Finding Information

finding_info

The Finding Information object describes metadata related to a security finding generated by a security tool or system.

Attributes

| Caption | Name | Type | Description |
|---|---|---|---|
| Analytic | analytic | Analytic[] | The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion. |
| MITRE ATT&CK® Details | attacks | MITRE ATT&CK®[] | The MITRE ATT&CK® technique and associated tactics related to the finding. |
| Created Time | created_time | Timestamp | The time when the finding was created. |
| Data Sources | data_sources | String[] | A list of data sources utilized in generation of the finding. |
| Description | desc | String | The description of the reported finding. |
| First Seen | first_seen_time | Timestamp | The time when the finding was first observed, e.g. the time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created. |
| Kill Chain | kill_chain | Kill Chain Phase[] | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. |
| Last Seen | last_seen_time | Timestamp | The time when the finding was most recently observed, e.g. the time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified. |
| Modified Time | modified_time | Timestamp | The time when the finding was last modified. |
| Product | product | Product[] | Details about the product that reported the finding. |
| Product Identifier | product_uid | String | The unique identifier of the product that reported the finding. 🚧 WARNING: DEPRECATED. Product Identifier has been deprecated since 1.4.0. Use the uid attribute in the product object instead. See specific usage. |
| Raw Data | raw_data | JSON | The event data as received from the event source. (Group: context) |
| Record ID | record_id | String | Unique identifier for the object. (Group: primary) |
| Source URL | src_url | URL String | The URL pointing to the source of the finding. |
| Tags | tags | Key:Value object[] | The list of tags; {key:value} pairs associated with the finding. |
| Title | title | String | A title or a brief phrase summarizing the reported finding. |
| Types | types | String[] | One or more types of the reported finding. |
| Unique ID | uid | String | The unique identifier of the reported finding. |
| Alternate ID | uid_alt | String | The alternative unique identifier of the reported finding. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
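As an added example (not code from the OCSF project), the following Python builds a finding_info object from a constructed scanner alert and checks the points the table calls out: the four Timestamp attributes, the first_seen/last_seen versus created/modified distinction, and the deprecated product_uid. It assumes OCSF Timestamp values are epoch milliseconds and that uid and title must be present; the alert format and the scanner-x identifier are invented.

```python
# Added example (not OCSF project code): build an OCSF finding_info object from a
# constructed scanner alert and sanity-check it against the attribute table above.
# Assumes OCSF Timestamps are epoch milliseconds and that uid and title must be present.
from datetime import datetime

# Attribute names from the finding_info table on this page.
KNOWN_ATTRIBUTES = {
    "analytic", "attacks", "created_time", "data_sources", "desc", "first_seen_time",
    "kill_chain", "last_seen_time", "modified_time", "product", "product_uid", "raw_data",
    "record_id", "src_url", "tags", "title", "types", "uid", "uid_alt", "unmapped"}
TIME_KEYS = ("first_seen_time", "last_seen_time", "created_time", "modified_time")

# Constructed sample alert from a hypothetical vulnerability scanner (not real data).
SAMPLE_ALERT = {"id": "vuln-0001", "name": "Outdated TLS library on web tier",
                "first_seen": "2024-05-01T10:00:00Z", "last_seen": "2024-05-03T09:30:00Z",
                "created": "2024-05-01T10:05:00Z", "updated": "2024-05-03T09:31:00Z",
                "scanner_id": "scanner-x"}

def to_ms(iso_utc: str) -> int:
    """ISO-8601 UTC string -> epoch milliseconds, the OCSF Timestamp encoding."""
    return int(datetime.fromisoformat(iso_utc.replace("Z", "+00:00")).timestamp() * 1000)

def to_finding_info(alert: dict) -> dict:
    """Build a finding_info object; product.uid replaces the deprecated product_uid."""
    return {
        "uid": alert["id"],
        "title": alert["name"],
        "first_seen_time": to_ms(alert["first_seen"]),
        "last_seen_time": to_ms(alert["last_seen"]),
        "created_time": to_ms(alert["created"]),
        "modified_time": to_ms(alert["updated"]),
        "types": ["vulnerability"],
        "product": {"uid": alert["scanner_id"]},  # not product_uid (deprecated in 1.4.0)
        "raw_data": alert,  # keep the source record for later investigation
    }

def validate_finding_info(fi: dict) -> list:
    """Return a list of problems; an empty list means the object passed."""
    issues = [f"missing {k}" for k in ("uid", "title") if not fi.get(k)]
    issues += [f"unknown attribute {k}" for k in fi if k not in KNOWN_ATTRIBUTES]
    issues += [f"{k} must be epoch milliseconds" for k in TIME_KEYS
               if k in fi and not isinstance(fi[k], int)]
    ts = {k: fi[k] for k in TIME_KEYS if isinstance(fi.get(k), int)}
    if ts.get("first_seen_time", 0) > ts.get("last_seen_time", 2**63):
        issues.append("first_seen_time is after last_seen_time")
    if ts.get("created_time", 0) > ts.get("modified_time", 2**63):
        issues.append("created_time is after modified_time")
    if "product_uid" in fi:
        issues.append("product_uid is deprecated since 1.4.0; use product.uid")
    return issues
```

A finding whose first_seen_time is earlier than its created_time is expected (the vulnerability existed before the tool recorded it), so only the ordering within each pair is checked.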

Relationships

Finding Information shown in context

Inbound Relationships

These objects and events reference Finding Information in their attributes:

Outbound Relationships

Finding Information references the following objects and events in its attributes:

This page describes ocsf-1.4.0