Finding Information
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
Attributes
Caption | Name | Type | Description
---|---|---|---
Analytic | analytic | Analytic[] | The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.
MITRE ATT&CK® Details | attacks | MITRE ATT&CK®[] | The MITRE ATT&CK® technique and associated tactics related to the finding.
Created Time | created_time | Timestamp | The time when the finding was created.
Data Sources | data_sources | String[] | A list of data sources utilized in generation of the finding.
Description | desc | String | The description of the reported finding.
First Seen | first_seen_time | Timestamp | The time when the finding was first observed, e.g. the time when a vulnerability was first observed. It can differ from the
Kill Chain | kill_chain | Kill Chain Phase[] | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
Last Seen | last_seen_time | Timestamp | The time when the finding was most recently observed, e.g. the time when a vulnerability was most recently observed. It can differ from the
Modified Time | modified_time | Timestamp | The time when the finding was last modified.
Product Identifier | product_uid | String | The unique identifier of the product that reported the finding.
Raw Data | raw_data | JSON | The event data as received from the event source.
Record ID | record_id | String | Unique identifier for the object.
Related Analytics | related_analytics | Analytic[] | Other analytics related to this finding.
Related Events | related_events | Related Event[] | Describes events and/or other findings related to the finding as identified by the security product.
Source URL | src_url | URL String | The URL pointing to the source of the finding.
Title | title | String | A title or a brief phrase summarizing the reported finding.
Types | types | String[] | One or more types of the reported finding.
Unique ID | uid | String | The unique identifier of the reported finding.
Unmapped Data | unmapped | Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
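The table above fixes the shape of a Finding Information object but not how a consumer should check one before trusting it. The following validator is an added example written for this page; it is not OCSF or QDM project code. It transcribes the attribute names and types from the table, treats `title` and `uid` as required (an assumption: the page does not state requirement levels), assumes `Timestamp` values are integer milliseconds since the Unix epoch, checks only that nested objects (Analytic, MITRE ATT&CK®, Kill Chain Phase, Related Event, Unmapped) are JSON objects, and adds the cross-field checks the table implies but cannot express, such as `first_seen_time` not being later than `last_seen_time`. The two sample objects are constructed for the example.

```python
"""Validate a Finding Information (finding_info) object against the attribute
table on this page. Added example, not OCSF or QDM project code."""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

TIMESTAMP = "timestamp"  # assumption: integer milliseconds since the Unix epoch

# Attribute name -> (scalar kind, is_array), transcribed from the table.
# Nested OCSF objects are checked only to be JSON objects here.
SCHEMA = {
    "analytic": (dict, True), "attacks": (dict, True),
    "created_time": (TIMESTAMP, False), "data_sources": (str, True),
    "desc": (str, False), "first_seen_time": (TIMESTAMP, False),
    "kill_chain": (dict, True), "last_seen_time": (TIMESTAMP, False),
    "modified_time": (TIMESTAMP, False), "product_uid": (str, False),
    "raw_data": ("json", False), "record_id": (str, False),
    "related_analytics": (dict, True), "related_events": (dict, True),
    "src_url": ("url", False), "title": (str, False), "types": (str, True),
    "uid": (str, False), "unmapped": (dict, True),
}
# Assumption: the page does not state requirement levels.
REQUIRED = ("title", "uid")


def _check_scalar(key, value, kind):
    """Return an error string for one value, or None if it conforms."""
    if kind == TIMESTAMP:
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            return f"{key}: expected non-negative epoch-millisecond integer"
        return None
    if kind == "json":
        try:
            json.dumps(value)
        except (TypeError, ValueError):
            return f"{key}: not JSON-serializable"
        return None
    if kind == "url":
        parts = urlparse(value) if isinstance(value, str) else None
        if not parts or not parts.scheme or not parts.netloc:
            return f"{key}: expected an absolute URL"
        return None
    return None if isinstance(value, kind) else f"{key}: expected {kind.__name__}"


def validate_finding_info(obj):
    """Return a list of problems; an empty list means the object conforms."""
    if not isinstance(obj, dict):
        return ["finding_info must be a JSON object"]
    errors = [f"missing required attribute: {k}" for k in REQUIRED if k not in obj]
    for key, value in obj.items():
        if key not in SCHEMA:
            errors.append(f"unknown attribute '{key}': source-specific fields belong in 'unmapped'")
            continue
        kind, is_array = SCHEMA[key]
        if is_array:
            if not isinstance(value, list):
                errors.append(f"{key}: expected an array")
                continue
            errors.extend(e for e in (_check_scalar(key, v, kind) for v in value) if e)
        else:
            err = _check_scalar(key, value, kind)
            if err:
                errors.append(err)
    # Ordering the table implies: first seen <= last seen, created <= modified.
    for earlier, later in (("first_seen_time", "last_seen_time"), ("created_time", "modified_time")):
        a, b = obj.get(earlier), obj.get(later)
        if isinstance(a, int) and isinstance(b, int) and a > b:
            errors.append(f"{earlier} ({a}) is after {later} ({b})")
    return errors


def to_datetime(ms):
    """Render an epoch-millisecond timestamp as an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


# Constructed sample: first_seen_time predates created_time, which the table
# says is legitimate, so this object must validate cleanly.
SAMPLE_OK = {
    "uid": "finding-0001", "title": "Outdated OpenSSL on web tier",
    "desc": "Scanner reported a version below the patched release.",
    "types": ["Vulnerability"], "product_uid": "scanner-a",
    "first_seen_time": 1700000000000, "created_time": 1700086400000,
    "last_seen_time": 1700172800000, "analytic": [{"name": "version-banner-match"}],
    "src_url": "https://scanner.example.internal/findings/0001",
    "raw_data": {"plugin_id": 12345, "severity": "high"},
    "unmapped": [{"name": "ticket", "value": "SEC-42"}],
}

# Constructed sample with four defects: missing uid, an ISO string where an
# epoch-ms integer belongs, last seen before first seen, and a vendor field
# placed outside 'unmapped'.
SAMPLE_BAD = {
    "title": "Suspicious login", "created_time": "2023-11-14T22:13:20Z",
    "first_seen_time": 1700086400000, "last_seen_time": 1700000000000,
    "vendor_score": 87,
}

if __name__ == "__main__":
    print("ok sample:", validate_finding_info(SAMPLE_OK))
    for problem in validate_finding_info(SAMPLE_BAD):
        print("bad sample:", problem)
    print("first seen:", to_datetime(SAMPLE_OK["first_seen_time"]).isoformat())
```

Run as a script, the conforming sample yields an empty list and the defective one yields four distinct problems. Note that `title`, `desc`, `src_url` and `raw_data` are copied verbatim from the reporting product; a consumer that renders or re-emits them should treat them as untrusted input, and the URL check above only confirms the value is an absolute URL, not that it is safe to follow.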
Relationships
Inbound Relationships
These objects and events reference Finding Information in their attributes:
- Detection Finding
- Compliance Finding
- Finding
- Incident Finding
- Data Security Finding
- Vulnerability Finding
Outbound Relationships
Finding Information references the following objects in its attributes (the object types listed in the Attributes table above):
- Analytic
- MITRE ATT&CK®
- Kill Chain Phase
- Related Event
- Unmapped
This page describes qdm-1.3.2+ocsf-1.3.0