Related Event/Finding
related_event
The Related Event object describes an event or another finding related to a finding. It may or may not be an OCSF event.
Attributes
Caption | Name | Type | Description
---|---|---|---
MITRE ATT&CK® Details | attacks | MITRE ATT&CK®[] | An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques.
Count | count | Integer | The number of times that activity in the same logical group occurred, as reported by the related Finding.
Created Time | created_time | Timestamp | The time when the related event/finding was created.
Description | desc | String | A description of the related event/finding.
First Seen | first_seen_time | Timestamp | The time when the finding was first observed, e.g. the time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created.
Kill Chain | kill_chain | Kill Chain Phase[] | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
Last Seen | last_seen_time | Timestamp | The time when the finding was most recently observed, e.g. the time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
Modified Time | modified_time | Timestamp | The time when the related event/finding was last modified.
Observables | observables | Observable[] | The observables associated with the event or a finding.
Product | product | Product[] | Details about the product that reported the related event/finding.
Product Identifier | product_uid | String | The unique identifier of the product that reported the related event.
Raw Data | raw_data | JSON | The event data as received from the event source.
Record ID | record_id | String | Unique identifier for the object.
Severity | severity | String | The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
Severity ID | severity_id | Integer | The normalized identifier of the event/finding severity. The normalized severity is a measurement of the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
Tags | tags | Key:Value object[] | The list of tags; {key:value} pairs associated with the related event/finding.
Title | title | String | A title or a brief phrase summarizing the related event/finding.
Type | type | String | The type of the related event/finding. Populate if the related event/finding is NOT in OCSF. If it is in OCSF, then utilize type_name and type_uid instead.
Type Name | type_name | String | The type of the related OCSF event, as defined by type_uid. For example:
Type ID | type_uid | Long | The unique identifier of the related OCSF event type. For example:
Unique ID | uid | String | The unique identifier of the related event/finding. If the related event/finding is in OCSF, then this value must be equal to metadata.uid in the corresponding event.
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema.
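As an added example that is not part of the OCSF documentation, the following Python checks a related_event object against the rules stated in the table above: type versus type_name/type_uid, uid matching metadata.uid of the referenced OCSF event, and severity matching the caption of severity_id. The severity caption table and the sample uid/type_uid values are assumptions constructed for the example, not taken from this page.

```python
# severity_id captions from the OCSF base event enum; this page does not list
# them, so this table is an assumption to confirm against the schema you use.
SEVERITY_CAPTIONS = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
                     4: "High", 5: "Critical", 6: "Fatal", 99: "Other"}


def check_related_event(related, ocsf_events_by_uid):
    """Return rule violations for one related_event dict (empty list = consistent).
    ocsf_events_by_uid is an index of OCSF events we hold, keyed by metadata.uid."""
    problems = []
    in_ocsf = "type_uid" in related or "type_name" in related

    # 'type' is for non-OCSF events only; OCSF events carry type_name/type_uid.
    if in_ocsf and "type" in related:
        problems.append("type must not be set when type_name/type_uid are used")
    if not in_ocsf and "type" not in related:
        problems.append("type is required for a related event that is not in OCSF")

    # For an OCSF event, uid must equal metadata.uid of the corresponding event;
    # as an added check, that event's own type_uid should agree with ours.
    if in_ocsf:
        event = ocsf_events_by_uid.get(related.get("uid"))
        if event is None:
            problems.append("uid does not match metadata.uid of any known OCSF event")
        elif "type_uid" in related and event.get("type_uid") != related["type_uid"]:
            problems.append("type_uid differs from the referenced event's type_uid")

    # severity is the caption of severity_id, except 'Other', which the source defines.
    sid = related.get("severity_id")
    if sid is not None:
        caption = SEVERITY_CAPTIONS.get(sid)
        if caption is None:
            problems.append(f"unknown severity_id {sid}")
        elif caption != "Other" and related.get("severity") != caption:
            problems.append(f"severity should be '{caption}' for severity_id {sid}")
    return problems


# Constructed sample data: one OCSF event we hold (uid and type_uid values are
# placeholders) and two related_event objects that point at it.
KNOWN_EVENTS = {"evt-0001": {"metadata": {"uid": "evt-0001"}, "type_uid": 200201}}
GOOD_RELATED = {"uid": "evt-0001", "type_uid": 200201, "severity_id": 3,
                "severity": "Medium", "title": "Vulnerability seen earlier"}
BAD_RELATED = {"uid": "evt-9999", "type_uid": 200201, "type": "ids_alert",
               "severity_id": 4, "severity": "Low"}

if __name__ == "__main__":
    for name, rel in (("good", GOOD_RELATED), ("bad", BAD_RELATED)):
        print(name, check_related_event(rel, KNOWN_EVENTS) or "consistent")
```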
Relationships
Inbound Relationships
These objects and events reference Related Event/Finding in their attributes:
Outbound Relationships
Related Event/Finding references the following objects and events in its attributes:
This page describes ocsf-1.4.0