credentials used for direct API access and system integration. These credentials are typically issued by individual services or platforms for accessing their APIs and resources, focusing on credential lifecycle management and usage tracking. Examples include API keys, service account keys, client certificates, and vendor-specific access tokens.\n\n[] Category:  | Name: programmatic_credential"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ProgrammaticCredential {
    #[doc = "Last Used Time\n\nThe timestamp when this programmatic credential was last used for authentication or API access. This helps track credential usage patterns, identify dormant credentials that may pose security risks, and support credential lifecycle management. The timestamp should reflect the most recent successful authentication or API call using this credential.\n\noptional"]
    #[serde(rename = "last_used_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_used_time: Option<i64>,
    #[doc = "Last Used Time\n\nThe timestamp when this programmatic credential was last used for authentication or API access. This helps track credential usage patterns, identify dormant credentials that may pose security risks, and support credential lifecycle management. The timestamp should reflect the most recent successful authentication or API call using this credential.\n\noptional"]
    #[serde(rename = "last_used_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_used_time_dt: Option<String>,
    #[doc = "Type\n\nThe type or category of programmatic credential, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source. Examples include 'API Key', 'Service Account Key', 'Access Token', 'Client Certificate', 'OAuth Token', 'Personal Access Token', etc.\n\nrecommended"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the programmatic credential. This could be an API key ID, service account key ID, access token identifier, certificate serial number, or other unique identifier that distinguishes this credential from others. Examples: AWS Access Key ID, GCP Service Account Key ID, Azure Application ID, or OAuth2 token identifier.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Query Evidence\n\nThe resulting evidence information that was queried.\n\n[] Category:  | Name: query_evidence\n\n**Constraints:**\n* just_one: `[connection_info`,`file`,`folder`,`group`,`job`,`kernel`,`module`,`network_interfaces`,`peripheral_device`,`process`,`reg_key`,`reg_value`,`service`,`session`,`startup_item`,`user]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct QueryEvidence {
    #[doc = "Connection Info\n\nThe network connection information related to a Network Connection query type.\n\nrecommended"]
    #[serde(rename = "connection_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    #[doc = "File\n\nThe file that is the target of the query when query_type_id indicates a File query.\n\nrecommended"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Folder\n\nThe folder that is the target of the query when query_type_id indicates a Folder query.\n\nrecommended"]
    #[serde(rename = "folder")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub folder: Option<Box<File>>,
    #[doc = "Group\n\nThe administrative group that is the target of the query when query_type_id indicates an Admin Group query.\n\nrecommended"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Job\n\nThe job object that pertains to the event when query_type_id indicates a Job query.\n\nrecommended"]
    #[serde(rename = "job")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub job: Option<Box<Job>>,
    #[doc = "Kernel\n\nThe kernel object that pertains to the event when query_type_id indicates a Kernel query.\n\nrecommended"]
    #[serde(rename = "kernel")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kernel: Option<Box<Kernel>>,
    #[doc = "Module\n\nThe module that pertains to the event when query_type_id indicates a Module query.\n\nrecommended"]
    #[serde(rename = "module")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub module: Option<Box<Module>>,
    #[doc = "Network Interfaces\n\nThe physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query.\n\nrecommended"]
    #[serde(rename = "network_interfaces")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub network_interfaces: Option<Vec<NetworkInterface>>,
    #[doc = "Peripheral Device\n\nThe peripheral device that triggered the event when query_type_id indicates a Peripheral Device query.\n\nrecommended"]
    #[serde(rename = "peripheral_device")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub peripheral_device: Option<Box<PeripheralDevice>>,
    #[doc = "Process\n\nThe process that pertains to the event when query_type_id indicates a Process query.\n\nrecommended"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Query Type\n\nThe normalized caption of query_type_id or the source-specific query type.\n\noptional"]
    #[serde(rename = "query_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_type: Option<String>,
    #[doc = "Query Type ID\n\nThe normalized type of system query performed against a device or system component.\n\nrequired"]
    #[serde(rename = "query_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_type_id: Option<i64>,
    #[doc = "Registry Key\n\nThe registry key object describes a Windows registry key.\n\nrecommended"]
    #[serde(rename = "reg_key")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_key: Option<Box<WinRegKey>>,
    #[doc = "Registry Value\n\nThe registry key object describes a Windows registry value.\n\nrecommended"]
    #[serde(rename = "reg_value")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_value: Option<Box<WinRegValue>>,
    #[doc = "Service\n\nThe service that pertains to the event when query_type_id indicates a Service query.\n\nrecommended"]
    #[serde(rename = "service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service: Option<Box<Service>>,
    #[doc = "Session\n\nThe authenticated user or service session when query_type_id indicates a Session query.\n\nrecommended"]
    #[serde(rename = "session")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub session: Option<Box<Session>>,
    #[doc = "Startup Item\n\nThe startup item object that pertains to the event when query_type_id indicates a Startup Item query.\n\nrecommended"]
    #[serde(rename = "startup_item")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub startup_item: Option<Box<StartupItem>>,
    #[doc = "Network Connection State\n\nThe state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "TCP State ID\n\nThe state of the TCP socket for the network connection.\n\noptional"]
    #[serde(rename = "tcp_state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tcp_state_id: Option<i64>,
    #[doc = "User\n\nThe user that pertains to the event when query_type_id indicates a User query.\n\nrecommended"]
    #[serde(rename = "user")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<Box<User>>,
    #[doc = "Users\n\nThe users that belong to the administrative group when query_type_id indicates a Users query.\n\noptional"]
    #[serde(rename = "users")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub users: Option<Vec<User>>,
}
#[doc = "Query Information\n\nThe query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a query must be written using a specific syntax.\n\n[] Category:  | Name: query_info\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct QueryInfo {
    #[doc = "Total Bytes\n\nThe size of the data returned from the query.\n\noptional"]
    #[serde(rename = "bytes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub bytes: Option<i64>,
    #[doc = "Data\n\nThe data returned from the query execution.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Name\n\nThe query name for a saved or scheduled query.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Query String\n\nA string representing the query code being run. For example: <code>SELECT * FROM my_table</code>\n\nrequired"]
    #[serde(rename = "query_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_string: Option<String>,
    #[doc = "Query Time\n\nThe time when the query was run.\n\noptional"]
    #[serde(rename = "query_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_time: Option<i64>,
    #[doc = "Query Time\n\nThe time when the query was run.\n\noptional"]
    #[serde(rename = "query_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_time_dt: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the query.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Related Event/Finding\n\nThe Related Event object describes an event or another finding related to a finding. It may or may not be an OCSF event.\n\n[] Category:  | Name: related_event"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct RelatedEvent {
    #[doc = "MITRE ATT&CK® and ATLAS™ Details\n\nAn array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.\n\noptional"]
    #[serde(rename = "attacks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub attacks: Option<Vec<Attack>>,
    #[doc = "Count\n\nThe number of times that activity in the same logical group occurred, as reported by the related Finding.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Created Time\n\nThe time when the related event/finding was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the related event/finding was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Description\n\nA description of the related event/finding.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "First Seen\n\nThe time when the finding was first observed. e.g. The time when a vulnerability was first observed.<br>It can differ from the <code>created_time</code> timestamp, which reflects the time this finding was created.\n\noptional"]
    #[serde(rename = "first_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time: Option<i64>,
    #[doc = "First Seen\n\nThe time when the finding was first observed. e.g. The time when a vulnerability was first observed.<br>It can differ from the <code>created_time</code> timestamp, which reflects the time this finding was created.\n\noptional"]
    #[serde(rename = "first_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time_dt: Option<String>,
    #[doc = "Kill Chain\n\nThe <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a> provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.\n\noptional"]
    #[serde(rename = "kill_chain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kill_chain: Option<Vec<KillChainPhase>>,
    #[doc = "Last Seen\n\nThe time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.<br>It can differ from the <code>modified_time</code> timestamp, which reflects the time this finding was last modified.\n\noptional"]
    #[serde(rename = "last_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time: Option<i64>,
    #[doc = "Last Seen\n\nThe time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.<br>It can differ from the <code>modified_time</code> timestamp, which reflects the time this finding was last modified.\n\noptional"]
    #[serde(rename = "last_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time_dt: Option<String>,
    #[doc = "Modified Time\n\nThe time when the related event/finding was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the related event/finding was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Observables\n\nThe observables associated with the event or a finding.\n\noptional"]
    #[serde(rename = "observables")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub observables: Option<Vec<Observable>>,
    #[doc = "Product\n\nDetails about the product that reported the related event/finding.\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Product Identifier\n\nThe unique identifier of the product that reported the related event.\n\noptional"]
    #[serde(rename = "product_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product_uid: Option<String>,
    #[doc = "Severity\n\nThe event/finding severity, normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\n<p>The normalized identifier of the event/finding severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.\n\nrecommended"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
    #[doc = "Status\n\nThe related event status. Should correspond to the label of the status_id (or 'Other' status value for status_id = 99) of the related event.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated with the related event/finding.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Title\n\nA title or a brief phrase summarizing the related event/finding.\n\noptional"]
    #[serde(rename = "title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub title: Option<String>,
    #[doc = "Traits\n\nThe list of key traits or characteristics extracted from the related event/finding that influenced or contributed to the overall finding's outcome.\n\noptional"]
    #[serde(rename = "traits")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub traits: Option<Vec<Trait>>,
    #[doc = "Type\n\nThe type of the related event/finding.</p>Populate if the related event/finding is <code>NOT</code> in OCSF. If it is in OCSF, then utilize <code>type_name, type_uid</code> instead.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type Name\n\nThe type of the related OCSF event, as defined by <code>type_uid</code>.<p>For example: <code>Process Activity: Launch.</code></p>Populate if the related event/finding is in OCSF.\n\noptional"]
    #[serde(rename = "type_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_name: Option<String>,
    #[doc = "Type ID\n\nThe unique identifier of the related OCSF event type. <p>For example: <code>100701.</code></p>Populate if the related event/finding is in OCSF.\n\nrecommended"]
    #[serde(rename = "type_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_uid: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the related event/finding.</p> If the related event/finding is in OCSF, then this value must be equal to <code>metadata.uid</code> in the corresponding event.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Remediation\n\nThe Remediation object describes the recommended remediation steps to address identified issue(s).\n\n[] Category:  | Name: remediation"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Remediation {
    #[doc = "CIS Controls\n\nAn array of Center for Internet Security (CIS) Controls that can be optionally mapped to provide additional remediation details.\n\noptional"]
    #[serde(rename = "cis_controls")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cis_controls: Option<Vec<CisControl>>,
    #[doc = "Description\n\nThe description of the remediation strategy.\n\nrequired"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Knowledgebase Articles\n\nA list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.\n\noptional"]
    #[serde(rename = "kb_article_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kb_article_list: Option<Vec<KbArticle>>,
    #[doc = "Knowledgebase Articles\n\nThe KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.\n\noptional"]
    #[serde(rename = "kb_articles")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kb_articles: Option<Vec<String>>,
    #[doc = "References\n\nA list of supporting URL/s, references that help describe the remediation strategy.\n\noptional"]
