The Finding Information object describes metadata related to a security finding generated by a security tool or system.
Attributes
Section titled “Attributes”uid
- Type:
string_t - Requirement: required
The unique identifier of the reported finding.
analytic
- Type:
analytic - Requirement: recommended
The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.
title
- Type:
string_t - Requirement: recommended
A title or a brief phrase summarizing the reported finding.
attacks
- Type:
attack - Requirement: optional
The MITRE ATT&CK® technique and associated tactics related to the finding.
created_time
- Type:
timestamp_t - Requirement: optional
The time when the finding was created.
created_time_dt
- Type:
datetime_t - Requirement: optional
The time when the finding was created.
data_sources
- Type:
string_t - Requirement: optional
A list of data sources utilized in generation of the finding.
desc
- Type:
string_t - Requirement: optional
The description of the reported finding.
first_seen_time
- Type:
timestamp_t - Requirement: optional
The time when the finding was first observed. e.g. The time when a vulnerability was first observed.
It can differ from the created_time timestamp, which reflects the time this finding was created.
first_seen_time_dt
- Type:
datetime_t - Requirement: optional
The time when the finding was first observed. e.g. The time when a vulnerability was first observed.
It can differ from the created_time timestamp, which reflects the time this finding was created.
kill_chain
- Type:
kill_chain_phase - Requirement: optional
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
last_seen_time
- Type:
timestamp_t - Requirement: optional
The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
last_seen_time_dt
- Type:
datetime_t - Requirement: optional
The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
modified_time
- Type:
timestamp_t - Requirement: optional
The time when the finding was last modified.
modified_time_dt
- Type:
datetime_t - Requirement: optional
The time when the finding was last modified.
product
- Type:
product - Requirement: optional
Details about the product that reported the finding.
product_uid
- Type:
string_t - Requirement: optional
The unique identifier of the product that reported the finding.
related_analytics
- Type:
analytic - Requirement: optional
Other analytics related to this finding.
related_events
- Type:
related_event - Requirement: optional
Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.
related_events_count
- Type:
integer_t - Requirement: optional
Number of related events or findings.
src_url
- Type:
url_t - Requirement: optional
The URL pointing to the source of the finding.
tags
- Type:
key_value_object - Requirement: optional
The list of tags; {key:value} pairs associated with the finding.
traits
- Type:
trait - Requirement: optional
The list of key traits or characteristics extracted from the finding.
types
- Type:
string_t - Requirement: optional
One or more types of the reported finding.
uid_alt
- Type:
string_t - Requirement: optional
The alternative unique identifier of the reported finding.