Finding
<code>finding</code>
<blockquote class="callout callout_warn">
<h3>🚧 WARNING: DEPRECATED</h3>
<p>Finding has been deprecated since 1.0.0. Use the new <code>finding_info</code> object.</p>
</blockquote>
The Finding object describes metadata related to a security finding generated by a security tool or system.
## Attributes
<table>
<tr><th>Caption</th><th>Name</th><th>Type</th><th>Description</th></tr>
<tr id="attr-created_time">
<td>Created Time</td>
<td><code>created_time</code></td>
<td>
<a href="/docs/types#timestamp_t">Timestamp</a>
</td>
<td>
The time when the finding was created.
</td>
</tr>
<tr id="attr-desc">
<td>Description</td>
<td><code>desc</code></td>
<td>
<a href="/docs/types#string_t">String</a>
</td>
<td>
The description of the reported finding.
</td>
</tr>
<tr id="attr-first_seen_time">
<td>First Seen</td>
<td><code>first_seen_time</code></td>
<td>
<a href="/docs/types#timestamp_t">Timestamp</a>
</td>
<td>
The time when the finding was first observed.
</td>
</tr>
<tr id="attr-last_seen_time">
<td>Last Seen</td>
<td><code>last_seen_time</code></td>
<td>
<a href="/docs/types#timestamp_t">Timestamp</a>
</td>
<td>
The time when the finding was most recently observed.
</td>
</tr>
<tr id="attr-modified_time">
<td>Modified Time</td>
<td><code>modified_time</code></td>
<td>
<a href="/docs/types#timestamp_t">Timestamp</a>
</td>
<td>
The time when the finding was last modified.
</td>
</tr>
<tr id="attr-product">
<td>Product</td>
<td><code>product</code></td>
<td>
<a href="/docs/obj-product">Product[]</a>
</td>
<td>
Details about the product that reported the finding.
</td>
</tr>
<tr id="attr-product_uid">
<td>Product Identifier</td>
<td><code>product_uid</code></td>
<td>
<a href="/docs/types#string_t">String</a>
</td>
<td>
The unique identifier of the product that reported the finding.
<blockquote class="callout callout_warn">
<h3>🚧 WARNING: DEPRECATED</h3>
<p>Product Identifier has been deprecated since 1.4.0. Use the <code>uid</code> attribute in the <code>product</code> object instead. See specific usage.</p>
</blockquote>
</td>
</tr>
<tr id="attr-raw_data">
<td>Raw Data</td>
<td><code>raw_data</code></td>
<td>
<a href="/docs/types#json_t">JSON</a>
</td>
<td>
<strong>Group:</strong> <code>context</code><br/>
The event data as received from the event source.
</td>
</tr>
<tr id="attr-record_id">
<td>Record ID</td>
<td><code>record_id</code></td>
<td>
<a href="/docs/types#string_t">String</a>
</td>
<td>
<strong>Group:</strong> <code>primary</code><br/>
The unique identifier for the object.
</td>
</tr>
<tr id="attr-related_events">
<td>Related Events/Findings</td>
<td><code>related_events</code></td>
<td>
<a href="/docs/obj-related_event">Related Event/Finding[]</a>
</td>
<td>
Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.
</td>
</tr>
<tr id="attr-remediation">
<td>Remediation Guidance</td>
<td><code>remediation</code></td>
<td>
<a href="/docs/obj-remediation">Remediation[]</a>
</td>
<td>
Describes the recommended remediation steps to address the identified issue(s).
</td>
</tr>
<tr id="attr-src_url">
<td>Source URL</td>
<td><code>src_url</code></td>
<td>
<a href="/docs/types#url_t">URL String</a>
</td>
<td>
<strong>Entity:</strong> <code>URL_STRING</code><br/>
The URL pointing to the source of the finding.
</td>
</tr>
<tr id="attr-supporting_data">
<td>Supporting Data</td>
<td><code>supporting_data</code></td>
<td>
<a href="/docs/types#json_t">JSON</a>
</td>
<td>
Additional data supporting the finding, as provided by the security tool.
</td>
</tr>
<tr id="attr-title">
<td>Title</td>
<td><code>title</code></td>
<td>
<a href="/docs/types#string_t">String</a>
</td>
<td>
A title or a brief phrase summarizing the reported finding.
</td>
</tr>
<tr id="attr-types">
<td>Types</td>
<td><code>types</code></td>
<td>
<a href="/docs/types#string_t">String[]</a>
</td>
<td>
One or more types of the reported finding.
</td>
</tr>
<tr id="attr-uid">
<td>Unique ID</td>
<td><code>uid</code></td>
<td>
<a href="/docs/types#string_t">String</a>
</td>
<td>
The unique identifier of the reported finding.
</td>
</tr>
<tr id="attr-unmapped">
<td>Unmapped</td>
<td><code>unmapped</code></td>
<td>
<a href="/docs/obj-unmapped">Unmapped[]</a>
</td>
<td>
Data from the source that was not mapped into the schema.
</td>
</tr>
</table>
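The attribute table and the deprecation note on `product_uid` can be enforced when ingesting legacy `finding` objects. The Python linter below is an added example, not part of the schema or of any project code: it flags the deprecated `product_uid`, keys outside the table (candidates for `unmapped`), and inconsistent timestamps. The name `lint_finding`, the integer-timestamp check and the first-seen/last-seen ordering check are assumptions of this example.

```python
# Added example: lint a legacy `finding` object against the attribute table above.
KNOWN_ATTRS = {
    "created_time", "desc", "first_seen_time", "last_seen_time", "modified_time",
    "product", "product_uid", "raw_data", "record_id", "related_events",
    "remediation", "src_url", "supporting_data", "title", "types", "uid", "unmapped",
}
TIME_ATTRS = ("created_time", "first_seen_time", "last_seen_time", "modified_time")
DEPRECATED = {"product_uid": "deprecated since 1.4.0; use `uid` in the `product` object"}


def lint_finding(finding):
    """Return a sorted list of (attribute, message) issues for one finding dict."""
    issues = []
    for key in finding:
        if key not in KNOWN_ATTRS:
            issues.append((key, "not a Finding attribute; carry it under `unmapped`"))
        elif key in DEPRECATED:
            issues.append((key, DEPRECATED[key]))
    for key in TIME_ATTRS:
        value = finding.get(key)
        # Assumption: timestamps are integer epoch values; bool is rejected explicitly.
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            issues.append((key, "timestamp is not an integer"))
    first, last = finding.get("first_seen_time"), finding.get("last_seen_time")
    # Assumption: a finding cannot be first seen after it was last seen.
    if isinstance(first, int) and isinstance(last, int) and first > last:
        issues.append(("first_seen_time", "later than last_seen_time"))
    types = finding.get("types")
    if types is not None and not (
        isinstance(types, list) and all(isinstance(t, str) for t in types)
    ):
        issues.append(("types", "must be an array of strings"))
    return sorted(issues)


# Constructed sample input, not taken from any real product.
SAMPLE = {
    "uid": "finding-0001",
    "title": "Constructed sample finding",
    "types": ["sample-type"],
    "first_seen_time": 1700000600000,
    "last_seen_time": 1700000000000,
    "product_uid": "example-product",
    "vendor_score": 7,  # hypothetical vendor field, not in the table
}

if __name__ == "__main__":
    for attr, msg in lint_finding(SAMPLE):
        print(f"{attr}: {msg}")
```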
## Relationships
<img src="https://schema.query.ai/images/obj-finding.svg" alt="Finding shown in context" />
### Outbound Relationships
Finding references the following objects and events in its attributes:
<ul>
<li><a href="/docs/obj-related_event">Related Event/Finding</a></li>
<li><a href="/docs/obj-product">Product</a></li>
<li><a href="/docs/obj-unmapped">Unmapped</a></li>
<li><a href="/docs/obj-remediation">Remediation</a></li>
</ul>
<p><small><i>This page describes ocsf-1.4.0</i></small></p>