    #[serde(rename = "references")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub references: Option<Vec<String>>,
}
#[doc = "Reporter\n\nThe entity from which an event or finding was reported.\n\n[] Category:  | Name: reporter\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Reporter {
    #[doc = "Hostname\n\nThe hostname of the entity from which the event or finding was reported.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "IP Address\n\nThe IP address of the entity from which the event or finding was reported.\n\nrecommended"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "Name\n\nThe name of the entity from which the event or finding was reported.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Organization\n\nThe organization properties of the entity that reported the event or finding.\n\noptional"]
    #[serde(rename = "org")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub org: Option<Box<Organization>>,
    #[doc = "Unique ID\n\nThe unique identifier of the entity from which the event or finding was reported.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Reputation\n\nThe Reputation object describes the reputation/risk score of an entity (e.g. device, user, domain).\n\n[] Category:  | Name: reputation"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Reputation {
    #[doc = "Reputation Score\n\nThe reputation score as reported by the event source.\n\nrequired"]
    #[serde(rename = "base_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub base_score: Option<f64>,
    #[doc = "Provider\n\nThe provider of the reputation information.\n\nrecommended"]
    #[serde(rename = "provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub provider: Option<String>,
    #[doc = "Reputation Score\n\nThe reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub score: Option<String>,
    #[doc = "Reputation Score ID\n\nThe normalized reputation score identifier.\n\nrequired"]
    #[serde(rename = "score_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub score_id: Option<i64>,
}
#[doc = "Request Elements\n\nThe Request Elements object describes characteristics of an API request.\n\n[] Category:  | Name: request"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Request {
    #[doc = "Containers\n\nWhen working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.\n\noptional"]
    #[serde(rename = "containers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub containers: Option<Vec<Container>>,
    #[doc = "Data\n\nThe additional data that is associated with the api request.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Flags\n\nThe communication flags that are associated with the api request.\n\noptional"]
    #[serde(rename = "flags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub flags: Option<Vec<String>>,
    #[doc = "Unique ID\n\nThe unique request identifier.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Resource Details\n\nThe Resource Details object describes details about resources that were affected by the activity/event.\n\n[] Category:  | Name: resource_details\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ResourceDetails {
    #[doc = "Agent List\n\nA list of <code>agent</code> objects associated with a device, endpoint, or resource.\n\noptional"]
    #[serde(rename = "agent_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub agent_list: Option<Vec<Agent>>,
    #[doc = "Cloud Partition\n\nThe logical grouping or isolated segment within a cloud provider's infrastructure where the resource is located. Examples include AWS partitions (aws, aws-cn, aws-us-gov), Azure cloud environments (AzureCloud, AzureUSGovernment, AzureChinaCloud), or similar logical divisions in other cloud providers.\n\noptional"]
    #[serde(rename = "cloud_partition")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cloud_partition: Option<String>,
    #[doc = "Created Time\n\nThe time when the resource was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the resource was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Criticality\n\nThe criticality of the resource as defined by the event source.\n\noptional"]
    #[serde(rename = "criticality")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub criticality: Option<String>,
    #[doc = "Data\n\nAdditional data describing the resource.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Group\n\nThe name of the related resource group.\n\noptional"]
    #[serde(rename = "group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub group: Option<Box<Group>>,
    #[doc = "Hostname\n\nThe fully qualified name of the resource.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "IP Address\n\nThe IP address of the resource, in either IPv4 or IPv6 format.\n\nrecommended"]
    #[serde(rename = "ip")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ip: Option<String>,
    #[doc = "Back Ups Configured\n\nIndicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the <code>cloudBackupEnabled</code> value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.\n\noptional"]
    #[serde(rename = "is_backed_up")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_backed_up: Option<bool>,
    #[doc = "Labels\n\nThe list of labels associated to the resource.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Modified Time\n\nThe time when the resource was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the resource was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe name of the resource.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Namespace\n\nThe namespace is useful when similar entities exist that you need to keep separate.\n\noptional"]
    #[serde(rename = "namespace")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub namespace: Option<String>,
    #[doc = "Owner\n\nThe details of the entity that owns the resource. This object includes properties such as the owner's name, unique identifier, type, domain, and other relevant attributes that help identify the resource owner within the environment.\n\nrecommended"]
    #[serde(rename = "owner")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub owner: Option<Box<User>>,
    #[doc = "Region\n\nThe cloud region where the resource is hosted, as defined by the cloud provider. This represents the physical or logical geographic area containing the infrastructure supporting the resource. Examples include AWS regions (us-east-1, eu-west-1), Azure regions (East US, West Europe), GCP regions (us-central1, europe-west1), or Oracle Cloud regions (us-ashburn-1, uk-london-1).\n\noptional"]
    #[serde(rename = "region")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    #[doc = "Resource Relationship\n\nA graph representation showing how this resource relates to and interacts with other entities in the environment. This can include parent/child relationships, dependencies, or other connections.\n\noptional"]
    #[serde(rename = "resource_relationship")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource_relationship: Option<Box<Graph>>,
    #[doc = "Role\n\nThe role of the resource in the context of the event or finding, normalized to the caption of the role_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "role")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub role: Option<String>,
    #[doc = "Role ID\n\nThe normalized identifier of the resource's role in the context of the event or finding.\n\nrecommended"]
    #[serde(rename = "role_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub role_id: Option<i64>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the resource.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Type\n\nThe resource type as defined by the event source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the resource.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nThe alternative unique identifier of the resource.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "Version\n\nThe version of the resource. For example <code>1.2.3</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
    #[doc = "Cloud Availability Zone\n\nThe availability zone within a cloud region where the resource is located. Examples include AWS availability zones (us-east-1a, us-east-1b), Azure availability zones (1, 2, 3 within a region), GCP zones (us-central1-a, us-central1-b), or Oracle Cloud availability domains (AD-1, AD-2, AD-3).\n\noptional"]
    #[serde(rename = "zone")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub zone: Option<String>,
}
#[doc = "Response Elements\n\nThe Response Elements object describes characteristics of an API response.\n\n[] Category:  | Name: response"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Response {
    #[doc = "Response Code\n\nThe numeric response sent to a request.\n\nrecommended"]
    #[serde(rename = "code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub code: Option<i64>,
    #[doc = "Containers\n\nWhen working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. For example, this may be the set of containers involved in handling api requests and responses for a containerized application.\n\noptional"]
    #[serde(rename = "containers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub containers: Option<Vec<Container>>,
    #[doc = "Data\n\nThe additional data that is associated with the api response.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Error Code\n\nError Code\n\nrecommended"]
    #[serde(rename = "error")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error: Option<String>,
    #[doc = "Error Message\n\nError Message\n\nrecommended"]
    #[serde(rename = "error_message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error_message: Option<String>,
    #[doc = "Flags\n\nThe communication flags that are associated with the api response.\n\noptional"]
    #[serde(rename = "flags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub flags: Option<Vec<String>>,
    #[doc = "Message\n\nThe description of the event/finding, as defined by the source.\n\nrecommended"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
}
#[doc = "RPC Interface\n\nThe RPC Interface represents the remote procedure call interface used in the DCE/RPC session.\n\n[] Category:  | Name: rpc_interface"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct RpcInterface {
    #[doc = "Acknowledgement Reason\n\nAn integer that provides a reason code or additional information about the acknowledgment result.\n\nrecommended"]
    #[serde(rename = "ack_reason")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ack_reason: Option<i64>,
    #[doc = "Acknowledgement Result\n\nAn integer that denotes the acknowledgment result of the DCE/RPC call.\n\nrecommended"]
    #[serde(rename = "ack_result")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ack_result: Option<i64>,
    #[doc = "UUID\n\nThe unique identifier of the particular remote procedure or service.\n\nrequired"]
    #[serde(rename = "uuid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uuid: Option<String>,
    #[doc = "Version\n\nThe version of the DCE/RPC protocol being used in the session.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Rule\n\nThe Rule object describes characteristics of a rule associated with a policy or an event.\n\n[] Category:  | Name: rule\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Rule {
    #[doc = "Category\n\nThe rule category.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Description\n\nThe description of the rule that generated the event.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Name\n\nThe name of the rule that generated the event.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Type\n\nThe rule type.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the rule that generated the event.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe rule version. For example: <code>1.1</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Subject Alternative Name\n\nThe Subject Alternative name (SAN) object describes a SAN secured by a digital certificate\n\n[] Category:  | Name: san"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct San {
    #[doc = "Name\n\nName of SAN (e.g. The actual IP Address or domain.)\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Type\n\nType descriptor of SAN (e.g. IP Address/domain/etc.)\n\nrequired"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
}
#[doc = "Software Bill of Materials\n\nThe Software Bill of Materials object describes characteristics of a generated SBOM.\n\n[] Category:  | Name: sbom"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Sbom {
    #[doc = "Created Time\n\nThe time when the SBOM was created.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the SBOM was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Software Package\n\nThe software package or library that is being discovered or inventoried by an SBOM.\n\nrequired"]
    #[serde(rename = "package")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub package: Option<Box<Package>>,
    #[doc = "Product\n\nDetails about the upstream product that generated the SBOM e.g. <code>cdxgen</code> or <code>Syft</code>.\n\nrecommended"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Software Components\n\nThe list of software components used in the software package.\n\nrequired"]
    #[serde(rename = "software_components")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub software_components: Option<Vec<SoftwareComponent>>,
    #[doc = "Type\n\nThe type of SBOM, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type of SBOM.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "SBOM ID\n\nA unique identifier for the SBOM or the SBOM generation by a source tool, such as the SPDX <code>metadata.component.bom-ref</code>.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe specification (spec) version of the particular SBOM, e.g., <code>1.6</code>.\n\noptional"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Scan\n\nThe Scan object describes characteristics of a proactive scan.\n\n[] Category:  | Name: scan\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Scan {
    #[doc = "Name\n\nThe administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Type\n\nThe type of scan.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type id of the scan.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Scan UID\n\nThe application-defined unique identifier assigned to an instance of a scan.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "SCIM\n\nThe System for Cross-domain Identity Management (SCIM) Configuration object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc7643'>RFC-7634</a>\n\n[] Category:  | Name: scim"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Scim {
    #[doc = "Auth Protocol\n\nThe authorization protocol as defined by the caption of <code>auth_protocol_id</code>. In the case of <code>Other</code>, it is defined by the event source.\n\noptional"]
    #[serde(rename = "auth_protocol")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_protocol: Option<String>,
    #[doc = "Auth Protocol ID\n\nThe normalized identifier of the authorization protocol used by the SCIM resource.\n\noptional"]
    #[serde(rename = "auth_protocol_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_protocol_id: Option<i64>,
