The Finding Information object describes metadata related to a security finding generated by a security tool or system.
Attributes

uid
- Type: string_t
- Requirement: required
The unique identifier of the reported finding.

analytic
- Type: analytic
- Requirement: recommended
The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.

title
- Type: string_t
- Requirement: recommended
A title or a brief phrase summarizing the reported finding.

attack_graph
- Type: graph
- Requirement: optional
An Attack Graph describes possible routes an attacker could take through an environment. It describes relationships between resources and their findings, such as malware detections, vulnerabilities, misconfigurations, and other security actions.

attacks
- Type: attack
- Requirement: optional
The MITRE ATT&CK® technique and associated tactics related to the finding.

created_time
- Type: timestamp_t
- Requirement: optional
The time when the finding was created.

created_time_dt
- Type: datetime_t
- Requirement: optional
The time when the finding was created.

data_sources
- Type: string_t
- Requirement: optional
A list of data sources utilized in generation of the finding.

desc
- Type: string_t
- Requirement: optional
The description of the reported finding.

first_seen_time
- Type: timestamp_t
- Requirement: optional
The time when the finding was first observed, e.g. the time when a vulnerability was first observed.
It can differ from the created_time timestamp, which reflects the time this finding was created.

first_seen_time_dt
- Type: datetime_t
- Requirement: optional
The time when the finding was first observed, e.g. the time when a vulnerability was first observed.
It can differ from the created_time timestamp, which reflects the time this finding was created.

kill_chain
- Type: kill_chain_phase
- Requirement: optional
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.

last_seen_time
- Type: timestamp_t
- Requirement: optional
The time when the finding was most recently observed, e.g. the time when a vulnerability was most recently observed.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

last_seen_time_dt
- Type: datetime_t
- Requirement: optional
The time when the finding was most recently observed, e.g. the time when a vulnerability was most recently observed.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

modified_time
- Type: timestamp_t
- Requirement: optional
The time when the finding was last modified.

modified_time_dt
- Type: datetime_t
- Requirement: optional
The time when the finding was last modified.

product
- Type: product
- Requirement: optional
Details about the product that reported the finding.

product_uid
- Type: string_t
- Requirement: optional
The unique identifier of the product that reported the finding.

related_analytics
- Type: analytic
- Requirement: optional
Other analytics related to this finding.

related_events
- Type: related_event
- Requirement: optional
Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.

related_events_count
- Type: integer_t
- Requirement: optional
Number of related events or findings.

src_url
- Type: url_t
- Requirement: optional
The URL pointing to the source of the finding.

tags
- Type: key_value_object
- Requirement: optional
The list of tags; {key:value} pairs associated with the finding.

traits
- Type: trait
- Requirement: optional
The list of key traits or characteristics extracted from the finding.

types
- Type: string_t
- Requirement: optional
One or more types of the reported finding.

uid_alt
- Type: string_t
- Requirement: optional
The alternative unique identifier of the reported finding.
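The attribute table above fixes requirement levels and pairs each timestamp_t attribute with a datetime_t twin. The following added example (not OCSF's own code) validates a finding_info dictionary against those rules: it rejects a missing required uid, warns on missing recommended attributes, and checks that each *_time / *_time_dt pair describes the same instant and that first_seen_time does not come after last_seen_time. It assumes OCSF's encoding of timestamp_t as epoch milliseconds and datetime_t as an RFC 3339 string; the sample finding and its analytic, product and related_events values are constructed for illustration.

```python
from datetime import datetime, timezone

# Requirement levels taken from the finding_info attribute table.
REQUIRED = ("uid",)
RECOMMENDED = ("analytic", "title")
# Each timestamp_t attribute has a datetime_t twin describing the same instant.
TIME_PAIRS = (
    ("created_time", "created_time_dt"),
    ("first_seen_time", "first_seen_time_dt"),
    ("last_seen_time", "last_seen_time_dt"),
    ("modified_time", "modified_time_dt"),
)


def epoch_ms_to_dt(ms: int) -> str:
    """Render epoch milliseconds (timestamp_t) as an RFC 3339 UTC string (datetime_t).
    Assumption: this is the encoding OCSF uses for the two time types."""
    dt = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def validate_finding_info(info: dict) -> dict:
    """Return {"errors": [...], "warnings": [...]} for a finding_info dict."""
    errors, warnings = [], []
    for attr in REQUIRED:
        if not info.get(attr):
            errors.append(f"missing required attribute: {attr}")
    for attr in RECOMMENDED:
        if attr not in info:
            warnings.append(f"missing recommended attribute: {attr}")
    for ts_key, dt_key in TIME_PAIRS:
        if ts_key in info and dt_key in info:
            # Parse both representations and compare instants, not strings.
            from_ts = datetime.fromtimestamp(info[ts_key] / 1000, tz=timezone.utc)
            from_dt = datetime.fromisoformat(info[dt_key].replace("Z", "+00:00"))
            if from_ts != from_dt:
                errors.append(f"{ts_key} and {dt_key} disagree")
    # A finding cannot have been last seen before it was first seen.
    if info.get("first_seen_time", 0) > info.get("last_seen_time", float("inf")):
        errors.append("first_seen_time is later than last_seen_time")
    # The count attribute should agree with the listed related events when both exist.
    if "related_events" in info and "related_events_count" in info:
        if len(info["related_events"]) != info["related_events_count"]:
            warnings.append("related_events_count does not match related_events")
    return {"errors": errors, "warnings": warnings}


# Constructed sample: a vulnerability finding first seen a day before it was created.
SAMPLE_FINDING_INFO = {
    "uid": "finding-0001", "title": "Outdated TLS library on web tier",
    "analytic": {"type": "Rule", "name": "vuln-match"},  # constructed analytic
    "created_time": 1709290800000, "created_time_dt": "2024-03-01T11:00:00Z",
    "first_seen_time": 1709204400000, "first_seen_time_dt": "2024-02-29T11:00:00Z",
    "last_seen_time": 1709290800000, "last_seen_time_dt": "2024-03-01T11:00:00Z",
    "related_events": [{"uid": "evt-1"}], "related_events_count": 1,
}
```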