Related Event/Finding
related_event
The Related Event object describes an event or another finding related to a finding. It may or may not be an OCSF event.
Attributes
Caption | Name | Type | Description |
---|---|---|---|
MITRE ATT&CK® Details | attacks | MITRE ATT&CK®[] | An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. |
Count | count | Integer | The number of times that activity in the same logical group occurred, as reported by the related Finding. |
Created Time | created_time | Timestamp | The time when the related event/finding was created. |
Description | desc | String | A description of the related event/finding. |
First Seen | first_seen_time | Timestamp | The time when the finding was first observed — e.g., the time when a vulnerability was first detected. |
Kill Chain | kill_chain | Kill Chain Phase[] | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. |
Last Seen | last_seen_time | Timestamp | The time when the finding was most recently observed — e.g., the time when a vulnerability was most recently detected. |
Modified Time | modified_time | Timestamp | The time when the related event/finding was last modified. |
Observables | observables | Observable[] | The observables associated with the event or a finding. |
Product | product | Product[] | Details about the product that reported the related event/finding. |
Product Identifier | product_uid | String | The unique identifier of the product that reported the related event/finding. |
Raw Data | raw_data | JSON | The raw event/finding data as received from the source. |
Record ID | record_id | String | The identifier of the event/finding record as reported by the source. |
Severity | severity | String | The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other' (severity_id 99), the label is defined by the source. |
Severity ID | severity_id | Integer | The normalized identifier of the event/finding severity. The normalized severity is a measurement of the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. |
Tags | tags | Key:Value object[] | The list of tags, as key:value pairs. |
Title | title | String | A title or a brief phrase summarizing the related event/finding. |
Type | type | String | The type of the related event/finding. |
Type Name | type_name | String | The type name of the related OCSF event, as defined by its type_uid. |
Type ID | type_uid | Long | The unique identifier of the related OCSF event type. Present only when the related event is an OCSF event. |
Unique ID | uid | String | The unique identifier of the related event/finding. If the related event/finding is in OCSF, then this value must be equal to metadata.uid in the corresponding event. |
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
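As an added worked example (not code from the OCSF project or this page), the Python below builds a related_event for both cases the object covers, a reference to an existing OCSF event and a non-OCSF alert, and then checks the cross-field rules the attribute table states: an OCSF-typed reference's uid must resolve to the metadata.uid of the event it points at, severity must be the caption of severity_id (except 99 "Other", which the source defines), and first/last seen and created/modified times must be ordered. The severity_id captions, the type_uid/type_name pair, the product identifiers and the scanner alert format are assumed values for illustration and are not taken from this page.

```python
"""Build and cross-check OCSF related_event objects (added example).

Assumptions (not on the page): the severity_id enum captions below, the
sample type_uid/type_name pair, and the shape of the non-OCSF scanner alert.
"""
from __future__ import annotations

from typing import Any

# Assumed captions of the OCSF severity_id enum; 99 "Other" is source-defined.
SEVERITY_CAPTIONS = {
    0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
    4: "High", 5: "Critical", 6: "Fatal", 99: "Other",
}

# Constructed sample: an OCSF event a finding wants to reference.
SAMPLE_OCSF_EVENT: dict[str, Any] = {
    "metadata": {"uid": "evt-0001", "product": {"name": "ExampleEDR", "uid": "prod-edr"}},
    "type_uid": 100701,                        # assumed illustrative value
    "type_name": "Process Activity: Launch",   # assumed illustrative value
    "severity_id": 4,
    "severity": "High",
    "time": 1700000000000,
}

# Constructed sample: a non-OCSF alert from a hypothetical scanner.
SAMPLE_SOURCE_ALERT: dict[str, Any] = {
    "id": "scan-42", "tool": "ExampleScanner", "tool_id": "prod-scan",
    "level": "moderate", "title": "Outdated TLS library",
    "first": 1699000000000, "last": 1700000000000, "hits": 3,
}

# Assumed mapping from the hypothetical scanner's levels to severity_id.
SCANNER_LEVELS = {"info": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


def related_event_from_ocsf(event: dict[str, Any]) -> dict[str, Any]:
    """Reference an existing OCSF event: uid is copied from metadata.uid and
    type_uid/type_name are carried through so consumers know it is OCSF."""
    product = event["metadata"].get("product")
    rel: dict[str, Any] = {
        "uid": event["metadata"]["uid"],
        "type_uid": event["type_uid"],
        "type_name": event.get("type_name"),
        "product": product,
        "product_uid": product.get("uid") if product else None,
        "severity_id": event.get("severity_id"),
        "created_time": event.get("time"),
    }
    if rel["severity_id"] is not None:
        rel["severity"] = SEVERITY_CAPTIONS[rel["severity_id"]]
    return {k: v for k, v in rel.items() if v is not None}


def related_event_from_source(alert: dict[str, Any]) -> dict[str, Any]:
    """Describe a non-OCSF alert: no type_uid, severity normalized from the
    source's own level, and the original record kept in raw_data."""
    sev_id = SCANNER_LEVELS.get(alert["level"], 99)
    return {
        "uid": alert["id"],
        "type": "vulnerability",   # free-form source type (assumed label)
        "title": alert["title"],
        "product": {"name": alert["tool"], "uid": alert["tool_id"]},
        "product_uid": alert["tool_id"],
        "severity_id": sev_id,
        # For 99 "Other" the caption is whatever the source calls it.
        "severity": SEVERITY_CAPTIONS[sev_id] if sev_id != 99 else alert["level"],
        "first_seen_time": alert["first"],
        "last_seen_time": alert["last"],
        "count": alert["hits"],
        "raw_data": alert,
    }


def validate_related_event(rel: dict[str, Any],
                           ocsf_events_by_uid: dict[str, dict[str, Any]]) -> list[str]:
    """Return the list of constraint violations; an empty list means consistent.

    ocsf_events_by_uid is keyed by each event's metadata.uid.
    """
    problems: list[str] = []
    uid = rel.get("uid")
    if not uid:
        problems.append("uid is required to resolve the reference")
    # uid rule: an OCSF-typed reference must resolve to metadata.uid of its target.
    if "type_uid" in rel:
        target = ocsf_events_by_uid.get(uid)
        if target is None:
            problems.append(f"uid {uid!r} does not resolve to a known OCSF event")
        elif target.get("type_uid") != rel["type_uid"]:
            problems.append("type_uid differs from the referenced event's type_uid")
    # severity rule: caption of severity_id, except 99 which is source-defined.
    sev_id, sev = rel.get("severity_id"), rel.get("severity")
    if sev is not None and sev_id is None:
        problems.append("severity given without severity_id")
    elif sev_id is not None:
        if sev_id not in SEVERITY_CAPTIONS:
            problems.append(f"severity_id {sev_id} is not a known enum value")
        elif sev_id != 99 and sev is not None and sev != SEVERITY_CAPTIONS[sev_id]:
            problems.append(f"severity {sev!r} is not the caption of severity_id {sev_id}")
    # Timestamp ordering for the two first/last pairs the object carries.
    for lo, hi in (("first_seen_time", "last_seen_time"), ("created_time", "modified_time")):
        if lo in rel and hi in rel and rel[lo] > rel[hi]:
            problems.append(f"{lo} is later than {hi}")
    count = rel.get("count")
    if count is not None and (isinstance(count, bool) or not isinstance(count, int) or count < 0):
        problems.append("count must be a non-negative integer")
    return problems


if __name__ == "__main__":
    index = {SAMPLE_OCSF_EVENT["metadata"]["uid"]: SAMPLE_OCSF_EVENT}
    for rel in (related_event_from_ocsf(SAMPLE_OCSF_EVENT),
                related_event_from_source(SAMPLE_SOURCE_ALERT)):
        print(rel["uid"], validate_related_event(rel, index) or "ok")
```

The validator treats the presence of type_uid as the signal that the reference is to an OCSF event, which is why the uid lookup is only enforced in that branch; a non-OCSF related event keeps the source's own identifier in uid and the original record in raw_data.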
Relationships
Inbound Relationships
These objects and events reference Related Event/Finding in their attributes:
Outbound Relationships
Related Event/Finding references the following objects and events in its attributes:
This page describes ocsf-1.4.0