    #[doc = "Created Time\n\nWhen the SCIM resource was added to the service provider.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nWhen the SCIM resource was added to the service provider.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Last Error Message\n\nMessage or code associated with the last encountered error.\n\noptional"]
    #[serde(rename = "error_message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error_message: Option<String>,
    #[doc = "SCIM Group Provisioning Enabled\n\nIndicates whether the SCIM resource is configured to provision groups, automatically or otherwise.\n\noptional"]
    #[serde(rename = "is_group_provisioning_enabled")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_group_provisioning_enabled: Option<bool>,
    #[doc = "SCIM User Provisioning Enabled\n\nIndicates whether the SCIM resource is configured to provision users, automatically or otherwise.\n\noptional"]
    #[serde(rename = "is_user_provisioning_enabled")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_user_provisioning_enabled: Option<bool>,
    #[doc = "Last Sync Time\n\nTimestamp of the most recent successful synchronization.\n\noptional"]
    #[serde(rename = "last_run_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_run_time: Option<i64>,
    #[doc = "Last Sync Time\n\nTimestamp of the most recent successful synchronization.\n\noptional"]
    #[serde(rename = "last_run_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_run_time_dt: Option<String>,
    #[doc = "Modified Time\n\nThe most recent time when the SCIM resource was updated at the service provider.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe most recent time when the SCIM resource was updated at the service provider.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe name of the SCIM resource.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Supported Protocol\n\nThe supported protocol for the SCIM resource. E.g., <code>SAML</code>, <code>OIDC</code>, or <code>OAuth2</code>.\n\noptional"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "Rate Limit\n\nMaximum number of requests allowed by the SCIM resource within a specified time frame to avoid throttling.\n\noptional"]
    #[serde(rename = "rate_limit")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rate_limit: Option<i64>,
    #[doc = "SCIM Group Schema\n\nSCIM provides a schema for representing groups, identified using the following schema URI: <code>urn:ietf:params:scim:schemas:core:2.0:Group</code> as defined in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc7643'>RFC-7634</a>. This attribute will capture key-value pairs for the scheme implemented in a SCIM resource.\n\nrecommended"]
    #[serde(rename = "scim_group_schema")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scim_group_schema: Option<serde_json::Value>,
    #[doc = "SCIM User Schema\n\nSCIM provides a resource type for user resources. The core schema for user is identified using the following schema URI: <code>urn:ietf:params:scim:schemas:core:2.0:User</code> as defined in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc7643'>RFC-7634</a>. his attribute will capture key-value pairs for the scheme implemented in a SCIM resource. This object is inclusive of both the basic and Enterprise User Schema Extension.\n\nrecommended"]
    #[serde(rename = "scim_user_schema")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scim_user_schema: Option<serde_json::Value>,
    #[doc = "State\n\nThe provisioning state of the SCIM resource, normalized to the caption of the <code>state_id</code> value. In the case of <code>Other</code>, it is defined by the event source.\n\noptional"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "State ID\n\nThe normalized state ID of the SCIM resource to reflect its activation status.\n\noptional"]
    #[serde(rename = "state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state_id: Option<i64>,
    #[doc = "Unique ID\n\nA unique identifier for a SCIM resource as defined by the service provider.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "External ID\n\nA String that is an identifier for the resource as defined by the provisioning client. The <code>externalId</code> may simplify identification of a resource between the provisioning client and the service provider by allowing the client to use a filter to locate the resource with an identifier from the provisioning domain, obviating the need to store a local mapping between the provisioning domain's identifier of the resource and the identifier used by the service provider.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "SCIM Endpoint URL\n\nThe primary URL for SCIM API requests.\n\noptional"]
    #[serde(rename = "url_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url_string: Option<String>,
    #[doc = "Service Provider\n\nName of the vendor or service provider implementing SCIM. E.g., <code>Okta</code>, <code>Auth0</code>, <code>Microsoft</code>.\n\noptional"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
    #[doc = "SCIM Version\n\nSCIM protocol version supported e.g., <code>SCIM 2.0</code>.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Script\n\nThe Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term <em>script</em> here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.\n\n[] Category:  | Name: script"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Script {
    #[doc = "File\n\nPresent if this script is associated with a file. Not present in the case of a file-less script.\n\noptional"]
    #[serde(rename = "file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub file: Option<Box<File>>,
    #[doc = "Hashes\n\nAn array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the <code>script_content</code> attribute.\n\nrecommended"]
    #[serde(rename = "hashes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hashes: Option<Vec<Fingerprint>>,
    #[doc = "Name\n\nUnique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis.\n\noptional"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Parent Unique ID\n\nThis attribute relates a sub-script to a parent script having the matching <code>uid</code> attribute. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS.\n\noptional"]
    #[serde(rename = "parent_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub parent_uid: Option<String>,
    #[doc = "Script Content\n\nThe script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.\n\nrequired"]
    #[serde(rename = "script_content")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub script_content: Option<Box<LongString>>,
    #[doc = "Type\n\nThe script type, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe normalized script type ID.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nSome script engines assign a unique ID to each individual execution of a given script. This attribute captures that unique ID. In the case of PowerShell, the unique ID corresponds to the <code>ScriptBlockId</code> in the raw ETW events provided by the OS.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Security State\n\nThe Security State object describes the security related state of a managed entity.\n\n[] Category:  | Name: security_state"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct SecurityState {
    #[doc = "Security State\n\nThe security state, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state: Option<String>,
    #[doc = "Security State ID\n\nThe security state of the managed entity.\n\nrecommended"]
    #[serde(rename = "state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub state_id: Option<i64>,
}
#[doc = "Service\n\nThe Service object describes characteristics of a service, <code> e.g. AWS EC2. </code>\n\n[] Category:  | Name: service\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Service {
    #[doc = "Labels\n\nThe list of labels associated with the service.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Name\n\nThe name of the service.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the service.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Unique ID\n\nThe unique identifier of the service.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe version of the service.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Session\n\nThe Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer.\n\n[] Category:  | Name: session"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Session {
    #[doc = "Count\n\nThe number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.\n\noptional"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Created Time\n\nThe time when the session was created.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the session was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "User Credential ID\n\nThe unique identifier of the user's credential. For example, AWS Access Key ID.\n\noptional"]
    #[serde(rename = "credential_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub credential_uid: Option<String>,
    #[doc = "Expiration Reason\n\nThe reason which triggered the session expiration.\n\noptional"]
    #[serde(rename = "expiration_reason")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_reason: Option<String>,
    #[doc = "Expiration Time\n\nThe session expiration time.\n\noptional"]
    #[serde(rename = "expiration_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time: Option<i64>,
    #[doc = "Expiration Time\n\nThe session expiration time.\n\noptional"]
    #[serde(rename = "expiration_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expiration_time_dt: Option<String>,
    #[doc = "Multi Factor Authentication\n\nIndicates whether Multi Factor Authentication was used during authentication.\n\noptional"]
    #[serde(rename = "is_mfa")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_mfa: Option<bool>,
    #[doc = "Remote\n\nThe indication of whether the session is remote.\n\nrecommended"]
    #[serde(rename = "is_remote")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_remote: Option<bool>,
    #[doc = "VPN Session\n\nThe indication of whether the session is a VPN session.\n\noptional"]
    #[serde(rename = "is_vpn")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_vpn: Option<bool>,
    #[doc = "Issuer Details\n\nThe identifier of the session issuer.\n\nrecommended"]
    #[serde(rename = "issuer")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub issuer: Option<String>,
    #[doc = "Terminal\n\nThe Pseudo Terminal associated with the session. Ex: the tty or pts value.\n\noptional"]
    #[serde(rename = "terminal")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub terminal: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the session.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nThe alternate unique identifier of the session. e.g. AWS ARN - <code>arn:aws:sts::123344444444:assumed-role/Admin/example-session</code>.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "UUID\n\nThe universally unique identifier of the session.\n\noptional"]
    #[serde(rename = "uuid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uuid: Option<String>,
}
#[doc = "Software Component\n\nThe Software Component object describes characteristics of a software component within a software package.\n\n[] Category:  | Name: software_component"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct SoftwareComponent {
    #[doc = "Author\n\nThe author(s) who published the software component.\n\nrecommended"]
    #[serde(rename = "author")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub author: Option<String>,
    #[doc = "Hash\n\nCryptographic hash to identify the binary instance of a software component.\n\noptional"]
    #[serde(rename = "hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hash: Option<Box<Fingerprint>>,
    #[doc = "Software License\n\nThe software license applied to this component.\n\noptional"]
    #[serde(rename = "license")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub license: Option<String>,
    #[doc = "Name\n\nThe software component name.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Package URL\n\nThe Package URL (PURL) to identify the software component. This is a URL that uniquely identifies the component, including the component's name, version, and type. The URL is used to locate and retrieve the component's metadata and content.\n\nrecommended"]
    #[serde(rename = "purl")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub purl: Option<String>,
    #[doc = "Related Component\n\nThe package URL (PURL) of the component that this software component has a relationship with.\n\nrecommended"]
    #[serde(rename = "related_component")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_component: Option<String>,
    #[doc = "Relationship\n\nThe relationship between two software components, normalized to the caption of the <code>relationship_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "relationship")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub relationship: Option<String>,
    #[doc = "Relationship ID\n\nThe normalized identifier of the relationship between two software components.\n\nrecommended"]
    #[serde(rename = "relationship_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub relationship_id: Option<i64>,
    #[doc = "Type\n\nThe type of software component, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe type of software component.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Version\n\nThe software component version.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "Span\n\nRepresents a single unit of work or operation within a distributed trace. A span typically tracks the execution of a request across a service, capturing important details such as the operation, timestamps, and status. Spans help break down the overall trace into smaller, manageable parts, enabling detailed analysis of the performance and behavior of specific operations within the system. They are crucial for understanding latency, dependencies, and bottlenecks in complex distributed systems.\n\n[] Category:  | Name: span"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Span {
    #[doc = "Duration Milliseconds\n\nThe total time, in milliseconds, that the span represents, calculated as the difference between start_time and end_time. It reflects the operation's performance and latency, independent of event timestamps, and accounts for normalized times used by observability tools to ensure consistency across distributed systems.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end timestamp of the span, essential for identifying latency and performance bottlenecks. Like the start time, this timestamp is normalized across the observability system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time allows for accurate duration calculations and helps observability tools track performance across services, regardless of the individual system time settings.\n\nrequired"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end timestamp of the span, essential for identifying latency and performance bottlenecks. Like the start time, this timestamp is normalized across the observability system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time allows for accurate duration calculations and helps observability tools track performance across services, regardless of the individual system time settings.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Message\n\nThe message in a span (often referred to as a span event) serves as a way to record significant moments or occurrences during the span's lifecycle. This content typically manifests as log entries, annotations, or semi-structured events as a string, providing additional granularity and context about what happens at specific points during the execution of an operation.\n\noptional"]
