metadata

The Metadata object describes the metadata associated with the event.

Attributes

CaptionNameTypeDescription
Correlation UID correlation_uid String The unique identifier used to correlate events.
Data Classification data_classification Data Classification[] Group:context
The Data Classification object includes information about data classification levels and data category types.

🚧 WARNING: DEPRECATED

Data Classification has been deprecated since 1.4.0. Use the attribute data_classifications instead

Data Classification data_classifications Data Classification[] Group:context
A list of Data Classification objects, that include information about data classification levels and data category types, indentified by a classifier.
Debug Information debug String[] Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.
Event Code event_code String The Event ID, Code, or Name that the product uses to primarily identify the event.
Schema Extension extension Schema Extension[] The schema extension used to create the event.

🚧 WARNING: DEPRECATED

Schema Extension has been deprecated since 1.1.0. Use the extensions attribute instead.

Schema Extensions extensions Schema Extension[] The schema extensions used to create the event.
Labels labels String[] The list of labels attached to the event. For example: ["sample", "dev"]
Log Level log_level String The audit level at which an event was generated.
Log Name log_name String The event log name. For example, syslog file name or Windows logging subsystem: Security.
Log Provider log_provider String The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
Log Version log_version String The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
Logged Time logged_time Timestamp

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
Loggers loggers Logger[] An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
Modified Time modified_time Timestamp The time when the event was last modified or enriched.
Original Time original_time String The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
Processed Time processed_time Timestamp The event processed time, such as an ETL operation.
Product product Product[] The product that reported the event.
Profiles profiles String[] The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Raw Data raw_data JSON Group:context
The event data as received from the event source.
Record ID record_id String Group:primary
Unique identifier for the object
Sequence Number sequence Integer Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
Tags tags Key:Value object[] The list of tags; {key:value} pairs associated to the event.
Tenant UID tenant_uid String The unique tenant identifier.
Event UID uid String The logging system-assigned unique identifier of an event instance.
Unmapped unmapped Unmapped[] Data from the source that was not mapped into the schema.
Version version String The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

Relationships

Metadata shown in context

Inbound Relationships

These objects and events reference Metadata in their attributes:

Outbound Relationships

Metadata references the following objects and events in its attributes:

This page describes ocsf-1.4.0