Related Event/Finding

An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.

The number of times that activity in the same logical group occurred, as reported by the related Finding.

The time when the related event/finding was created.

A description of the related event/finding.

The time when the finding was first observed. e.g. The time when a vulnerability was first observed.It can differ from the created_time timestamp, which reflects the time this finding was created.

The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.

The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

The time when the related event/finding was last modified.

The observables associated with the event or a finding.

Details about the product that reported the related event/finding.

The unique identifier of the product that reported the related event.

🚧 WARNING: DEPRECATED

Product Identifier has been deprecated since 1.4.0. Use the uid attribute in the product object instead. See specific usage.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

The normalized identifier of the event/finding severity.The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.

• 0: Unknown (UNKNOWN)
• 1: Informational (INFORMATIONAL)
• 2: Low (LOW)
• 3: Medium (MEDIUM)
• 4: High (HIGH)
• 5: Critical (CRITICAL)
• 6: Fatal (FATAL)
• 99: Other (OTHER)

The related event status. Should correspond to the label of the status_id (or 'Other' status value for status_id = 99) of the related event.

The list of tags; key:value pairs associated with the related event/finding.

A title or a brief phrase summarizing the related event/finding.

The list of key traits or characteristics extracted from the related event/finding that influenced or contributed to the overall finding's outcome.

The type of the related event/finding.Populate if the related event/finding is NOT in OCSF. If it is in OCSF, then utilize type_name, type_uid instead.

The type of the related OCSF event, as defined by type_uid.For example: Process Activity: Launch.Populate if the related event/finding is in OCSF.

The unique identifier of the related OCSF event type. For example: 100701.Populate if the related event/finding is in OCSF.

The unique identifier of the related event/finding. If the related event/finding is in OCSF, then this value must be equal to metadata.uid in the corresponding event.

Data from the source that was not mapped into the schema.