    #[serde(rename = "message")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub message: Option<String>,
    #[doc = "Operation\n\nDescribes an action performed in a span, such as API requests, database queries, or computations.\n\noptional"]
    #[serde(rename = "operation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub operation: Option<String>,
    #[doc = "Parent Unique ID\n\nThe ID of the parent span for this span object, establishing its relationship in the trace hierarchy.\n\noptional"]
    #[serde(rename = "parent_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub parent_uid: Option<String>,
    #[doc = "Service\n\nIdentifies the service or component that generates the span, helping trace its path through the distributed system.\n\noptional"]
    #[serde(rename = "service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service: Option<Box<Service>>,
    #[doc = "Start Time\n\nThe start timestamp of the span, essential for identifying latency and performance bottlenecks. This timestamp is normalized across the observability system, ensuring consistency even when events occur across distributed services with potentially unsynchronized clocks. By using normalized time, observability tools can provide accurate, uniform measurements of operation performance and latency, regardless of where or when the events actually occur.\n\nrequired"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start timestamp of the span, essential for identifying latency and performance bottlenecks. This timestamp is normalized across the observability system, ensuring consistency even when events occur across distributed services with potentially unsynchronized clocks. By using normalized time, observability tools can provide accurate, uniform measurements of operation performance and latency, regardless of where or when the events actually occur.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Status Code\n\nIndicates the outcome of the operation in the span, such as success, failure, or error. Issues in a span typically refer to problems such as failed operations, timeouts, service unavailability, or errors in processing that can negatively impact the performance or reliability of the system. Tracking the `status_code` helps pinpoint these issues, enabling quicker identification and resolution of system inefficiencies or faults.\n\noptional"]
    #[serde(rename = "status_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_code: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier for the span, used in distributed systems and microservices architectures to track and correlate requests across different components of an application. It enables tracing the flow of a request through various services.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "SSO\n\nThe Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.\n\n[] Category:  | Name: sso"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Sso {
    #[doc = "Auth Protocol\n\nThe authorization protocol as defined by the caption of <code>auth_protocol_id</code>. In the case of <code>Other</code>, it is defined by the event source.\n\noptional"]
    #[serde(rename = "auth_protocol")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_protocol: Option<String>,
    #[doc = "Auth Protocol ID\n\nThe normalized identifier of the authentication protocol used by the SSO resource.\n\noptional"]
    #[serde(rename = "auth_protocol_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_protocol_id: Option<i64>,
    #[doc = "SAML Certificate\n\nDigital Signature associated with the SSO resource, e.g., SAML X.509 certificate details.\n\nrecommended"]
    #[serde(rename = "certificate")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub certificate: Option<Box<Certificate>>,
    #[doc = "Created Time\n\nWhen the SSO resource was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nWhen the SSO resource was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "SSO Session Duration\n\nThe duration (in minutes) for an SSO session, after which re-authentication is required.\n\noptional"]
    #[serde(rename = "duration_mins")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration_mins: Option<i64>,
    #[doc = "SSO Idle Timeout\n\nDuration (in minutes) of allowed inactivity before Single Sign-On (SSO) session expiration.\n\noptional"]
    #[serde(rename = "idle_timeout")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub idle_timeout: Option<i64>,
    #[doc = "SSO Login Endpoint\n\nURL for initiating an SSO login request.\n\noptional"]
    #[serde(rename = "login_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub login_endpoint: Option<String>,
    #[doc = "SSO Logout Endpoint\n\nURL for initiating an SSO logout request, allowing sessions to be terminated across applications.\n\noptional"]
    #[serde(rename = "logout_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub logout_endpoint: Option<String>,
    #[doc = "SSO Metadata Endpoint\n\nURL where metadata about the SSO configuration is available (e.g., for SAML configurations).\n\noptional"]
    #[serde(rename = "metadata_endpoint")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub metadata_endpoint: Option<String>,
    #[doc = "Modified Time\n\nThe most recent time when the SSO resource was updated.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe most recent time when the SSO resource was updated.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe name of the SSO resource.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Supported Protocol\n\nThe supported protocol for the SSO resource. E.g., <code>SAML</code> or <code>OIDC</code>.\n\noptional"]
    #[serde(rename = "protocol_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub protocol_name: Option<String>,
    #[doc = "Scopes\n\nScopes define the specific permissions or actions that the client is allowed to perform on behalf of the user. Each scope represents a different set of permissions, and the user can selectively grant or deny access to specific scopes during the authorization process.\n\noptional"]
    #[serde(rename = "scopes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scopes: Option<Vec<String>>,
    #[doc = "Unique ID\n\nA unique identifier for a SSO resource.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Service Provider\n\nName of the vendor or service provider implementing SSO. E.g., <code>Okta</code>, <code>Auth0</code>, <code>Microsoft</code>.\n\noptional"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
}
#[doc = "Startup Item\n\nThe startup item object describes an application component that has associated startup criteria and configurations.\n\n[] Category:  | Name: startup_item\n\n**Constraints:**\n* just_one: `[driver`,`job`,`process`,`win_service]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct StartupItem {
    #[doc = "Kernel Driver\n\nThe startup item kernel driver resource.\n\noptional"]
    #[serde(rename = "driver")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub driver: Option<Box<KernelDriver>>,
    #[doc = "Job\n\nThe startup item job resource.\n\noptional"]
    #[serde(rename = "job")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub job: Option<Box<Job>>,
    #[doc = "Name\n\nThe unique name of the startup item.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Process\n\nThe startup item process resource.\n\noptional"]
    #[serde(rename = "process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub process: Option<Box<Process>>,
    #[doc = "Run Mode IDs\n\nThe list of normalized identifiers that describe the startup items' properties when it is running.  Use this field to capture extended information about the process, which may depend on the type of startup item.  E.g., A Windows service that interacts with the desktop.\n\noptional"]
    #[serde(rename = "run_mode_ids")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub run_mode_ids: Option<Vec<i64>>,
    #[doc = "Run Modes\n\nThe list of run_modes, normalized to the captions of the run_mode_id values.  In the case of 'Other', they are defined by the event source.\n\noptional"]
    #[serde(rename = "run_modes")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub run_modes: Option<Vec<String>>,
    #[doc = "Run State\n\nThe run state of the startup item.\n\noptional"]
    #[serde(rename = "run_state")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub run_state: Option<String>,
    #[doc = "Run State ID\n\nThe run state ID of the startup item.\n\nrecommended"]
    #[serde(rename = "run_state_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub run_state_id: Option<i64>,
    #[doc = "Start Type\n\nThe start type of the startup item.\n\noptional"]
    #[serde(rename = "start_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_type: Option<String>,
    #[doc = "Start Type ID\n\nThe start type ID of the startup item.\n\nrequired"]
    #[serde(rename = "start_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_type_id: Option<i64>,
    #[doc = "Type\n\nThe startup item type.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe startup item type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Windows Service\n\nThe startup item Windows service resource.\n\noptional"]
    #[serde(rename = "win_service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub win_service: Option<Box<WinWinService>>,
}
#[doc = "MITRE Sub-technique\n\nThe MITRE Sub-technique object describes the ATT&CK® or ATLAS™ Sub-technique ID and/or name associated to an attack.\n\n[] Category:  | Name: sub_technique\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct SubTechnique {
    #[doc = "Name\n\nThe name of the attack sub-technique. For example: <code>Scanning IP Blocks</code> or <code>User Execution: Unsafe ML Artifacts</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Source URL\n\nThe versioned permalink of the attack sub-technique. For example: <code>https://attack.mitre.org/versions/v14/techniques/T1595/001/</code>.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the attack sub-technique. For example: <code>T1595.001</code> or <code>AML.T0011.000</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Table\n\nThe table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.\n\n[] Category:  | Name: table\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Table {
    #[doc = "Created Time\n\nThe time when the table was known to have been created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the table was known to have been created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Description\n\nThe description of the table.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Groups\n\nThe group names to which the table belongs.\n\noptional"]
    #[serde(rename = "groups")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub groups: Option<Vec<Group>>,
    #[doc = "Modified Time\n\nThe most recent time when any changes, updates, or modifications were made within the table.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe most recent time when any changes, updates, or modifications were made within the table.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe table name, ordinarily as assigned by a database administrator.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Size\n\nThe size of the data table in bytes.\n\noptional"]
    #[serde(rename = "size")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub size: Option<i64>,
    #[doc = "Unique ID\n\nThe unique identifier of the table.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "MITRE Tactic\n\nThe MITRE Tactic object describes the ATT&CK® or ATLAS™ Tactic ID and/or name that is associated to an attack.\n\n[] Category:  | Name: tactic\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Tactic {
    #[doc = "Name\n\nThe Tactic name that is associated with the attack technique. For example: <code>Reconnaissance</code> or <code>ML Model Access</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Source URL\n\nThe versioned permalink of the Tactic. For example: <code>https://attack.mitre.org/versions/v14/tactics/TA0043/</code>.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Unique ID\n\nThe Tactic ID that is associated with the attack technique. For example: <code>TA0043</code>, or <code>AML.TA0000</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "MITRE Technique\n\nThe MITRE Technique object describes the ATT&CK® or ATLAS™ Technique ID and/or name associated to an attack.\n\n[] Category:  | Name: technique\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Technique {
    #[doc = "Name\n\nThe name of the attack technique. For example: <code>Active Scanning</code> or <code>AI Model Inference API Access</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Source URL\n\nThe versioned permalink of the attack technique. For example: <code>https://attack.mitre.org/versions/v14/techniques/T1595/</code>.\n\noptional"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the attack technique. For example: <code>T1595</code> or <code>AML.T0040</code>.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Threat Actor\n\nThreat actor is responsible for the observed malicious activity.\n\n[] Category:  | Name: threat_actor"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct ThreatActor {
    #[doc = "Name\n\nThe name of the threat actor.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Threat Actor Type\n\nThe classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Threat Actor Type ID\n\nThe normalized datastore resource type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
}
#[doc = "Ticket\n\nThe Ticket object represents ticket in the customer's IT Service Management (ITSM) systems like ServiceNow, Jira, etc.\n\n[] Category:  | Name: ticket\n\n**Constraints:**\n* at_least_one: `[src_url`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Ticket {
    #[doc = "Source URL\n\nThe url of a ticket in the ticket system.\n\nrecommended"]
    #[serde(rename = "src_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub src_url: Option<String>,
    #[doc = "Ticket Status\n\nThe status of the ticket normalized to the caption of the <code>status_id</code> value. In the case of <code>99</code>, this value should as defined by the source.\n\noptional"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Status Details\n\nA list of contextual descriptions of the <code>status, status_id</code> values.\n\noptional"]
    #[serde(rename = "status_details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_details: Option<Vec<String>>,
    #[doc = "Ticket Status ID\n\nThe normalized identifier for the ticket status.\n\noptional"]
    #[serde(rename = "status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status_id: Option<i64>,
    #[doc = "Title\n\nThe title of the ticket.\n\noptional"]
    #[serde(rename = "title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub title: Option<String>,
