Finding Information
finding_info
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Analytic | analytic | Analytic[] | The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion. |
| Attack Graph | attack_graph | Graph[] | Group:contextAn Attack Graph describes possible routes an attacker could take through an environment. It describes relationships between resources and their findings, such as malware detections, vulnerabilities, misconfigurations, and other security actions. |
| MITRE ATT&CK® and ATLAS™ Details | attacks | MITRE ATT&CK® & ATLAS™[] | The MITRE ATT&CK® technique and associated tactics related to the finding. |
| Created Time | created_time | Timestamp | The time when the finding was created. |
| Data Sources | data_sources | String[] | A list of data sources utilized in generation of the finding. |
| Description | desc | String | The description of the reported finding. |
| First Seen | first_seen_time | Timestamp | The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created. |
| Kill Chain | kill_chain | Kill Chain Phase[] | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. |
| Last Seen | last_seen_time | Timestamp | The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified. |
| Modified Time | modified_time | Timestamp | The time when the finding was last modified. |
| Product | product | Product[] | Details about the product that reported the finding. |
| Product Identifier | product_uid | String | The unique identifier of the product that reported the finding.
|
| Raw Data | raw_data | JSON | Group:contextThe event data as received from the event source. |
| Record ID | record_id | String | Group:primaryUnique identifier for the object |
| Related Analytics | related_analytics | Analytic[] | Other analytics related to this finding. |
| Related Events/Findings | related_events | Related Event/Finding[] | Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF. |
| Related Events/Findings Count | related_events_count | Integer | Number of related events or findings. |
| Source URL | src_url | URL String | Entity:URL_STRINGThe URL pointing to the source of the finding. |
| Tags | tags | Key:Value object[] | The list of tags; key:value pairs associated with the finding. |
| Title | title | String | A title or a brief phrase summarizing the reported finding. |
| Traits | traits | Trait[] | The list of key traits or characteristics extracted from the finding. |
| Types | types | String[] | One or more types of the reported finding. |
| Unique ID | uid | String | The unique identifier of the reported finding. |
| Alternate ID | uid_alt | String | The alternative unique identifier of the reported finding. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
Relationships
Inbound Relationships
These objects and events reference Finding Information in their attributes:
- Detection Finding
- Incident Finding
- Vulnerability Finding
- Application Security Posture Finding
- Compliance Finding
- Data Security Finding
- IAM Analysis Finding
Outbound Relationships
Finding Information references the following objects and events in its attributes:
- Trait
- MITRE ATT&CK® & ATLAS™
- Related Event/Finding
- Product
- Key:Value object
- Graph
- Unmapped
- Analytic
- Kill Chain Phase
This page describes qdm-1.5.1+ocsf-1.6.0
Updated about 1 month ago
Did this page help you?