Skip to content

Finding Information

The Finding Information object describes metadata related to a security finding generated by a security tool or system.

Attributes

Section titled “Attributes”

title

  • Type: string_t
  • Requirement: required

A title or a brief phrase summarizing the reported finding.

uid

  • Type: string_t
  • Requirement: required

The unique identifier of the reported finding.

analytic

  • Type: analytic
  • Requirement: recommended

The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.

attacks

  • Type: attack
  • Requirement: optional

The MITRE ATT&CK® technique and associated tactics related to the finding.

created_time

  • Type: timestamp_t
  • Requirement: optional

The time when the finding was created.

created_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the finding was created.

data_sources

  • Type: string_t
  • Requirement: optional

A list of data sources utilized in generation of the finding.

desc

  • Type: string_t
  • Requirement: optional

The description of the reported finding.

first_seen_time

  • Type: timestamp_t
  • Requirement: optional

The time when the finding was first observed. e.g. The time when a vulnerability was first observed.

It can differ from the created_time timestamp, which reflects the time this finding was created.

first_seen_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the finding was first observed. e.g. The time when a vulnerability was first observed.

It can differ from the created_time timestamp, which reflects the time this finding was created.

kill_chain

The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.

last_seen_time

  • Type: timestamp_t
  • Requirement: optional

The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.

It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

last_seen_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.

It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

modified_time

  • Type: timestamp_t
  • Requirement: optional

The time when the finding was last modified.

modified_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the finding was last modified.

product_uid

  • Type: string_t
  • Requirement: optional

The unique identifier of the product that reported the finding.

related_analytics

Other analytics related to this finding.

related_events

Describes events and/or other findings related to the finding as identified by the security product.

src_url

  • Type: url_t
  • Requirement: optional

The URL pointing to the source of the finding.

types

  • Type: string_t
  • Requirement: optional

One or more types of the reported finding.

Used By

Section titled “Used By”