Related Event/Finding

related_event

The Related Event object describes an event or another finding related to a finding. It may or may not be an OCSF event.

Attributes

Caption | Name | Type | Description
MITRE ATT&CK® Details | attacks | MITRE ATT&CK®[] | An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques.
Count | count | Integer | The number of times that activity in the same logical group occurred, as reported by the related Finding.
Created Time | created_time | Timestamp | The time when the related event/finding was created.
Description | desc | String | A description of the related event/finding.
First Seen | first_seen_time | Timestamp | The time when the finding was first observed, e.g. the time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created.
Kill Chain | kill_chain | Kill Chain Phase[] | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
Last Seen | last_seen_time | Timestamp | The time when the finding was most recently observed, e.g. the time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
Modified Time | modified_time | Timestamp | The time when the related event/finding was last modified.
Observables | observables | Observable[] | The observables associated with the event or a finding.
Product | product | Product[] | Details about the product that reported the related event/finding.
Product Identifier | product_uid | String | The unique identifier of the product that reported the related event. 🚧 WARNING: DEPRECATED. Product Identifier has been deprecated since 1.4.0. Use the uid attribute in the product object instead. See specific usage.
Raw Data | raw_data | JSON | (Group: context) The event data as received from the event source.
Record ID | record_id | String | (Group: primary) Unique identifier for the object.
Severity | severity | String | The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
Severity ID | severity_id | Integer | The normalized identifier of the event/finding severity. The normalized severity is a measurement of the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. Values: 0 Unknown (UNKNOWN); 1 Informational (INFORMATIONAL); 2 Low (LOW); 3 Medium (MEDIUM); 4 High (HIGH); 5 Critical (CRITICAL); 6 Fatal (FATAL); 99 Other (OTHER).
Tags | tags | Key:Value object[] | The list of tags; {key:value} pairs associated with the related event/finding.
Title | title | String | A title or a brief phrase summarizing the related event/finding.
Type | type | String | The type of the related event/finding. Populate if the related event/finding is NOT in OCSF. If it is in OCSF, then utilize type_name and type_uid instead.
Type Name | type_name | String | The type of the related OCSF event, as defined by type_uid. For example: Process Activity: Launch. Populate if the related event/finding is in OCSF.
Type ID | type_uid | Long | The unique identifier of the related OCSF event type. For example: 100701. Populate if the related event/finding is in OCSF.
Unique ID | uid | String | The unique identifier of the related event/finding. If the related event/finding is in OCSF, then this value must be equal to metadata.uid in the corresponding event.
Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema.
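As an added example (not part of the OCSF schema or its tooling), the following Python function checks a related_event object against the constraints stated in the table above: type versus type_name/type_uid, severity matching the caption of severity_id, the deprecated product_uid, and uid matching metadata.uid of the corresponding OCSF event. The sample objects used in the usage block are constructed for illustration.

```python
from typing import List, Optional

# Severity captions keyed by severity_id, as listed in the attribute table.
SEVERITY = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium",
            4: "High", 5: "Critical", 6: "Fatal", 99: "Other"}


def check_related_event(rel: dict, corresponding_event: Optional[dict] = None) -> List[str]:
    """Return a list of problems found; an empty list means the object is consistent.

    corresponding_event is the OCSF event that `rel` refers to, if it is available,
    so that rel.uid can be compared with that event's metadata.uid.
    """
    problems = []
    in_ocsf = "type_uid" in rel or "type_name" in rel

    # Events that are in OCSF use type_name/type_uid; events that are not use type.
    if in_ocsf:
        if "type" in rel:
            problems.append("type must not be populated when type_uid/type_name are set")
        if "type_uid" not in rel or "type_name" not in rel:
            problems.append("both type_uid and type_name are required for an OCSF event")
    elif "type" not in rel:
        problems.append("type is required when the related event is not in OCSF")

    # severity must be the caption of severity_id; for Other (99) it is source-defined.
    sid = rel.get("severity_id")
    if sid is not None:
        if sid not in SEVERITY:
            problems.append(f"unknown severity_id {sid}")
        elif sid != 99 and "severity" in rel and rel["severity"] != SEVERITY[sid]:
            problems.append(f"severity {rel['severity']!r} does not match severity_id {sid}")

    # product_uid is deprecated since 1.4.0 in favour of product.uid.
    if "product_uid" in rel:
        problems.append("product_uid is deprecated; use product.uid instead")

    # For an OCSF event, uid must equal metadata.uid of the corresponding event.
    if in_ocsf and corresponding_event is not None:
        expected = corresponding_event.get("metadata", {}).get("uid")
        if rel.get("uid") != expected:
            problems.append(f"uid {rel.get('uid')!r} != corresponding metadata.uid {expected!r}")

    return problems


if __name__ == "__main__":
    # Constructed sample: a related OCSF Process Activity: Launch event.
    rel = {"type_uid": 100701, "type_name": "Process Activity: Launch",
           "uid": "evt-0001", "severity_id": 4, "severity": "High"}
    print(check_related_event(rel, {"metadata": {"uid": "evt-0001"}}))  # []
```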

Relationships

Related Event/Finding shown in context

Inbound Relationships

These objects and events reference Related Event/Finding in their attributes:

Outbound Relationships

Related Event/Finding references the following objects and events in its attributes:

This page describes ocsf-1.4.0