Kill Chain Phase

kill_chain_phase

The Kill Chain Phase object represents a single phase of a cyber attack, from the initial reconnaissance and planning stages through to the attacker's final objective. It describes each phase and its associated activities within the broader context of a cyber attack. See Cyber Kill Chain®.

Attributes

Caption | Name | Type | Description
Kill Chain Phase | phase | String | The cyber kill chain phase.
Kill Chain Phase ID | phase_id | Integer | The cyber kill chain phase identifier.
  • 0: Unknown (UNKNOWN)
  • 1: Reconnaissance (RECONNAISSANCE)
  • 2: Weaponization (WEAPONIZATION)
  • 3: Delivery (DELIVERY)
  • 4: Exploitation (EXPLOITATION)
  • 5: Installation (INSTALLATION)
  • 6: Command & Control (COMMAND_&_CONTROL)
  • 7: Actions on Objectives (ACTIONS_ON_OBJECTIVES)
  • 99: Other (OTHER)
Raw Data | raw_data | JSON | Group: context. The event data as received from the event source.
Record ID | record_id | String | Group: primary. Unique identifier for the object.
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema.

Relationships

Kill Chain Phase shown in context

Inbound Relationships

These objects and events reference Kill Chain Phase in their attributes:

Outbound Relationships

Kill Chain Phase references the following objects and events in its attributes:

This page describes ocsf-1.4.0