    #[doc = "Ticket Type\n\nThe linked ticket type determines whether the ticket is internal or in an external ticketing system.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Ticket Type ID\n\nThe normalized identifier for the ticket type.\n\noptional"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nUnique identifier of the ticket.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Time Span\n\nThe Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may be populated since each member is of integral type. In that case <code>type_id</code> if present should be set to <code>Other.</code><P>A timespan may also be defined by its time interval boundaries, <code>start_time</code> and <code>end_time</code>.\n\n[] Category:  | Name: timespan\n\n**Constraints:**\n* at_least_one: `[duration`,`duration_days`,`duration_hours`,`duration_mins`,`duration_months`,`duration_secs`,`duration_weeks`,`duration_years`,`end_time`,`start_time]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Timespan {
    #[doc = "Duration Milliseconds\n\nThe duration of the time span in milliseconds.\n\nrecommended"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "Duration Days\n\nThe duration of the time span in days.\n\nrecommended"]
    #[serde(rename = "duration_days")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration_days: Option<i64>,
    #[doc = "Duration Hours\n\nThe duration of the time span in hours.\n\nrecommended"]
    #[serde(rename = "duration_hours")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration_hours: Option<i64>,
    #[doc = "Duration Minutes\n\nThe duration of the time span in minutes.\n\nrecommended"]
    #[serde(rename = "duration_mins")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration_mins: Option<i64>,
    #[doc = "Duration Months\n\nThe duration of the time span in months.\n\nrecommended"]
    #[serde(rename = "duration_months")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration_months: Option<i64>,
    #[doc = "Duration Seconds\n\nThe duration of the time span in seconds.\n\nrecommended"]
    #[serde(rename = "duration_secs")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration_secs: Option<i64>,
    #[doc = "Duration Weeks\n\nThe duration of the time span in weeks.\n\nrecommended"]
    #[serde(rename = "duration_weeks")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration_weeks: Option<i64>,
    #[doc = "Duration Years\n\nThe duration of the time span in years.\n\nrecommended"]
    #[serde(rename = "duration_years")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration_years: Option<i64>,
    #[doc = "End Time\n\nThe end time or conclusion of the timespan's interval.\n\nrecommended"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end time or conclusion of the timespan's interval.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Start Time\n\nThe start time or beginning of the timespan's interval.\n\nrecommended"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start time or beginning of the timespan's interval.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Time Span Type\n\nThe type of time span duration the object represents.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Time Span Type ID\n\nThe normalized identifier for the time span duration type.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
}
#[doc = "Transport Layer Security (TLS)\n\nThe Transport Layer Security (TLS) object describes the negotiated TLS protocol used for secure communications over an establish network connection.\n\n[] Category:  | Name: tls"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Tls {
    #[doc = "Client TLS Alert\n\nThe integer value of TLS alert if present. The alerts are defined in the TLS specification in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc2246'>RFC-2246</a>.\n\noptional"]
    #[serde(rename = "alert")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub alert: Option<i64>,
    #[doc = "Certificate\n\nThe certificate object containing information about the digital certificate.\n\nrecommended"]
    #[serde(rename = "certificate")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub certificate: Option<Box<Certificate>>,
    #[doc = "Certificate Chain\n\nThe Chain of Certificate Serial Numbers field provides a chain of Certificate Issuer Serial Numbers leading to the Root Certificate Issuer.\n\nrecommended"]
    #[serde(rename = "certificate_chain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub certificate_chain: Option<Vec<String>>,
    #[doc = "Cipher Suite\n\nThe negotiated cipher suite.\n\nrecommended"]
    #[serde(rename = "cipher")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cipher: Option<String>,
    #[doc = "Client Cipher Suites\n\nThe client cipher suites that were exchanged during the TLS handshake negotiation.\n\nrecommended"]
    #[serde(rename = "client_ciphers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub client_ciphers: Option<Vec<String>>,
    #[doc = "Extension List\n\nThe list of TLS extensions.\n\noptional"]
    #[serde(rename = "extension_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub extension_list: Option<Vec<TlsExtension>>,
    #[doc = "Handshake Duration\n\nThe amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.\n\noptional"]
    #[serde(rename = "handshake_dur")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub handshake_dur: Option<i64>,
    #[doc = "JA3 Hash\n\nThe MD5 hash of a JA3 string.\n\nrecommended"]
    #[serde(rename = "ja3_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja3_hash: Option<Box<Fingerprint>>,
    #[doc = "JA3S Hash\n\nThe MD5 hash of a JA3S string.\n\nrecommended"]
    #[serde(rename = "ja3s_hash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ja3s_hash: Option<Box<Fingerprint>>,
    #[doc = "Key Length\n\nThe length of the encryption key.\n\noptional"]
    #[serde(rename = "key_length")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub key_length: Option<i64>,
    #[doc = "Subject Alternative Names\n\nThe list of subject alternative names that are secured by a specific certificate.\n\noptional"]
    #[serde(rename = "sans")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sans: Option<Vec<San>>,
    #[doc = "Server Cipher Suites\n\nThe server cipher suites that were exchanged during the TLS handshake negotiation.\n\noptional"]
    #[serde(rename = "server_ciphers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub server_ciphers: Option<Vec<String>>,
    #[doc = "Server Name Indication\n\n The Server Name Indication (SNI) extension sent by the client.\n\nrecommended"]
    #[serde(rename = "sni")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub sni: Option<String>,
    #[doc = "TLS Extension List\n\nThe list of TLS extensions.\n\noptional"]
    #[serde(rename = "tls_extension_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tls_extension_list: Option<Vec<TlsExtension>>,
    #[doc = "Version\n\nThe TLS protocol version.\n\nrequired"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}
#[doc = "TLS Extension\n\nThe TLS Extension object describes additional attributes that extend the base Transport Layer Security (TLS) object.\n\n[] Category:  | Name: tls_extension"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct TlsExtension {
    #[doc = "Data\n\nThe data contains information specific to the particular extension type.\n\nrecommended"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Type\n\nThe TLS extension type. For example: <code>Server Name</code>.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe TLS extension type identifier. See <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc8446#page-35'>The Transport Layer Security (TLS) extension page</a>.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
}
#[doc = "Trace\n\nThe trace object contains information about a distributed trace,  which is crucial for observability. Traces are made up of one or more spans, which are individual units of work in application activity. Traces track the journey of a request as it moves through various services in a system, capturing key details like timing, status, and dependencies at each step. Traces provide insights into system performance, helping to identify latency, bottlenecks, and issues in complex, distributed environments.\n\n[] Category:  | Name: trace"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Trace {
    #[doc = "Duration Milliseconds\n\nThe total time, in milliseconds, that the trace covers, calculated as the difference between start_time and end_time. This duration helps assess the overall performance of a request as it travels across various services, and is essential for identifying latency and potential bottlenecks within the distributed system. The trace duration may differ from individual span durations due to the propagation and processing times of the trace as it spans multiple components.\n\noptional"]
    #[serde(rename = "duration")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub duration: Option<i64>,
    #[doc = "End Time\n\nThe end timestamp of the trace, essential for identifying latency and performance bottlenecks. Like the start time, this timestamp is normalized across the trace system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time allows for accurate trace duration calculations and helps observability tools track overall performance across services, regardless of the individual system time settings.\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe end timestamp of the trace, essential for identifying latency and performance bottlenecks. Like the start time, this timestamp is normalized across the trace system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time allows for accurate trace duration calculations and helps observability tools track overall performance across services, regardless of the individual system time settings.\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Flags\n\nThe flags associated with the trace, used to indicate specific properties or behaviors, such as whether the trace is sampled or if it has special handling. Flags help control how traces are processed, logged, and analyzed, providing valuable context for tracing and observability tools in identifying trace characteristics or specific tracking requirements.\n\noptional"]
    #[serde(rename = "flags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub flags: Option<Vec<String>>,
    #[doc = "Service\n\nIdentifies the service or component generating the trace, helping to track and correlate the flow of requests through various parts of a distributed system. This information is essential for understanding the role and performance of specific services within the broader context of system operations and for diagnosing issues across different components.\n\noptional"]
    #[serde(rename = "service")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service: Option<Box<Service>>,
    #[doc = "Span\n\nRepresents a single unit of work or operation within a distributed trace. A span typically tracks the execution of a request across a service, capturing important details such as the operation, timestamps, and status. Spans help break down the overall trace into smaller, manageable parts, enabling detailed analysis of the performance and behavior of specific operations within the system. They are crucial for understanding latency, dependencies, and bottlenecks in complex distributed systems.\n\noptional"]
    #[serde(rename = "span")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub span: Option<Box<Span>>,
    #[doc = "Start Time\n\nThe start timestamp of the trace, essential for identifying latency and performance bottlenecks. Like the end time, this timestamp is normalized across the trace system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time enables accurate trace duration calculations and helps observability tools track performance across services, regardless of the individual system time settings.\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe start timestamp of the trace, essential for identifying latency and performance bottlenecks. Like the end time, this timestamp is normalized across the trace system to ensure consistency, even when events are recorded across distributed services with unsynchronized clocks. Normalized time enables accurate trace duration calculations and helps observability tools track performance across services, regardless of the individual system time settings.\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the trace used in distributed systems and microservices architecture to track and correlate requests across various components of an application.\n\nrequired"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
}
#[doc = "Trait\n\nDescribes a characteristic or feature of an entity that was observed. For example, this object can be used to represent specific characteristics derived from events or findings that can be surfaced as distinguishing traits of the entity in question.\n\n[] Category:  | Name: trait\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Trait {
    #[doc = "Category\n\nThe high-level grouping or classification this trait belongs to.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "Name\n\nThe name of the trait.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Type\n\nThe type of the trait. For example, this can be used to indicate if the trait acts as a contributing factor (increases risk/severity) or a mitigating factor (decreases risk/severity), in the context of the related finding.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the trait.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Values\n\nThe values of the trait.\n\noptional"]
    #[serde(rename = "values")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub values: Option<Vec<String>>,
}
#[doc = "Transformation Info\n\nThe transformation_info object represents the mapping or transformation used.\n\n[] Category:  | Name: transformation_info\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct TransformationInfo {
    #[doc = "Language\n\nThe transformation language used to transform the data.\n\noptional"]
    #[serde(rename = "lang")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub lang: Option<String>,
    #[doc = "Name\n\nThe name of the transformation or mapping.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Product\n\nThe product or instance used to make the transformation\n\noptional"]
    #[serde(rename = "product")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub product: Option<Box<Product>>,
    #[doc = "Event Time\n\nTime of the transformation.\n\nrecommended"]
    #[serde(rename = "time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time: Option<i64>,
    #[doc = "Event Time\n\nTime of the transformation.\n\noptional"]
    #[serde(rename = "time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub time_dt: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the mapping or transformation.\n\noptional"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "URL String\n\nThe Uniform Resource Locator String where the mapping or transformation exists.\n\nrecommended"]
    #[serde(rename = "url_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url_string: Option<String>,
}
#[doc = "Unmanned Aerial System\n\nThe Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) <a target='_blank' href='https://cdn.standards.iteh.ai/samples/112830/71297057ac42432880a203654f213709/ASTM-F3411-22a.pdf'>ASTM F3411-22a</a>.\n\n[] Category:  | Name: unmanned_aerial_system\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct UnmannedAerialSystem {
