Related Event/Finding

related_event

The Related Event object describes an event or another finding related to a finding. It may or may not be an OCSF event.

Attributes

Caption	Name	Type	Description
MITRE ATT&CK® Details	`attacks`	MITRE ATT&CK®[]	An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques.
Count	`count`	Integer	The number of times that activity in the same logical group occurred, as reported by the related Finding.
Created Time	`created_time`	Timestamp	The time when the related event/finding was created.
Description	`desc`	String	A description of the related event/finding.
First Seen	`first_seen_time`	Timestamp	The time when the finding was first observed — e.g., the time when a vulnerability was first detected. It can differ from the `created_time` timestamp, which reflects the time this finding was created.
Kill Chain	`kill_chain`	Kill Chain Phase[]	The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
Last Seen	`last_seen_time`	Timestamp	The time when the finding was most recently observed — e.g., the time when a vulnerability was most recently detected. It can differ from the `modified_time` timestamp, which reflects the time this finding was last modified.
Modified Time	`modified_time`	Timestamp	The time when the related event/finding was last modified.
Observables	`observables`	Observable[]	The observables associated with the event or a finding.
Product	`product`	Product[]	Details about the product that reported the related event/finding.
Product Identifier	`product_uid`	String	The unique identifier of the product that reported the related event. 🚧 WARNING: DEPRECATED Product Identifier has been deprecated since 1.4.0. Use the `uid` attribute in the `product` object instead. See specific usage.
Raw Data	`raw_data`	JSON	Group:`context` The event data as received from the event source.
Record ID	`record_id`	String	Group:`primary` Unique identifier for the object
Severity	`severity`	String	The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
Severity ID	`severity_id`	Integer	The normalized identifier of the event/finding severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. `0`: Unknown (`UNKNOWN`) `1`: Informational (`INFORMATIONAL`) `2`: Low (`LOW`) `3`: Medium (`MEDIUM`) `4`: High (`HIGH`) `5`: Critical (`CRITICAL`) `6`: Fatal (`FATAL`) `99`: Other (`OTHER`)
Tags	`tags`	Key:Value object[]	The list of tags; `{key:value}` pairs associated with the related event/finding.
Title	`title`	String	A title or a brief phrase summarizing the related event/finding.
Type	`type`	String	The type of the related event/finding. Populate this field if the related event/finding is not in OCSF. If it is in OCSF, then use `type_name` and `type_uid` instead.
Type Name	`type_name`	String	The type of the related OCSF event, as defined by `type_uid`. For example: `Process Activity: Launch.` Populate if the related event/finding is in OCSF.
Type ID	`type_uid`	Long	The unique identifier of the related OCSF event type. For example: `100701.` Populate if the related event/finding is in OCSF.
Unique ID	`uid`	String	The unique identifier of the related event/finding. If the related event/finding is in OCSF, then this value must be equal to `metadata.uid` in the corresponding event.
Unmapped	`unmapped`	Unmapped[]	Data from the source that was not mapped into the schema.

Relationships

Inbound Relationships

These objects and events reference Related Event/Finding in their attributes:

Outbound Relationships

Related Event/Finding references the following objects and events in its attributes:

This page describes ocsf-1.4.0