Finding Information
finding_info
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Analytic | analytic | Analytic[] | The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion. |
| Attack Graph | attack_graph | Graph[] | Group: |
| MITRE ATT&CK® and ATLAS™ Details | attacks | MITRE ATT&CK® & ATLAS™[] | The MITRE ATT&CK® technique and associated tactics related to the finding. |
| Created Time | created_time | Timestamp | The time when the finding was created. |
| Data Sources | data_sources | String[] | A list of data sources utilized in generation of the finding. |
| Description | desc | String | The description of the reported finding. |
| First Seen | first_seen_time | Timestamp | The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created. |
| Kill Chain | kill_chain | Kill Chain Phase[] | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. |
| Last Seen | last_seen_time | Timestamp | The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified. |
| Modified Time | modified_time | Timestamp | The time when the finding was last modified. |
| Product | product | Product[] | Details about the product that reported the finding. |
| Product Identifier | product_uid | String | The unique identifier of the product that reported the finding.
|
| Raw Data | raw_data | JSON | Group: |
| Record ID | record_id | String | Group: |
| Related Analytics | related_analytics | Analytic[] | Other analytics related to this finding. |
| Related Events/Findings | related_events | Related Event/Finding[] | Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF. |
| Related Events/Findings Count | related_events_count | Integer | Number of related events or findings. |
| Source URL | src_url | URL String | Entity: |
| Tags | tags | Key:Value object[] | The list of tags; key:value pairs associated with the finding. |
| Title | title | String | A title or a brief phrase summarizing the reported finding. |
| Traits | traits | Trait[] | The list of key traits or characteristics extracted from the finding. |
| Types | types | String[] | One or more types of the reported finding. |
| Unique ID | uid | String | The unique identifier of the reported finding. |
| Alternate ID | uid_alt | String | The alternative unique identifier of the reported finding. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
Relationships
Inbound Relationships
These objects and events reference Finding Information in their attributes:
- IAM Analysis Finding
- Compliance Finding
- Incident Finding
- Detection Finding
- Vulnerability Finding
- Data Security Finding
- Application Security Posture Finding
Outbound Relationships
Finding Information references the following objects and events in its attributes:
- Analytic
- Product
- Key:Value object
- Trait
- MITRE ATT&CK® & ATLAS™
- Related Event/Finding
- Unmapped
- Graph
- Kill Chain Phase
This page describes qdm-1.5.1+ocsf-1.6.0
Updated 22 days ago