    #[doc = "UAS Hardware Information\n\nThe endpoint hardware information.\n\noptional"]
    #[serde(rename = "hw_info")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hw_info: Option<Box<DeviceHwInfo>>,
    #[doc = "UAS Position Location Information\n\nThe detailed geographical location usually associated with an IP address.\n\nrecommended"]
    #[serde(rename = "location")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub location: Option<Box<Location>>,
    #[doc = "Model\n\nThe model name of the aircraft or unmanned system.\n\noptional"]
    #[serde(rename = "model")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub model: Option<String>,
    #[doc = "Name\n\nThe name of the unmanned system as reported by tracking or sensing hardware.\n\noptional"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Serial Number\n\nThe serial number of the unmanned system. This is expressed in <code>CTA-2063-A</code> format.\n\nrecommended"]
    #[serde(rename = "serial_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub serial_number: Option<String>,
    #[doc = "Speed\n\nGround speed of flight. This value is provided in meters per second with a minimum resolution of 0.25 m/s. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: 255 m/s</code>.\n\noptional"]
    #[serde(rename = "speed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub speed: Option<String>,
    #[doc = "Speed Accuracy\n\nProvides quality/containment on horizontal ground speed. Measured in meters/second.\n\noptional"]
    #[serde(rename = "speed_accuracy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub speed_accuracy: Option<String>,
    #[doc = "Track Direction\n\nDirection of flight expressed as a “True North-based” ground track angle. This value is provided in clockwise degrees with a minimum resolution of 1 degree. If aircraft is not moving horizontally, use the “Unknown” value\n\noptional"]
    #[serde(rename = "track_direction")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub track_direction: Option<String>,
    #[doc = "Type\n\nThe type of the UAS. For example, Helicopter, Gyroplane, Rocket, etc.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe UAS type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "UAS ID\n\nThe primary identification identifier for an unmanned system. This can be a Serial Number (in <code>CTA-2063-A</code> format, the Registration ID (provided by the <code>CAA</code>, a UTM, or a unique Session ID.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "UAS Alternate ID\n\nA secondary identification identifier for an unmanned system. This can be a Serial Number (in <code>CTA-2063-A</code> format, the Registration ID (provided by the <code>CAA</code>, a UTM, or a unique Session ID.\n\nrecommended"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "UTM UUID\n\nThe Unmanned Aircraft System Traffic Management (UTM) provided universal unique ID (UUID) traceable to a non-obfuscated ID where this UTM UUID acts as a 'session id' to protect exposure of operationally sensitive information.\n\nrecommended"]
    #[serde(rename = "uuid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uuid: Option<String>,
    #[doc = "Vertical Speed\n\nVertical speed upward relative to the WGS-84 datum, measured in meters per second. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: 63 m/s</code>.\n\noptional"]
    #[serde(rename = "vertical_speed")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vertical_speed: Option<String>,
}
#[doc = "Unmanned System Operating Area\n\nThe Unmanned System Operating Area object describes details about a precise area of operations for a UAS flight or mission.\n\n[] Category:  | Name: unmanned_system_operating_area\n\n**Constraints:**\n* at_least_one: `[city`,`country`,`postal_code`,`region]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct UnmannedSystemOperatingArea {
    #[doc = "Aerial Height\n\nExpressed as either height above takeoff location or height above ground level (AGL) for a UAS current location. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.\n\noptional"]
    #[serde(rename = "aerial_height")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub aerial_height: Option<String>,
    #[doc = "Altitude Ceiling\n\nMaximum altitude (WGS-84 HAE) for a group or an Intent-Based Network Participant. Measured in meters. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.\n\noptional"]
    #[serde(rename = "altitude_ceiling")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub altitude_ceiling: Option<String>,
    #[doc = "Altitude Floor\n\nMinimum altitude (WGS-84 HAE) for a group or an Intent-Based Network Participant. Measured in meters. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.\n\noptional"]
    #[serde(rename = "altitude_floor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub altitude_floor: Option<String>,
    #[doc = "City\n\nThe name of the city.\n\nrecommended"]
    #[serde(rename = "city")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub city: Option<String>,
    #[doc = "Continent\n\nThe name of the continent.\n\nrecommended"]
    #[serde(rename = "continent")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub continent: Option<String>,
    #[doc = "Coordinates\n\nA two-element array, containing a longitude/latitude pair. The format conforms with <a target='_blank' href='https://geojson.org'>GeoJSON</a>. For example: <code>[-73.983, 40.719]</code>.\n\noptional"]
    #[serde(rename = "coordinates")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub coordinates: Option<Vec<f64>>,
    #[doc = "Count\n\nIndicates the number of UAS in the operating area.\n\nrecommended"]
    #[serde(rename = "count")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub count: Option<i64>,
    #[doc = "Country\n\nThe ISO 3166-1 Alpha-2 country code.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>\n\nrecommended"]
    #[serde(rename = "country")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub country: Option<String>,
    #[doc = "Description\n\nThe description of the geographical location.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "End Time\n\nThe date and time at which a group or an Intent-Based Network Participant operation ends. (This field is only applicable to Network Remote ID.)\n\noptional"]
    #[serde(rename = "end_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time: Option<i64>,
    #[doc = "End Time\n\nThe date and time at which a group or an Intent-Based Network Participant operation ends. (This field is only applicable to Network Remote ID.)\n\noptional"]
    #[serde(rename = "end_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub end_time_dt: Option<String>,
    #[doc = "Geodetic Altitude\n\nThe aircraft distance above or below the ellipsoid as measured along a line that passes through the aircraft and is normal to the surface of the WGS-84 ellipsoid. This value is provided in meters and must have a minimum resolution of 1 m. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.\n\noptional"]
    #[serde(rename = "geodetic_altitude")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub geodetic_altitude: Option<String>,
    #[doc = "Geodetic Vertical Accuracy\n\nProvides quality/containment on geodetic altitude. This is based on ADS-B Geodetic Vertical Accuracy (GVA). Measured in meters.\n\noptional"]
    #[serde(rename = "geodetic_vertical_accuracy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub geodetic_vertical_accuracy: Option<String>,
    #[doc = "Geohash\n\n<p>Geohash of the geo-coordinates (latitude and longitude).</p><a target='_blank' href='https://en.wikipedia.org/wiki/Geohash'>Geohashing</a> is a geocoding system used to encode geographic coordinates in decimal degrees, to a single string.\n\noptional"]
    #[serde(rename = "geohash")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub geohash: Option<String>,
    #[doc = "Horizontal Accuracy\n\nProvides quality/containment on horizontal position. This is based on ADS-B NACp. Measured in meters.\n\noptional"]
    #[serde(rename = "horizontal_accuracy")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub horizontal_accuracy: Option<String>,
    #[doc = "On Premises\n\nThe indication of whether the location is on premises.\n\noptional"]
    #[serde(rename = "is_on_premises")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_on_premises: Option<bool>,
    #[doc = "ISP Name\n\nThe name of the Internet Service Provider (ISP).\n\noptional"]
    #[serde(rename = "isp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub isp: Option<String>,
    #[doc = "Latitude\n\nThe geographical Latitude coordinate represented in Decimal Degrees (DD). For example: <code>42.361145</code>.\n\noptional"]
    #[serde(rename = "lat")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub lat: Option<f64>,
    #[doc = "Operating Polygon\n\nA list of Position Location Information (PLI) (latitude/longitude pairs) defining the area where a group or Intent-Based Network Participant operation is taking place. (This field is only applicable to Network Remote ID.)\n\nrecommended"]
    #[serde(rename = "locations")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub locations: Option<Vec<Location>>,
    #[doc = "Longitude\n\nThe geographical Longitude coordinate represented in Decimal Degrees (DD). For example: <code>-71.057083</code>.\n\noptional"]
    #[serde(rename = "long")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub long: Option<f64>,
    #[doc = "Postal Code\n\nThe postal code of the location.\n\noptional"]
    #[serde(rename = "postal_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub postal_code: Option<String>,
    #[doc = "Pressure Altitude\n\nThe uncorrected barometric pressure altitude (based on reference standard 29.92 inHg, 1013.25 mb) provides a reference for algorithms that utilize 'altitude deltas' between aircraft. This value is provided in meters and must have a minimum resolution of 1 m.. Special Values: <code>Invalid</code>, <code>No Value</code>, or <code>Unknown: -1000 m</code>.\n\noptional"]
    #[serde(rename = "pressure_altitude")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub pressure_altitude: Option<String>,
    #[doc = "Provider\n\nThe provider of the geographical location data.\n\noptional"]
    #[serde(rename = "provider")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub provider: Option<String>,
    #[doc = "Operating Area Radius\n\nFarthest horizontal distance from the reported location at which any UA in a group may be located (meters). Also allows defining the area where an Intent-Based Network Participant operation is taking place. Default: 0 m.\n\noptional"]
    #[serde(rename = "radius")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub radius: Option<String>,
    #[doc = "Region\n\nThe alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. For example, 'CH-VD' for the Canton of Vaud, Switzerland\n\noptional"]
    #[serde(rename = "region")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub region: Option<String>,
    #[doc = "Start Time\n\nThe date and time at which a group or an Intent-Based Network Participant operation starts. (This field is only applicable to Network Remote ID.)\n\noptional"]
    #[serde(rename = "start_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time: Option<i64>,
    #[doc = "Start Time\n\nThe date and time at which a group or an Intent-Based Network Participant operation starts. (This field is only applicable to Network Remote ID.)\n\noptional"]
    #[serde(rename = "start_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub start_time_dt: Option<String>,
    #[doc = "Type\n\nThe type of operating area. For example, <code>Takeoff Location</code>, <code>Fixed Location</code>, <code>Dynamic Location</code>.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe operating area type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
}
#[doc = "Uniform Resource Locator\n\nThe Uniform Resource Locator (URL) object describes the characteristics of a URL.\n\n[] Category:  | Name: url\n\n**Constraints:**\n* at_least_one: `[url_string`,`path]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Url {
    #[doc = "Website Categorization\n\nThe Website categorization names, as defined by <code>category_ids</code> enum values.\n\noptional"]
    #[serde(rename = "categories")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub categories: Option<Vec<String>>,
    #[doc = "Website Categorization IDs\n\nThe Website categorization identifiers.\n\nrecommended"]
    #[serde(rename = "category_ids")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category_ids: Option<Vec<i64>>,
    #[doc = "Domain\n\nThe domain portion of the URL. For example: <code>example.com</code> in <code>https://sub.example.com</code>.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Hostname\n\nThe URL host as extracted from the URL. For example: <code>www.example.com</code> from <code>www.example.com/download/trouble</code>.\n\nrecommended"]
    #[serde(rename = "hostname")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hostname: Option<String>,
    #[doc = "Path\n\nThe URL path as extracted from the URL. For example: <code>/download/trouble</code> from <code>www.example.com/download/trouble</code>.\n\nrecommended"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Port\n\nThe URL port. For example: <code>80</code>.\n\nrecommended"]
    #[serde(rename = "port")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub port: Option<i64>,
    #[doc = "HTTP Query String\n\nThe query portion of the URL. For example: the query portion of the URL <code>http://www.example.com/search?q=bad&sort=date</code> is <code>q=bad&sort=date</code>.\n\nrecommended"]
    #[serde(rename = "query_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub query_string: Option<String>,
    #[doc = "Resource Type\n\nThe context in which a resource was retrieved in a web request.\n\noptional"]
    #[serde(rename = "resource_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub resource_type: Option<String>,
    #[doc = "Scheme\n\nThe scheme portion of the URL. For example: <code>http</code>, <code>https</code>, <code>ftp</code>, or <code>sftp</code>.\n\nrecommended"]
    #[serde(rename = "scheme")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scheme: Option<String>,
    #[doc = "Subdomain\n\nThe subdomain portion of the URL. For example: <code>sub</code> in <code>https://sub.example.com</code> or <code>sub2.sub1</code> in <code>https://sub2.sub1.example.com</code>.\n\noptional"]
    #[serde(rename = "subdomain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subdomain: Option<String>,
    #[doc = "URL String\n\nThe URL string. See RFC 1738. For example: <code>http://www.example.com/download/trouble.exe</code>. Note: The URL path should not populate the URL string.\n\nrecommended"]
    #[serde(rename = "url_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url_string: Option<String>,
}
#[doc = "User\n\nThe User object describes the characteristics of a user/person or a security principal.\n\n[] Category:  | Name: user\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct User {
    #[doc = "Account\n\nThe user's account or the account associated with the user.\n\noptional"]
