Metadata
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Correlation UID | correlation_uid |
String | The unique identifier used to correlate events. |
| Data Classification | data_classification |
Data Classification[] | The Data Classification object includes information about data classification levels and data category types. |
| Event Code | event_code |
String | The Event ID or Code that the product uses to describe the event. |
| Schema Extension | extension |
Schema Extension[] |
The schema extension used to create the event.
|
| Schema Extensions | extensions |
Schema Extension[] | The schema extensions used to create the event. |
| Labels | labels |
String[] |
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. For example:["network", "connection.ip:destination", "device.ip:source"]
|
| Log Level | log_level |
String | The audit level at which an event was generated. |
| Log Name | log_name |
String | The event log name. For example, syslog file name or Windows logging subsystem: Security. |
| Log Provider | log_provider |
String | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. |
| Log Version | log_version |
String | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. |
| Logged Time | logged_time |
Timestamp |
The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. |
| Loggers | loggers |
Logger[] | An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow. |
| Modified Time | modified_time |
Timestamp | The time when the event was last modified or enriched. |
| Original Time | original_time |
String | The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. |
| Processed Time | processed_time |
Timestamp | The event processed time, such as an ETL operation. |
| Product | product |
Product[] | The product that reported the event. |
| Profiles | profiles |
String[] |
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
|
| Raw Data | raw_data |
JSON | The event data as received from the event source. |
| Record ID | record_id |
String | Unique identifier for the object |
| Sequence Number | sequence |
Integer | Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. |
| Tenant UID | tenant_uid |
String | The unique tenant identifier. |
| Event UID | uid |
String | The logging system-assigned unique identifier of an event instance. |
| Unmapped Data | unmapped |
Unmapped[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| Version | version |
String | The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes. |
Relationships
Inbound Relationships
These objects and events reference Metadata in their attributes:
- Process Remediation Activity
- SMB Activity
- Security Finding
- Module Query
- Device Config State
- Networks Query
- Finding
- Account Change
- Admin Group Query
- Application Lifecycle
- Discovery Result
- File Query
- File Hosting Activity
- Scheduled Job Activity
- Base Event
- Folder Query
- Incident Finding
- Memory Activity
- Data Security Finding
- Email URL Activity
- Software Inventory Info
- Network Remediation Activity
- API Activity
- Network File Activity
- RDP Activity
- Compliance Finding
- Entity Management
- Application Activity
- Job Query
- Email Delivery Activity
- File Remediation Activity
- Email File Activity
- Device Inventory Info
- HTTP Activity
- User Inventory Info
- Datastore Activity
- User Session Query
- User Access Management
- User Query
- FTP Activity
- Operating System Patch State
- Peripheral Device Query
- Authentication
- Network
- Process Query
- Windows Service Activity
- Network Connection Query
- Web Resources Activity
- File System Activity
- Registry Key Query
- Registry Key Activity
- OSINT Inventory Info
- Registry Value Activity
- Authorize Session
- Scan Activity
- Remediation Activity
- Group Management
- SSH Activity
- Service Query
- System Activity
- Event Log Activity
- Tunnel Activity
- DNS Activity
- Kernel Activity
- Network Activity
- Module Activity
- Discovery
- Registry Value Query
- Web Resource Access Activity
- Kernel Object Query
- Process Activity
- Email Activity
- NTP Activity
- Identity & Access Management
- DHCP Activity
- Device Config State Change
- Detection Finding
- Windows Resource Activity
- Prefetch Query
- Kernel Extension Activity
- Vulnerability Finding
Outbound Relationships
Metadata references the following objects and events in its attributes:
This page describes qdm-1.3.2+ocsf-1.3.0
Updated about 1 month ago