Metadata
metadata
The Metadata object describes the metadata associated with the event.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
Correlation UID | correlation_uid |
String | The unique identifier used to correlate events. |
Data Classification | data_classification |
Data Classification[] |
Group:context The Data Classification object includes information about data classification levels and data category types.
|
Data Classification | data_classifications |
Data Classification[] |
Group:context A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier. |
Debug Information | debug |
String[] | Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array. |
Event Code | event_code |
String |
The Event ID, Code, or Name that the product uses to primarily identify the event.
|
Schema Extension | extension |
Schema Extension[] |
The schema extension used to create the event.
|
Schema Extensions | extensions |
Schema Extension[] | The schema extensions used to create the event. |
Labels | labels |
String[] |
The list of labels attached to the event. For example: ["sample", "dev"]
|
Log Level | log_level |
String | The audit level at which an event was generated. |
Log Name | log_name |
String | The event log name. For example, syslog file name or Windows logging subsystem: Security. |
Log Provider | log_provider |
String | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. |
Log Version | log_version |
String | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. |
Logged Time | logged_time |
Timestamp |
The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. |
Loggers | loggers |
Logger[] | An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow. |
Modified Time | modified_time |
Timestamp | The time when the event was last modified or enriched. |
Original Time | original_time |
String | The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. |
Processed Time | processed_time |
Timestamp | The event processed time, such as an ETL operation. |
Product | product |
Product[] | The product that reported the event. |
Profiles | profiles |
String[] |
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
|
Raw Data | raw_data |
JSON |
Group:context The event data as received from the event source. |
Record ID | record_id |
String |
Group:primary Unique identifier for the object |
Sequence Number | sequence |
Integer | Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. |
Tags | tags |
Key:Value object[] |
The list of tags; {key:value} pairs associated to the event.
|
Tenant UID | tenant_uid |
String | The unique tenant identifier. |
Event UID | uid |
String | The logging system-assigned unique identifier of an event instance. |
Unmapped | unmapped |
Unmapped[] | Data from the source that was not mapped into the schema. |
Version | version |
String | The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes. |
Relationships
Inbound Relationships
These objects and events reference Metadata in their attributes:
- Kernel Object Query
- Web Resource Access Activity
- Email URL Activity
- Discovery
- Web Resources Activity
- Network Connection Query
- Kernel Activity
- Memory Activity
- Script Activity
- Authentication
- Group Management
- Software Inventory Info
- Unmanned Systems
- NTP Activity
- Job Query
- Registry Key Activity
- Authorize Session
- Detection Finding
- User Session Query
- Module Query
- Scheduled Job Activity
- Device Inventory Info
- Process Remediation Activity
- Remediation Activity
- Network Remediation Activity
- User Access Management
- API Activity
- DHCP Activity
- Device Config State Change
- Drone Flights Activity
- Admin Group Query
- Security Finding
- Prefetch Query
- Email File Activity
- Networks Query
- Network Activity
- Network File Activity
- File System Activity
- Event Log Activity
- Compliance Finding
- File Query
- User Inventory Info
- File Remediation Activity
- Application Activity
- HTTP Activity
- Module Activity
- Application Lifecycle
- Datastore Activity
- FTP Activity
- Base Event
- Vulnerability Finding
- Cloud Resources Inventory Info
- Registry Value Query
- Tunnel Activity
- Network
- Windows Resource Activity
- Peripheral Device Query
- Airborne Broadcast Activity
- Process Activity
- Device Config State
- Kernel Extension Activity
- User Query
- System Activity
- Email Activity
- Operating System Patch State
- RDP Activity
- Application Error
- Startup Item Query
- Registry Key Query
- Service Query
- Entity Management
- DNS Activity
- Registry Value Activity
- Process Query
- Data Security Finding
- File Hosting Activity
- Folder Query
- SMB Activity
- Finding
- Incident Finding
- Windows Service Activity
- Scan Activity
- SSH Activity
- Account Change
- Identity & Access Management
- Discovery Result
- OSINT Inventory Info
Outbound Relationships
Metadata references the following objects and events in its attributes:
This page describes ocsf-1.4.0
Updated 11 days ago