Metadata

The unique identifier used to correlate events.

Group:context
The Data Classification object includes information about data classification levels and data category types.

🚧 WARNING: DEPRECATED

Data Classification has been deprecated since 1.4.0. Use the attribute data_classifications instead

Group:context
A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier.

Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.

The Event ID, Code, or Name that the product uses to primarily identify the event.

The schema extension used to create the event.

🚧 WARNING: DEPRECATED

Schema Extension has been deprecated since 1.1.0. Use the extensions attribute instead.

The schema extensions used to create the event.

Indicates whether the OCSF event data has been truncated due to size limitations. When true, some event data may have been omitted to fit within system constraints.

The list of labels attached to the event. For example: ["sample", "dev"]

The audit level at which an event was generated.

The event log name. For example, syslog file name or Windows logging subsystem: Security.

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

The time when the logging system collected and logged the event.This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

The time when the event was last modified or enriched.

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

The event processed time, such as an ETL operation.

The product that reported the event.

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

The list of tags; key:value pairs associated to the event.

The unique tenant identifier.

An array of transformation info that describes the mappings or transforms applied to the data.

The logging system-assigned unique identifier of an event instance.

Data from the source that was not mapped into the schema.

The original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when is_truncated is true to indicate the full size of the original event.

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.