Kill Chain Phase

The Kill Chain Phase object represents a single phase of a cyber attack, from the initial reconnaissance and planning stages through to the attacker's final objective. It describes each phase and its associated activities within the broader context of a cyber attack. See Cyber Kill Chain®.


Kill Chain Phase (phase, String): The cyber kill chain phase.
Kill Chain Phase ID (phase_id, Integer): The cyber kill chain phase identifier.
  • 0: Unknown (UNKNOWN)
  • 1: Reconnaissance (RECONNAISSANCE)
  • 2: Weaponization (WEAPONIZATION)
  • 3: Delivery (DELIVERY)
  • 4: Exploitation (EXPLOITATION)
  • 5: Installation (INSTALLATION)
  • 6: Command & Control (COMMAND_&_CONTROL)
  • 7: Actions on Objectives (ACTIONS_ON_OBJECTIVES)
  • 99: Other (OTHER)
Raw Data (raw_data, JSON): The event data as received from the event source.
Record ID (record_id, String): Unique identifier for the object.
Unmapped Data (unmapped, Unmapped[]): The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.


Kill Chain Phase shown in context

Inbound Relationships

These objects and events reference Kill Chain Phase in their attributes:

Outbound Relationships

Kill Chain Phase references the following objects and events in its attributes:

This page describes qdm-1.3.2+ocsf-1.3.0