Related Event/Finding

related_event

The Related Event object describes an event or another finding related to a finding. It may or may not be an OCSF event.

Attributes

Caption | Name | Type (the description follows each row)

MITRE ATT&CK® Details | attacks | MITRE ATT&CK®[]

An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques.

Count | count | Integer

The number of times that activity in the same logical group occurred, as reported by the related Finding.

Created Time | created_time | Timestamp

The time when the related event/finding was created.

Description | desc | String

A description of the related event/finding.

First Seen | first_seen_time | Timestamp

The time when the finding was first observed, e.g., the time when a vulnerability was first detected.
It can differ from the created_time timestamp, which reflects the time this finding was created.

Kill Chain | kill_chain | Kill Chain Phase[]

The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.

Last Seen | last_seen_time | Timestamp

The time when the finding was most recently observed, e.g., the time when a vulnerability was most recently detected.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

Modified Time | modified_time | Timestamp

The time when the related event/finding was last modified.

Observables | observables | Observable[]

The observables associated with the event or a finding.

Product | product | Product[]

Details about the product that reported the related event/finding.

Product Identifier | product_uid | String

The unique identifier of the product that reported the related event.

🚧 WARNING: DEPRECATED

Product Identifier has been deprecated since 1.4.0. Use the uid attribute in the product object instead.

Raw Data | raw_data | JSON (group: context)

The event data as received from the event source.

Record ID | record_id | String (group: primary)

Unique identifier for the object.

Severity | severity | String

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

Severity ID | severity_id | Integer

The normalized identifier of the event/finding severity.

The normalized severity is a measurement of the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower-impact events, and larger numerical values represent higher-impact events.

  • 0: Unknown (UNKNOWN)
  • 1: Informational (INFORMATIONAL)
  • 2: Low (LOW)
  • 3: Medium (MEDIUM)
  • 4: High (HIGH)
  • 5: Critical (CRITICAL)
  • 6: Fatal (FATAL)
  • 99: Other (OTHER)

Tags | tags | Key:Value object[]

The list of tags; {key:value} pairs associated with the related event/finding.

Title | title | String

A title or a brief phrase summarizing the related event/finding.

Type | type | String

The type of the related event/finding.
Populate this field if the related event/finding is not in OCSF.
If it is in OCSF, use type_name and type_uid instead.

Type Name | type_name | String

The type of the related OCSF event, as defined by type_uid.

For example: Process Activity: Launch.

Populate if the related event/finding is in OCSF.

Type ID | type_uid | Long

The unique identifier of the related OCSF event type.

For example: 100701.

Populate if the related event/finding is in OCSF.

Unique ID | uid | String

The unique identifier of the related event/finding.

If the related event/finding is in OCSF, then this value must be equal to metadata.uid in the corresponding event.

Unmapped | unmapped | Unmapped[]

Data from the source that was not mapped into the schema.
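The following Python is an added example, not OCSF project code or tooling. It derives a related_event entry from an existing OCSF event and checks an entry against the rules stated in the table above: uid must equal the event's metadata.uid, type is used only for non-OCSF items while type_name/type_uid are used for OCSF events, severity must be the caption of severity_id (source-defined only for 99/Other), product_uid is deprecated in favour of product.uid, and first_seen_time cannot be later than last_seen_time. The sample events, product values and helper function names are constructed for the example; OCSF timestamps are taken as epoch milliseconds.

```python
"""Added example (not OCSF project code): build a related_event entry from an
OCSF event and check an entry against the field rules on this page.
The sample events, product values and function names are constructed."""
from typing import Optional

# severity_id values and their captions, as listed on the page
SEVERITY_CAPTIONS = {
    0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
    4: "High", 5: "Critical", 6: "Fatal", 99: "Other",
}


def related_event_from_ocsf(event: dict, count: int = 1) -> dict:
    """Derive a related_event that points at the OCSF event `event`.

    Rules applied: uid == event.metadata.uid; type_name/type_uid are copied
    from the event so `type` stays unset; severity is the caption of
    severity_id; the product object is used instead of deprecated product_uid.
    """
    rel = {
        "uid": event["metadata"]["uid"],
        "type_uid": event["type_uid"],
        "type_name": event["type_name"],
        "count": count,
        "created_time": event["time"],
    }
    if "severity_id" in event:
        sid = event["severity_id"]
        rel["severity_id"] = sid
        # 99 (Other) keeps the source's own severity string
        rel["severity"] = event.get("severity") if sid == 99 else SEVERITY_CAPTIONS[sid]
    if "product" in event.get("metadata", {}):
        rel["product"] = event["metadata"]["product"]
    if "message" in event:
        rel["title"] = event["message"]
    return rel


def check_related_event(rel: dict, ocsf_event: Optional[dict] = None) -> list:
    """Return the list of rule violations; an empty list means the entry is consistent."""
    problems = []
    in_ocsf = "type_uid" in rel or "type_name" in rel
    if in_ocsf and "type" in rel:
        problems.append("type is set together with type_name/type_uid; use one or the other")
    if in_ocsf and ("type_uid" not in rel or "type_name" not in rel):
        problems.append("OCSF-typed entry must carry both type_uid and type_name")
    if not in_ocsf and "type" not in rel:
        problems.append("non-OCSF entry must populate type")
    if ocsf_event is not None:
        if rel.get("uid") != ocsf_event.get("metadata", {}).get("uid"):
            problems.append("uid must equal metadata.uid of the related OCSF event")
        if rel.get("type_uid") != ocsf_event.get("type_uid"):
            problems.append("type_uid does not match the related event's type_uid")
    sid = rel.get("severity_id")
    if sid is not None:
        if sid not in SEVERITY_CAPTIONS:
            problems.append(f"severity_id {sid} is not a defined value")
        elif sid == 99:
            if not rel.get("severity"):
                problems.append("severity_id 99 (Other) requires a source-defined severity string")
        elif rel.get("severity") not in (None, SEVERITY_CAPTIONS[sid]):
            problems.append(f"severity {rel['severity']!r} is not the caption of severity_id {sid}")
    if "product_uid" in rel:
        problems.append("product_uid is deprecated since 1.4.0; use product.uid")
    first, last = rel.get("first_seen_time"), rel.get("last_seen_time")
    if first is not None and last is not None and first > last:
        problems.append("first_seen_time is later than last_seen_time")
    return problems


# Constructed sample: an OCSF Process Activity: Launch event (type_uid 100701)
SAMPLE_PROCESS_LAUNCH = {
    "class_uid": 1007, "activity_id": 1,
    "type_uid": 100701, "type_name": "Process Activity: Launch",
    "time": 1700000000000,  # epoch milliseconds
    "severity_id": 3, "message": "powershell.exe launched with an encoded command",
    "metadata": {
        "uid": "evt-0001", "version": "1.4.0",
        "product": {"name": "Example EDR", "uid": "example-edr", "vendor_name": "Example"},
    },
}

# Constructed sample: a related item that is not an OCSF event, so `type` is used
NON_OCSF_RELATED = {
    "uid": "ticket-4711", "type": "vendor-ticket", "title": "Analyst escalation",
    "severity_id": 99, "severity": "P2",
    "first_seen_time": 1700000000000, "last_seen_time": 1700003600000,
}

if __name__ == "__main__":
    rel = related_event_from_ocsf(SAMPLE_PROCESS_LAUNCH, count=3)
    print(rel)
    print(check_related_event(rel, SAMPLE_PROCESS_LAUNCH))  # consistent: []
    print(check_related_event(NON_OCSF_RELATED))            # consistent: []
    # Deliberately break three rules and list the findings
    bad = dict(rel, type="alert", product_uid="example-edr", severity="High")
    for p in check_related_event(bad, SAMPLE_PROCESS_LAUNCH):
        print("-", p)
```

The checker is intentionally strict about severity: a producer that copies a vendor's "High" string while setting severity_id 3 produces a related_event that downstream consumers will misread, so the caption rule is enforced rather than warned about.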

Relationships

Outbound Relationships

Related Event/Finding references the following objects in its attributes:

  • MITRE ATT&CK® (attacks)
  • Kill Chain Phase (kill_chain)
  • Observable (observables)
  • Product (product)
  • Key:Value object (tags)
  • Unmapped (unmapped)

This page describes ocsf-1.4.0