Finding Information

finding_info

The Finding Information object describes metadata related to a security finding generated by a security tool or system.

Attributes

Caption	Name	Type	Description
Analytic	`analytic`	Analytic[]	The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.
MITRE ATT&CK® Details	`attacks`	MITRE ATT&CK®[]	The MITRE ATT&CK® technique and associated tactics related to the finding.
Created Time	`created_time`	Timestamp	The time when the finding was created.
Data Sources	`data_sources`	String[]	A list of data sources utilized in generation of the finding.
Description	`desc`	String	The description of the reported finding.
First Seen	`first_seen_time`	Timestamp	The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the `created_time` timestamp, which reflects the time this finding was created.
Kill Chain	`kill_chain`	Kill Chain Phase[]	The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
Last Seen	`last_seen_time`	Timestamp	The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. It can differ from the `modified_time` timestamp, which reflects the time this finding was last modified.
Modified Time	`modified_time`	Timestamp	The time when the finding was last modified.
Product	`product`	Product[]	Details about the product that reported the finding.
Product Identifier	`product_uid`	String	The unique identifier of the product that reported the finding. 🚧 WARNING: DEPRECATED Product Identifier has been deprecated since 1.4.0. Use the `uid` attribute in the `product` object instead. See specific usage.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Related Analytics	`related_analytics`	Analytic[]	Other analytics related to this finding.
Related Events/Findings	`related_events`	Related Event/Finding[]	Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.
Related Events/Findings Count	`related_events_count`	Integer	Number of related events or findings.
Source URL	`src_url`	URL String	Entity:`URL_STRING` The URL pointing to the source of the finding.
Tags	`tags`	Key:Value object[]	The list of tags; `{key:value}` pairs associated with the finding.
Title	`title`	String	A title or a brief phrase summarizing the reported finding.
Types	`types`	String[]	One or more types of the reported finding.
Unique ID	`uid`	String	The unique identifier of the reported finding.
Alternate ID	`uid_alt`	String	The alternative unique identifier of the reported finding.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.

Relationships

Inbound Relationships

These objects and events reference Finding Information in their attributes:

Outbound Relationships

Finding Information references the following objects and events in its attributes:

This page describes ocsf-1.4.0