NSRL CASE UCO mapping
NSRLMFG mapping
NSRL | CASE/UCO Class | CASE/UCO Property | Mapping Examples | CASE/UCO Example |
---|---|---|---|---|
MfgCode | uco-core.UcoObject; NA (GAP)🔴 | uco-core.UcoObject.id (for universal identification); NA (GAP)🔴 (for NSRL local ID) (likely capture in ExternalID property bundle #38) | NSRLMfg mapping | |
MfgName | uco-core.Identity | uco-core.Identity.name | NSRLMfg mapping |
NSRLOS mapping
NSRL | CASE/UCO Class | CASE/UCO Property | Mapping Examples | CASE/UCO Example |
---|---|---|---|---|
OpSystemCode | uco-core.UcoObject; NA (GAP)🔴 | uco-core.UcoObject.id (for universal identification); NA (GAP)🔴 (for NSRL local ID) (likely capture in ExternalID property bundle #38) | NSRLOS mapping | |
OpSystemName | uco-observable.CyberItem(Trace) | uco-observable.CyberItem(Trace).name | NSRLOS mapping | |
OpSystemVersion | uco-observable.OperatingSystem | uco-observable.OperatingSystem.version | NSRLOS mapping | |
MfgCode | uco-observable.OperatingSystem | uco-observable.OperatingSystem.manufacturer | NSRLOS mapping |
NSRLPROD mapping
NSRL | CASE/UCO Class | CASE/UCO Property | Mapping Examples | CASE/UCO Example |
---|---|---|---|---|
ProductCode | uco-core.UcoObject; NA (GAP)🔴 | uco-core.UcoObject.id (for universal identification); NA (GAP)🔴 (for NSRL local ID) (likely capture in ExternalID property bundle #38) | NSRLProd mapping | |
ProductName | uco-observable.CyberItem(Trace) | uco-observable.CyberItem(Trace).name | NSRLProd mapping | |
ProductVersion | uco-observable.Software | uco-observable.Software.version | NSRLProd mapping | |
OpSystemCode | uco-observable.Application | uco-observable.Application.operatingSystem | NSRLProd mapping | |
MfgCode | uco-observable.Software | uco-observable.Software.manufacturer | NSRLProd mapping | |
Language | NA (GAP)🔴 | |||
ApplicationType | NA (GAP)🔴 |
NSRLFile mapping
NSRL | CASE/UCO Class | CASE/UCO Property | Mapping Examples | CASE/UCO Example |
---|---|---|---|---|
SHA-1 | uco-observable.ContentData | uco-observable.ContentData.Hash.hashMethod="SHA1" AND uco-observable.ContentData.Hash.hashValue | NSRLFile mapping | |
MD5 | uco-observable.ContentData | uco-observable.ContentData.Hash.hashMethod="MD5" AND uco-observable.ContentData.Hash.hashValue | NSRLFile mapping | |
CRC32 | uco-observable.ContentData | uco-observable.ContentData.Hash.hashMethod="CRC32" AND uco-observable.ContentData.Hash.hashValue | NSRLFile mapping | |
FileName | uco-observable.File | uco-observable.File.fileName | NSRLFile mapping | |
FileSize | uco-observable.File OR uco-observable.ContentData | uco-observable.File.sizeInBytes (file system asserted) OR uco-observable.ContentData.sizeInBytes (actual) | NSRLFile mapping | |
ProductCode | uco-core.Relationship | uco-core.Relationship.kindOfRelationship="contained-within" AND uco-core.Relationship.source=id of file object AND uco-core.Relationship.target=id of product object | NSRLFile mapping | |
OpSystemCode | uco-core.Relationship | uco-core.Relationship.kindOfRelationship="RelevantTo" AND uco-core.Relationship.source=id of operating system object AND uco-core.Relationship.target=id of operating system object | NSRLFile mapping | |
SpecialCode | NA (GAP)🔴 | Is this field actually used? |