Skip to content

Related Event/Finding

The Related Event object describes an event or another finding related to a finding. It may or may not be an OCSF event.

Attributes

Section titled “Attributes”

uid

  • Type: string_t
  • Requirement: required

The unique identifier of the related event/finding. If the related event/finding is in OCSF, then this value must be equal to metadata.uid in the corresponding event.

severity_id

  • Type: integer_t
  • Requirement: recommended
  • Values:
    • 0 - Unknown: The event/finding severity is unknown.
    • 1 - Informational: Informational message. No action required.
    • 2 - Low: The user decides if action is needed.
    • 3 - Medium: Action is required but the situation is not serious at this time.
    • 4 - High: Action is required immediately.
    • 5 - Critical: Action is required immediately and the scope is broad.
    • 6 - Fatal: An error occurred but it is too late to take remedial action.
    • 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

The normalized identifier of the event/finding severity.The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.

type_uid

  • Type: long_t
  • Requirement: recommended

The unique identifier of the related OCSF event type.

For example: 100701.Populate if the related event/finding is in OCSF.

attacks

  • Type: attack
  • Requirement: optional

An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.

count

  • Type: integer_t
  • Requirement: optional

The number of times that activity in the same logical group occurred, as reported by the related Finding.

created_time

  • Type: timestamp_t
  • Requirement: optional

The time when the related event/finding was created.

created_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the related event/finding was created.

desc

  • Type: string_t
  • Requirement: optional

A description of the related event/finding.

first_seen_time

  • Type: timestamp_t
  • Requirement: optional

The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created.

first_seen_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created.

kill_chain

The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.

last_seen_time

  • Type: timestamp_t
  • Requirement: optional

The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

last_seen_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

modified_time

  • Type: timestamp_t
  • Requirement: optional

The time when the related event/finding was last modified.

modified_time_dt

  • Type: datetime_t
  • Requirement: optional

The time when the related event/finding was last modified.

observables

The observables associated with the event or a finding.

product

  • Type: product
  • Requirement: optional

Details about the product that reported the related event/finding.

product_uid

  • Type: string_t
  • Requirement: optional

The unique identifier of the product that reported the related event.

severity

  • Type: string_t
  • Requirement: optional

The event/finding severity, normalized to the caption of the severity_id value. In the case of ‘Other’, it is defined by the source.

status

  • Type: string_t
  • Requirement: optional

The related event status. Should correspond to the label of the status_id (or ‘Other’ status value for status_id = 99) of the related event.

tags

The list of tags; {key:value} pairs associated with the related event/finding.

title

  • Type: string_t
  • Requirement: optional

A title or a brief phrase summarizing the related event/finding.

traits

  • Type: trait
  • Requirement: optional

The list of key traits or characteristics extracted from the related event/finding that influenced or contributed to the overall finding’s outcome.

type

  • Type: string_t
  • Requirement: optional

The type of the related event/finding.Populate if the related event/finding is NOT in OCSF. If it is in OCSF, then utilize type_name, type_uid instead.

type_name

  • Type: string_t
  • Requirement: optional

The type of the related OCSF event, as defined by type_uid.

For example: Process Activity: Launch.Populate if the related event/finding is in OCSF.