Kill Chain Phase

kill_chain_phase

The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker. It provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. See Cyber Kill Chain®.

Attributes

Caption	Name	Type	Description
Kill Chain Phase	`phase`	String	The cyber kill chain phase.
Kill Chain Phase ID	`phase_id`	Integer	The cyber kill chain phase identifier. `0`: Unknown (`UNKNOWN`) `1`: Reconnaissance (`RECONNAISSANCE`) `2`: Weaponization (`WEAPONIZATION`) `3`: Delivery (`DELIVERY`) `4`: Exploitation (`EXPLOITATION`) `5`: Installation (`INSTALLATION`) `6`: Command & Control (`COMMAND_&_CONTROL`) `7`: Actions on Objectives (`ACTIONS_ON_OBJECTIVES`) `99`: Other (`OTHER`)
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.

Relationships

Inbound Relationships

These objects and events reference Kill Chain Phase in their attributes:

Outbound Relationships

Kill Chain Phase references the following objects and events in its attributes:

Unmapped

This page describes ocsf-1.4.0