    #[serde(rename = "account")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub account: Option<Box<Account>>,
    #[doc = "User Credential ID\n\nThe unique identifier of the user's credential. For example, AWS Access Key ID.\n\noptional"]
    #[serde(rename = "credential_uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub credential_uid: Option<String>,
    #[doc = "Display Name\n\nThe display name of the user, as reported by the product.\n\noptional"]
    #[serde(rename = "display_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub display_name: Option<String>,
    #[doc = "Domain\n\nThe domain where the user is defined. For example: the LDAP or Active Directory domain.\n\noptional"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Email Address\n\nThe user's primary email address.\n\noptional"]
    #[serde(rename = "email_addr")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_addr: Option<String>,
    #[doc = "Forwarding Address\n\nThe user's forwarding email address.\n\noptional"]
    #[serde(rename = "forward_addr")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub forward_addr: Option<String>,
    #[doc = "Full Name\n\nThe full name of the user, as reported by the product.\n\noptional"]
    #[serde(rename = "full_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub full_name: Option<String>,
    #[doc = "Groups\n\nThe administrative groups to which the user belongs.\n\noptional"]
    #[serde(rename = "groups")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub groups: Option<Vec<Group>>,
    #[doc = "MFA Assigned\n\nThe user has a multi-factor or secondary-factor device assigned.\n\nrecommended"]
    #[serde(rename = "has_mfa")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub has_mfa: Option<bool>,
    #[doc = "LDAP Person\n\nThe additional LDAP attributes that describe a person.\n\noptional"]
    #[serde(rename = "ldap_person")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub ldap_person: Option<Box<LdapPerson>>,
    #[doc = "Name\n\nThe username. For example, <code>janedoe1</code>.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Organization\n\nOrganization and org unit related to the user.\n\noptional"]
    #[serde(rename = "org")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub org: Option<Box<Organization>>,
    #[doc = "Telephone Number\n\nThe telephone number of the user.\n\noptional"]
    #[serde(rename = "phone_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub phone_number: Option<String>,
    #[doc = "Programmatic Credentials\n\nDetails about the programmatic credential (API keys, access tokens, certificates, etc) associated to the user.\n\noptional"]
    #[serde(rename = "programmatic_credentials")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub programmatic_credentials: Option<Vec<ProgrammaticCredential>>,
    #[doc = "Risk Level\n\nThe risk level, normalized to the caption of the risk_level_id value.\n\noptional"]
    #[serde(rename = "risk_level")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level: Option<String>,
    #[doc = "Risk Level ID\n\nThe normalized risk level id.\n\noptional"]
    #[serde(rename = "risk_level_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_level_id: Option<i64>,
    #[doc = "Risk Score\n\nThe risk score as reported by the event source.\n\noptional"]
    #[serde(rename = "risk_score")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub risk_score: Option<i64>,
    #[doc = "Type\n\nThe type of the user. For example, System, AWS IAM User, etc.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe account type identifier.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nThe alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
}
#[doc = "Vendor Attributes\n\nThe Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-provided values and consumer-updated values, of key attributes like <code>severity_id</code>.<br>The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.\n\n[] Category:  | Name: vendor_attributes"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct VendorAttributes {
    #[doc = "Severity\n\nThe finding severity, as reported by the Vendor (Finding Provider). The value should be normalized to the caption of the <code>severity_id</code> value. In the case of 'Other', it is defined by the source.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Severity ID\n\nThe finding severity ID, as reported by the Vendor (Finding Provider).\n\noptional"]
    #[serde(rename = "severity_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity_id: Option<i64>,
}
#[doc = "Vulnerability Details\n\nThe vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.\n\n[] Category:  | Name: vulnerability\n\n**Constraints:**\n* just_one: `[advisory`,`cve`,`cwe]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Vulnerability {
    #[doc = "Security Advisory\n\nDetail about the security advisory, that is used to publicly disclose cybersecurity vulnerabilities by a vendor.\n\noptional"]
    #[serde(rename = "advisory")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub advisory: Option<Box<Advisory>>,
    #[doc = "Affected Code\n\nList of Affected Code objects that describe details about code blocks identified as vulnerable.\n\noptional"]
    #[serde(rename = "affected_code")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub affected_code: Option<Vec<AffectedCode>>,
    #[doc = "Affected Software Packages\n\nList of software packages identified as affected by a vulnerability/vulnerabilities.\n\noptional"]
    #[serde(rename = "affected_packages")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub affected_packages: Option<Vec<AffectedPackage>>,
    #[doc = "Category\n\nThe category of a vulnerability or weakness, as reported by the source tool, such as <code>Container Security</code> or <code>Open Source Security</code>.\n\noptional"]
    #[serde(rename = "category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub category: Option<String>,
    #[doc = "CVE\n\nDescribes the Common Vulnerabilities and Exposures <a target='_blank' href='https://cve.mitre.org/'>(CVE)</a> details related to the vulnerability.\n\nrecommended"]
    #[serde(rename = "cve")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cve: Option<Box<Cve>>,
    #[doc = "CWE\n\nDescribes the Common Weakness Enumeration <a target='_blank' href='https://cwe.mitre.org/'>(CWE)</a> details related to the vulnerability.\n\nrecommended"]
    #[serde(rename = "cwe")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cwe: Option<Box<Cwe>>,
    #[doc = "Dependency Chain\n\nInformation about the chain of dependencies related to the issue as reported by an Application Security or Vulnerability Management tool. E.g., <code>serverless-offline -> @serverless/utils -> memoizee -> es5-ext</code>.\n\noptional"]
    #[serde(rename = "dependency_chain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dependency_chain: Option<String>,
    #[doc = "Description\n\nThe description of the vulnerability.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Exploit Last Seen Time\n\nThe time when the exploit was most recently observed.\n\noptional"]
    #[serde(rename = "exploit_last_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub exploit_last_seen_time: Option<i64>,
    #[doc = "Exploit Last Seen Time\n\nThe time when the exploit was most recently observed.\n\noptional"]
    #[serde(rename = "exploit_last_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub exploit_last_seen_time_dt: Option<String>,
    #[doc = "Exploit URL\n\nThe URL of the exploit code or Proof-of-Concept (PoC).\n\noptional"]
    #[serde(rename = "exploit_ref_url")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub exploit_ref_url: Option<String>,
    #[doc = "Exploit Requirement\n\nThe requirement description related to any constraints around exploit execution.\n\noptional"]
    #[serde(rename = "exploit_requirement")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub exploit_requirement: Option<String>,
    #[doc = "Exploit Type\n\nThe categorization or type of Exploit. E.g., <code>Network</code> or <code>Physical</code>.\n\noptional"]
    #[serde(rename = "exploit_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub exploit_type: Option<String>,
    #[doc = "First Seen\n\nThe time when the vulnerability was first observed.\n\noptional"]
    #[serde(rename = "first_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time: Option<i64>,
    #[doc = "First Seen\n\nThe time when the vulnerability was first observed.\n\noptional"]
    #[serde(rename = "first_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub first_seen_time_dt: Option<String>,
    #[doc = "Fix Availability\n\nIndicates if a fix is available for the reported vulnerability.\n\noptional"]
    #[serde(rename = "fix_available")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub fix_available: Option<bool>,
    #[doc = "Fix Coverage\n\nThe fix coverage, normalized to the caption of the <code>fix_coverage_id</code> value.\n\noptional"]
    #[serde(rename = "fix_coverage")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub fix_coverage: Option<String>,
    #[doc = "Fix Coverage ID\n\nThe normalized identifier for fix coverage, applicable to this vulnerability. Typically useful, when there are multiple affected packages but only a subset have available fixes.\n\noptional"]
    #[serde(rename = "fix_coverage_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub fix_coverage_id: Option<i64>,
    #[doc = "Exploit Availability\n\nIndicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.\n\noptional"]
    #[serde(rename = "is_exploit_available")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_exploit_available: Option<bool>,
    #[doc = "Fix Availability\n\nIndicates if a fix is available for the reported vulnerability.\n\noptional"]
    #[serde(rename = "is_fix_available")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_fix_available: Option<bool>,
    #[doc = "Knowledgebase Articles\n\nA list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.\n\noptional"]
    #[serde(rename = "kb_article_list")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kb_article_list: Option<Vec<KbArticle>>,
    #[doc = "Knowledgebase Articles\n\nThe KB article/s related to the entity. A KB Article contains metadata that describes the patch or an update.\n\noptional"]
    #[serde(rename = "kb_articles")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub kb_articles: Option<Vec<String>>,
    #[doc = "Last Seen\n\nThe time when the vulnerability was most recently observed.\n\noptional"]
    #[serde(rename = "last_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time: Option<i64>,
    #[doc = "Last Seen\n\nThe time when the vulnerability was most recently observed.\n\noptional"]
    #[serde(rename = "last_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time_dt: Option<String>,
    #[doc = "Software Packages\n\nList of vulnerable packages as identified by the security product\n\noptional"]
    #[serde(rename = "packages")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub packages: Option<Vec<Package>>,
    #[doc = "References\n\nA list of reference URLs with additional information about the vulnerability.\n\nrecommended"]
    #[serde(rename = "references")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub references: Option<Vec<String>>,
    #[doc = "Related Vulnerability IDs\n\nList of vulnerability IDs (e.g. CVE ID) that are related to this vulnerability.\n\noptional"]
    #[serde(rename = "related_vulnerabilities")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub related_vulnerabilities: Option<Vec<String>>,
    #[doc = "Remediation Guidance\n\nThe remediation recommendations on how to mitigate the identified vulnerability.\n\noptional"]
    #[serde(rename = "remediation")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub remediation: Option<Box<Remediation>>,
    #[doc = "Severity\n\nThe vendor assigned severity of the vulnerability.\n\noptional"]
    #[serde(rename = "severity")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub severity: Option<String>,
    #[doc = "Title\n\nA title or a brief phrase summarizing the discovered vulnerability.\n\noptional"]
    #[serde(rename = "title")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub title: Option<String>,
    #[doc = "Vendor Name\n\nThe name of the vendor that identified the vulnerability.\n\noptional"]
    #[serde(rename = "vendor_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub vendor_name: Option<String>,
}
#[doc = "Web Resource\n\nThe Web Resource object describes characteristics of a web resource that was affected by the activity/event.\n\n[] Category:  | Name: web_resource\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WebResource {
    #[doc = "Created Time\n\nThe time when the resource was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the resource was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Data\n\nDetails of the web resource, e.g, <code>file</code> details, <code>search</code> results or application-defined resource.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Description\n\nDescription of the web resource.\n\noptional"]
    #[serde(rename = "desc")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub desc: Option<String>,
    #[doc = "Labels\n\nThe list of labels associated to the resource.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Modified Time\n\nThe time when the resource was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the resource was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe name of the web resource.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the resource.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Type\n\nThe web resource type as defined by the event source.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Unique ID\n\nThe unique identifier of the web resource.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nThe alternative unique identifier of the resource.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
    #[doc = "URL String\n\nThe URL pointing towards the source of the web resource.\n\nrecommended"]
    #[serde(rename = "url_string")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url_string: Option<String>,
}
#[doc = "WHOIS\n\nThe resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.\n\n[] Category:  | Name: whois"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct Whois {
    #[doc = "Autonomous System\n\nThe autonomous system information associated with a domain.\n\noptional"]
    #[serde(rename = "autonomous_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub autonomous_system: Option<Box<AutonomousSystem>>,
    #[doc = "Registered At\n\nWhen the domain was registered or WHOIS entry was created.\n\nrecommended"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Registered At\n\nWhen the domain was registered or WHOIS entry was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "DNSSEC Status\n\nThe normalized value of dnssec_status_id.\n\noptional"]
    #[serde(rename = "dnssec_status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dnssec_status: Option<String>,
    #[doc = "DNSSEC Status ID\n\nDescribes the normalized status of DNS Security Extensions (DNSSEC) for a domain.\n\nrecommended"]
    #[serde(rename = "dnssec_status_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub dnssec_status_id: Option<i64>,
