Finding Information

finding_info

The Finding Information object describes metadata related to a security finding generated by a security tool or system.

Attributes

| Caption | Name | Type | Description |
|---|---|---|---|
| Analytic | analytic | Analytic[] | The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion. |
| MITRE ATT&CK® Details | attacks | MITRE ATT&CK®[] | The MITRE ATT&CK® technique and associated tactics related to the finding. |
| Created Time | created_time | Timestamp | The time when the finding was created. |
| Data Sources | data_sources | String[] | A list of data sources used to generate the finding. |
| Description | desc | String | The description of the reported finding. |
| First Seen | first_seen_time | Timestamp | The time when the finding was first observed, e.g., the time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created. |
| Kill Chain | kill_chain | Kill Chain Phase[] | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. |
| Last Seen | last_seen_time | Timestamp | The time when the finding was most recently observed, e.g., the time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified. |
| Modified Time | modified_time | Timestamp | The time when the finding was last modified. |
| Product | product | Product[] | Details about the product that reported the finding. |
| Product Identifier | product_uid | String | The unique identifier of the product that reported the finding. 🚧 WARNING: DEPRECATED. Product Identifier has been deprecated since 1.4.0. Use the uid attribute in the product object instead. See specific usage. |
| Raw Data | raw_data | JSON | Group: context. The event data as received from the event source. |
| Record ID | record_id | String | Group: primary. Unique identifier for the object. |
| Source URL | src_url | URL String | Entity: URL_STRING. The URL pointing to the source of the finding. |
| Tags | tags | Key:Value object[] | The list of tags: {key:value} pairs associated with the finding. |
| Title | title | String | A title or a brief phrase summarizing the reported finding. |
| Types | types | String[] | One or more types of the reported finding. |
| Unique ID | uid | String | The unique identifier of the reported finding. |
| Alternate ID | uid_alt | String | The alternative unique identifier of the reported finding. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
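
A lint pass over one finding_info record, as an added example that is not part of the OCSF schema or its tooling: it checks the String, String[] and Timestamp attributes listed above, flags the deprecated product_uid, and reports keys that belong under unmapped. The epoch-millisecond encoding of Timestamp, the two time-ordering checks, the function names and the sample record are assumptions made for this example.

```python
# Attribute names and types as listed on this page (ocsf-1.4.0 finding_info).
STRING = {"desc", "product_uid", "record_id", "src_url", "title", "uid", "uid_alt"}
STRING_LIST = {"data_sources", "types"}
TIMESTAMP = {"created_time", "first_seen_time", "last_seen_time", "modified_time"}
# Object-typed attributes are recognised but not inspected further here.
OBJECT = {"analytic", "attacks", "kill_chain", "product", "raw_data", "tags", "unmapped"}
KNOWN = STRING | STRING_LIST | TIMESTAMP | OBJECT


def _is_ts(value):
    # Assumption: Timestamp is a non-negative integer of epoch milliseconds.
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def lint_finding_info(fi):
    """Return a list of issue strings for one finding_info dict."""
    issues = []
    for key, value in fi.items():
        if key not in KNOWN:
            issues.append(f"{key}: not a finding_info attribute, belongs under unmapped")
        elif key in STRING and not isinstance(value, str):
            issues.append(f"{key}: expected String")
        elif key in STRING_LIST and not (
            isinstance(value, list) and all(isinstance(v, str) for v in value)
        ):
            issues.append(f"{key}: expected String[]")
        elif key in TIMESTAMP and not _is_ts(value):
            issues.append(f"{key}: expected Timestamp")
    if "product_uid" in fi:
        issues.append("product_uid: deprecated since 1.4.0, use uid in the product object")
    # Assumed sanity checks: an interval must not end before it starts.
    for early, late in (("first_seen_time", "last_seen_time"), ("created_time", "modified_time")):
        if _is_ts(fi.get(early)) and _is_ts(fi.get(late)) and fi[early] > fi[late]:
            issues.append(f"{late}: earlier than {early}")
    return issues


# Constructed sample record; every value is made up for this example.
SAMPLE = {
    "uid": "finding-0001", "title": "Outdated TLS library on build host",
    "types": ["Vulnerability"], "data_sources": "scanner",  # should be a list
    "created_time": 1700000500000, "modified_time": 1700000400000,  # reversed
    "first_seen_time": 1700000000000, "last_seen_time": 1700000300000,
    "product_uid": "scanner-01",  # deprecated attribute
    "severity": "High",  # not an attribute of this object
}

if __name__ == "__main__":
    print("\n".join(lint_finding_info(SAMPLE)))
```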

Relationships

Finding Information shown in context

Inbound Relationships

These objects and events reference Finding Information in their attributes:

Outbound Relationships

Finding Information references the following objects and events in its attributes:

This page describes ocsf-1.4.0