QueryEvidence

Struct QueryEvidence

#[non_exhaustive]
pub struct QueryEvidence {
    pub connection_info: Option<Box<NetworkConnectionInfo>>,
    pub file: Option<Box<File>>,
    pub folder: Option<Box<File>>,
    pub group: Option<Box<Group>>,
    pub job: Option<Box<Job>>,
    pub kernel: Option<Box<Kernel>>,
    pub module: Option<Box<Module>>,
    pub network_interfaces: Option<Vec<NetworkInterface>>,
    pub peripheral_device: Option<Box<PeripheralDevice>>,
    pub process: Option<Box<Process>>,
    pub query_type: Option<String>,
    pub query_type_id: Option<i64>,
    pub reg_key: Option<Box<WinRegKey>>,
    pub reg_value: Option<Box<WinRegValue>>,
    pub service: Option<Box<Service>>,
    pub session: Option<Box<Session>>,
    pub startup_item: Option<Box<StartupItem>>,
    pub state: Option<String>,
    pub tcp_state_id: Option<i64>,
    pub user: Option<Box<User>>,
    pub users: Option<Vec<User>>,
}

Query Evidence

The resulting evidence information that was queried.

Category: | Name: query_evidence

Constraints:

  • just_one: [connection_info,file,folder,group,job,kernel,module,network_interfaces,peripheral_device,process,reg_key,reg_value,service,session,startup_item,user]

Fields (Non-exhaustive)

This struct is marked as non-exhaustive.
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.

connection_info: Option<Box<NetworkConnectionInfo>>

Connection Info

The network connection information related to a Network Connection query type.

recommended

file: Option<Box<File>>

File

The file that is the target of the query when query_type_id indicates a File query.

recommended

folder: Option<Box<File>>

Folder

The folder that is the target of the query when query_type_id indicates a Folder query.

recommended

group: Option<Box<Group>>

Group

The administrative group that is the target of the query when query_type_id indicates an Admin Group query.

recommended

job: Option<Box<Job>>

Job

The job object that pertains to the event when query_type_id indicates a Job query.

recommended

kernel: Option<Box<Kernel>>

Kernel

The kernel object that pertains to the event when query_type_id indicates a Kernel query.

recommended

module: Option<Box<Module>>

Module

The module that pertains to the event when query_type_id indicates a Module query.

recommended

network_interfaces: Option<Vec<NetworkInterface>>

Network Interfaces

The physical or virtual network interfaces that are associated with the device when query_type_id indicates a Network Interfaces query.

recommended

peripheral_device: Option<Box<PeripheralDevice>>

Peripheral Device

The peripheral device that triggered the event when query_type_id indicates a Peripheral Device query.

recommended

process: Option<Box<Process>>

Process

The process that pertains to the event when query_type_id indicates a Process query.

recommended

query_type: Option<String>

Query Type

The normalized caption of query_type_id or the source-specific query type.

optional

query_type_id: Option<i64>

Query Type ID

The normalized type of system query performed against a device or system component.

required

reg_key: Option<Box<WinRegKey>>

Registry Key

The registry key object describes a Windows registry key.

recommended

reg_value: Option<Box<WinRegValue>>

Registry Value

The registry value object describes a Windows registry value.

recommended

service: Option<Box<Service>>

Service

The service that pertains to the event when query_type_id indicates a Service query.

recommended

session: Option<Box<Session>>

Session

The authenticated user or service session when query_type_id indicates a Session query.

recommended

startup_item: Option<Box<StartupItem>>

Startup Item

The startup item object that pertains to the event when query_type_id indicates a Startup Item query.

recommended

state: Option<String>

Network Connection State

The state of the socket, normalized to the caption of the state_id value. In the case of ‘Other’, it is defined by the event source.

optional

tcp_state_id: Option<i64>

TCP State ID

The state of the TCP socket for the network connection.

optional

user: Option<Box<User>>

User

The user that pertains to the event when query_type_id indicates a User query.

recommended

users: Option<Vec<User>>

Users

The users that belong to the administrative group when query_type_id indicates a Users query.

optional
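The just_one constraint listed under Constraints and the required marker on query_type_id are the two schema rules a consumer should enforce before accepting or emitting a query_evidence object; note that query_type, query_type_id, state, tcp_state_id and users are not in the just_one set, so a populated users list does not satisfy it. The following is an added example, not code from this crate: it declares a stand-in struct with the same field names (the nested OCSF object types are replaced by a single placeholder Obj so it builds with the standard library alone, and #[non_exhaustive] is omitted so that struct update syntax works inside the example) and checks both rules. The query_type_id value in the constructed samples is a placeholder; this page does not list the enum's values.

```rust
// Added example (not the crate's own code): a stand-in for QueryEvidence used
// to enforce the schema's `just_one` constraint and the `required`
// query_type_id. Nested OCSF objects are replaced by the placeholder `Obj`.

#[derive(Debug, Clone, Default, PartialEq)]
pub struct Obj(pub String);

#[derive(Debug, Clone, Default, PartialEq)]
pub struct QueryEvidence {
    pub connection_info: Option<Box<Obj>>,
    pub file: Option<Box<Obj>>,
    pub folder: Option<Box<Obj>>,
    pub group: Option<Box<Obj>>,
    pub job: Option<Box<Obj>>,
    pub kernel: Option<Box<Obj>>,
    pub module: Option<Box<Obj>>,
    pub network_interfaces: Option<Vec<Obj>>,
    pub peripheral_device: Option<Box<Obj>>,
    pub process: Option<Box<Obj>>,
    pub query_type: Option<String>,
    pub query_type_id: Option<i64>,
    pub reg_key: Option<Box<Obj>>,
    pub reg_value: Option<Box<Obj>>,
    pub service: Option<Box<Obj>>,
    pub session: Option<Box<Obj>>,
    pub startup_item: Option<Box<Obj>>,
    pub state: Option<String>,
    pub tcp_state_id: Option<i64>,
    pub user: Option<Box<Obj>>,
    pub users: Option<Vec<Obj>>,
}

#[derive(Debug, PartialEq)]
pub enum EvidenceError {
    MissingQueryTypeId,
    NoEvidence,
    MultipleEvidence(Vec<&'static str>),
}

impl QueryEvidence {
    /// Names of the `just_one` fields that are populated, in schema order.
    /// query_type, query_type_id, state, tcp_state_id and users are
    /// intentionally absent: the schema excludes them from the constraint.
    pub fn populated_evidence(&self) -> Vec<&'static str> {
        let slots: [(&'static str, bool); 16] = [
            ("connection_info", self.connection_info.is_some()),
            ("file", self.file.is_some()),
            ("folder", self.folder.is_some()),
            ("group", self.group.is_some()),
            ("job", self.job.is_some()),
            ("kernel", self.kernel.is_some()),
            ("module", self.module.is_some()),
            ("network_interfaces", self.network_interfaces.is_some()),
            ("peripheral_device", self.peripheral_device.is_some()),
            ("process", self.process.is_some()),
            ("reg_key", self.reg_key.is_some()),
            ("reg_value", self.reg_value.is_some()),
            ("service", self.service.is_some()),
            ("session", self.session.is_some()),
            ("startup_item", self.startup_item.is_some()),
            ("user", self.user.is_some()),
        ];
        slots.iter().filter(|(_, set)| *set).map(|(name, _)| *name).collect()
    }

    /// Enforce the required query_type_id and the just_one constraint.
    /// On success returns the name of the single populated evidence field.
    pub fn validate(&self) -> Result<&'static str, EvidenceError> {
        if self.query_type_id.is_none() {
            return Err(EvidenceError::MissingQueryTypeId);
        }
        match self.populated_evidence().as_slice() {
            [] => Err(EvidenceError::NoEvidence),
            [only] => Ok(*only),
            many => Err(EvidenceError::MultipleEvidence(many.to_vec())),
        }
    }
}

fn main() {
    // Constructed sample: one evidence field (process) is set, so it passes.
    let ok = QueryEvidence {
        query_type_id: Some(1), // placeholder id; enum values are not on this page
        process: Some(Box::new(Obj("sample-process".into()))),
        users: Some(vec![Obj("sample-user".into())]), // not part of just_one
        ..Default::default()
    };
    println!("{:?}", ok.validate());

    // Constructed sample: file and process both set violates just_one.
    let bad = QueryEvidence {
        query_type_id: Some(1),
        file: Some(Box::new(Obj("sample-file".into()))),
        process: Some(Box::new(Obj("sample-process".into()))),
        ..Default::default()
    };
    println!("{:?}", bad.validate());
}
```

Running the validator at the point where events are ingested rejects records that carry no evidence at all, records that mix two evidence objects, and records missing the required query_type_id, which is what a detection pipeline needs before it keys on the evidence field by name.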

Trait Implementations

impl Clone for QueryEvidence

fn clone(&self) -> QueryEvidence

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for QueryEvidence

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for QueryEvidence

fn default() -> QueryEvidence

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for QueryEvidence

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for QueryEvidence

fn eq(&self, other: &QueryEvidence) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for QueryEvidence

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for QueryEvidence

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

This is a nightly-only experimental API (clone_to_uninit).
Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,