    #[doc = "Domain\n\nThe domain name corresponding to the WHOIS record.\n\nrecommended"]
    #[serde(rename = "domain")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain: Option<String>,
    #[doc = "Domain Contacts\n\nAn array of <code>Domain Contact</code> objects.\n\nrecommended"]
    #[serde(rename = "domain_contacts")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub domain_contacts: Option<Vec<DomainContact>>,
    #[doc = "Registrar Abuse Email Address\n\nThe email address for the registrar's abuse contact\n\noptional"]
    #[serde(rename = "email_addr")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub email_addr: Option<String>,
    #[doc = "ISP Name\n\nThe name of the Internet Service Provider (ISP).\n\noptional"]
    #[serde(rename = "isp")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub isp: Option<String>,
    #[doc = "ISP Org\n\nThe organization name of the Internet Service Provider (ISP). This represents the parent organization or company that owns/operates the ISP. For example, Comcast Corporation would be the ISP org for Xfinity internet service. This attribute helps identify the ultimate provider when ISPs operate under different brand names.\n\noptional"]
    #[serde(rename = "isp_org")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub isp_org: Option<String>,
    #[doc = "Last Updated At\n\nWhen the WHOIS record was last updated or seen at.\n\nrecommended"]
    #[serde(rename = "last_seen_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time: Option<i64>,
    #[doc = "Last Updated At\n\nWhen the WHOIS record was last updated or seen at.\n\noptional"]
    #[serde(rename = "last_seen_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_seen_time_dt: Option<String>,
    #[doc = "Name Servers\n\nA collection of name servers related to a domain registration or other record.\n\nrecommended"]
    #[serde(rename = "name_servers")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name_servers: Option<Vec<String>>,
    #[doc = "Registrar Abuse Phone Number\n\nThe phone number for the registrar's abuse contact\n\noptional"]
    #[serde(rename = "phone_number")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub phone_number: Option<String>,
    #[doc = "Domain Registrar\n\nThe domain registrar.\n\nrecommended"]
    #[serde(rename = "registrar")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub registrar: Option<String>,
    #[doc = "Domain Status\n\nThe status of a domain and its ability to be transferred, e.g., <code>clientTransferProhibited</code>.\n\nrecommended"]
    #[serde(rename = "status")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub status: Option<String>,
    #[doc = "Subdomains\n\nAn array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).\n\noptional"]
    #[serde(rename = "subdomains")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subdomains: Option<Vec<String>>,
    #[doc = "Subnet Block\n\nThe IP address block (CIDR) associated with a domain.\n\noptional"]
    #[serde(rename = "subnet")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub subnet: Option<String>,
}
#[doc = "Registry Key\n\nThe registry key object describes a Windows registry key.\n\n[] Category:  | Name: reg_key"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinRegKey {
    #[doc = "System\n\nThe indication of whether the object is part of the operating system.\n\noptional"]
    #[serde(rename = "is_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_system: Option<bool>,
    #[doc = "Modified Time\n\nThe time when the registry key was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the registry key was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Path\n\nThe full path to the registry key.\n\nrequired"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Security Descriptor\n\nThe security descriptor of the registry key.\n\noptional"]
    #[serde(rename = "security_descriptor")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub security_descriptor: Option<String>,
}
#[doc = "Registry Value\n\nThe registry value object describes a Windows registry value.\n\n[] Category:  | Name: reg_value"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinRegValue {
    #[doc = "Data\n\nThe data of the registry value. Where the value type is known, implementers should instead use a type-specific attribute, i.e. <code>reg_binary_data</code>, <code>reg_integer_data</code>, <code>reg_string_data</code>, or <code>reg_string_list_data</code>.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Default Value\n\nThe indication of whether the value is from a default value name. For example, the value name could be missing.\n\noptional"]
    #[serde(rename = "is_default")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_default: Option<bool>,
    #[doc = "System\n\nThe indication of whether the object is part of the operating system.\n\noptional"]
    #[serde(rename = "is_system")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub is_system: Option<bool>,
    #[doc = "Modified Time\n\nThe time when the registry value was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the registry value was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe name of the registry value.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Path\n\nThe full path to the registry key, where the value is located.\n\nrequired"]
    #[serde(rename = "path")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub path: Option<String>,
    #[doc = "Registry Binary Data\n\nThe data of the registry value when <code>type_id</code> is <code>REG_BINARY</code> or <code>REG_NONE</code>.\n\noptional"]
    #[serde(rename = "reg_binary_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_binary_data: Option<String>,
    #[doc = "Registry Integer Data\n\nThe data of the registry value when <code>type_id</code> is <code>REG_DWORD</code>, <code>REG_DWORD_BIG_ENDIAN</code>, or <code>REG_QWORD</code>.\n\noptional"]
    #[serde(rename = "reg_integer_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_integer_data: Option<i64>,
    #[doc = "Registry String Data\n\nThe data of the registry value when <code>type_id</code> is <code>REG_SZ</code>, <code>REG_EXPAND_SZ</code>, or <code>REG_LINK</code>.\n\noptional"]
    #[serde(rename = "reg_string_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_string_data: Option<String>,
    #[doc = "Registry String List Data\n\nThe data of the registry value when <code>type_id</code> is <code>REG_MULTI_SZ</code>.\n\noptional"]
    #[serde(rename = "reg_string_list_data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub reg_string_list_data: Option<Vec<String>>,
    #[doc = "Type\n\nA string representation of the value type as specified in <a target='_blank' href='https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types'>Registry Value Types</a>.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe value type ID.\n\nrecommended"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
}
#[doc = "Windows Resource\n\nThe Windows resource object describes a resource object managed by Windows, such as mutant or timer.\n\n[] Category:  | Name: win_resource\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinWinResource {
    #[doc = "Created Time\n\nThe time when the resource was created.\n\noptional"]
    #[serde(rename = "created_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time: Option<i64>,
    #[doc = "Created Time\n\nThe time when the resource was created.\n\noptional"]
    #[serde(rename = "created_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub created_time_dt: Option<String>,
    #[doc = "Data\n\nAdditional data describing the resource.\n\noptional"]
    #[serde(rename = "data")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data: Option<serde_json::Value>,
    #[doc = "Data Classification\n\nThe Data Classification object includes information about data classification levels and data category types.\n\nrecommended"]
    #[serde(rename = "data_classification")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classification: Option<Box<DataClassification>>,
    #[doc = "Data Classification\n\nA list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.\n\nrecommended"]
    #[serde(rename = "data_classifications")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub data_classifications: Option<Vec<DataClassification>>,
    #[doc = "Details\n\nThe string detailing the attributes of the resource object.\n\noptional"]
    #[serde(rename = "details")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub details: Option<String>,
    #[doc = "Labels\n\nThe list of labels associated to the resource.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Modified Time\n\nThe time when the resource was last modified.\n\noptional"]
    #[serde(rename = "modified_time")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time: Option<i64>,
    #[doc = "Modified Time\n\nThe time when the resource was last modified.\n\noptional"]
    #[serde(rename = "modified_time_dt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub modified_time_dt: Option<String>,
    #[doc = "Name\n\nThe name of the resource object.\n\nrecommended"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Service Name\n\nThe Windows service acting as the object server for the resource object, such as Security or Security Account Manager.\n\noptional"]
    #[serde(rename = "svc_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub svc_name: Option<String>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the resource.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Type\n\nThe type of the Windows resource object.\n\noptional"]
    #[serde(rename = "type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub r#type: Option<String>,
    #[doc = "Type ID\n\nThe normalized type identifier of the Windows resource object accessed.\n\nrequired"]
    #[serde(rename = "type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub type_id: Option<i64>,
    #[doc = "Unique ID\n\nThe Windows provided handle identifier for the resource object\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Alternate ID\n\nThe alternative unique identifier of the resource.\n\noptional"]
    #[serde(rename = "uid_alt")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid_alt: Option<String>,
}
#[doc = "Windows Service\n\nThe Windows Service object describes a Windows service.\n\n[] Category:  | Name: win_service\n\n**Constraints:**\n* at_least_one: `[name`,`uid]`\n"]
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
#[serde(default)]
#[non_exhaustive]
pub struct WinWinService {
    #[doc = "Command Line\n\nThe full command line used to launch the service.\n\nrecommended"]
    #[serde(rename = "cmd_line")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cmd_line: Option<String>,
    #[doc = "Hosting Process\n\nThe process that is hosting this service.\n\noptional"]
    #[serde(rename = "hosting_process")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub hosting_process: Option<Box<ProcessEntity>>,
    #[doc = "Labels\n\nThe list of labels associated with the service.\n\noptional"]
    #[serde(rename = "labels")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub labels: Option<Vec<String>>,
    #[doc = "Load Order Group\n\nThe name of the load ordering group of which this service is a member.\n\nrecommended"]
    #[serde(rename = "load_order_group")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub load_order_group: Option<String>,
    #[doc = "Name\n\nThe unique name of the service.\n\nrequired"]
    #[serde(rename = "name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    #[doc = "Service Category\n\nThe service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "service_category")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_category: Option<String>,
    #[doc = "Service Category ID\n\nThe normalized identifier of the service category.\n\nrecommended"]
    #[serde(rename = "service_category_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_category_id: Option<i64>,
    #[doc = "Service Dependencies\n\nThe names of other services upon which this service has a dependency.\n\nrecommended"]
    #[serde(rename = "service_dependencies")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_dependencies: Option<Vec<String>>,
    #[doc = "Service DLL\n\nFor a shared user mode service (<code>service_type_id</code> is 4) this is the DLL that gets loaded by the generic service host process (e.g. <code>svchost.exe</code>) to implement the service.\n\noptional"]
    #[serde(rename = "service_dll_file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_dll_file: Option<Box<File>>,
    #[doc = "Service Error Control\n\nThe service error control, normalized to the caption of the <code>service_error_control_id</code> value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "service_error_control")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_error_control: Option<String>,
    #[doc = "Service Error Control ID\n\nThe normalized identifier of the service error control.\n\nrecommended"]
    #[serde(rename = "service_error_control_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_error_control_id: Option<i64>,
    #[doc = "Service File\n\nFor a user mode service (<code>service_type_id</code> 3 or 4) this is the executable program that the SCM launches as the service process.<br>For a kernel mode driver (<code>service_type_id</code> 1 or 2) this is the driver file loaded into the kernel at the request of the SCM. \n\nrecommended"]
    #[serde(rename = "service_file")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_file: Option<Box<File>>,
    #[doc = "Service Start Name\n\nFor a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.\n\nrecommended"]
    #[serde(rename = "service_start_name")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_start_name: Option<String>,
    #[doc = "Service Start Type\n\nThe service start type, normalized to the caption of the <code>service_start_type_id</code> value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "service_start_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_start_type: Option<String>,
    #[doc = "Service Start Type ID\n\nThe normalized identifier of the service start type.\n\nrecommended"]
    #[serde(rename = "service_start_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_start_type_id: Option<i64>,
    #[doc = "Service Type\n\nThe service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.\n\noptional"]
    #[serde(rename = "service_type")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_type: Option<String>,
    #[doc = "Service Type ID\n\nThe normalized identifier of the service type.\n\nrecommended"]
    #[serde(rename = "service_type_id")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub service_type_id: Option<i64>,
    #[doc = "Tags\n\nThe list of tags; <code>{key:value}</code> pairs associated to the service.\n\noptional"]
    #[serde(rename = "tags")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tags: Option<Vec<KeyValueObject>>,
    #[doc = "Unique ID\n\nThe unique identifier of the service.\n\nrecommended"]
    #[serde(rename = "uid")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub uid: Option<String>,
    #[doc = "Version\n\nThe version of the service.\n\nrecommended"]
    #[serde(rename = "version")]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}