Security Finding
[2001]
Class
Applicable Profiles: Cloud Container Data Classification Date/Time Host Linux Users macOS Users OSINT Security Control
Findings Category
Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products
DEPRECATED since v1.1.0
Use the new specific classes according to the use-case: Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding, Data Security Finding.
| Name | Caption | Group | Requirement | Type | Description | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| activity_id | Activity ID | classification | Required | Integer | The normalized identifier of the activity that triggered the event.
This is an enum attribute; its string sibling is activity_name. |
||||||||||||||||
| activity_name | Activity | classification | Optional | String | The event activity name, as defined by the activity_id. This is the string sibling of enum attribute activity_id. |
||||||||||||||||
| analytic | Analytic | primary | Recommended | Analytic | The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion. | ||||||||||||||||
| attacks | MITRE ATT&CK® and ATLAS™ Details | context | Optional | MITRE ATT&CK® & ATLAS™ Array | An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques associated to the Finding. |
||||||||||||||||
| category_name | Category | classification | Optional | String | The event category name, as defined by category_uid value: Findings. This is the string sibling of enum attribute category_uid. |
||||||||||||||||
| category_uid | Category ID | classification | Required | Integer | The category unique identifier of the event.
This is an enum attribute; its string sibling is category_name. |
||||||||||||||||
| cis_csc | CIS CSC | context | Optional | CIS CSC Array | The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented. DEPRECATED since v1.5.0 Use CIS Controls for standard benchmark controls. |
||||||||||||||||
| class_name | Class | classification | Optional | String | The event class name, as defined by class_uid value: Security Finding. This is the string sibling of enum attribute class_uid. |
||||||||||||||||
| class_uid | Class ID | classification | Required | Integer | The unique identifier of a class. A class describes the attributes available in an event.
This is an enum attribute; its string sibling is class_name. |
||||||||||||||||
| compliance | Compliance | context | Optional | Compliance | The compliance object provides context to compliance findings (e.g., a check against a specific regulatory or best practice framework such as CIS, NIST etc.) and contains compliance related details. | ||||||||||||||||
| confidence | Confidence | primary | Recommended | String | The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. This is the string sibling of enum attribute confidence_id. |
||||||||||||||||
| confidence_id | Confidence ID | primary | Recommended | Integer | The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature.
This is an enum attribute; its string sibling is confidence. |
||||||||||||||||
| confidence_score | Confidence Score | primary | Recommended | Integer | The confidence score as reported by the event source. | ||||||||||||||||
| count | Count | occurrence | Optional | Integer | The number of times that events in the same logical group occurred during the event Start Time to End Time period. | ||||||||||||||||
| data_sources | Data Sources | context | Optional | String Array | A list of data sources utilized in generation of the finding. | ||||||||||||||||
| duration | Duration Milliseconds | occurrence | Optional | Long | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. |
||||||||||||||||
| end_time | End Time | occurrence | Optional | Timestamp | The end time of a time period, or the time of the most recent event included in the aggregate event. | ||||||||||||||||
| enrichments | Enrichments | context | Optional | Enrichment Array | The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}] |
||||||||||||||||
| evidence | Evidence | context | Optional | JSON | The data the finding exposes to the analyst. DEPRECATED since v1.1.0 Use the evidences attribute instead. |
||||||||||||||||
| finding | Finding | primary | Required | Finding | The Finding object provides details about a finding/detection generated by a security tool. | ||||||||||||||||
| impact | Impact | primary | Recommended | String | The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source. This is the string sibling of enum attribute impact_id. |
||||||||||||||||
| impact_id | Impact ID | primary | Recommended | Integer | The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.
This is an enum attribute; its string sibling is impact. |
||||||||||||||||
| impact_score | Impact Score | primary | Recommended | Integer | The impact as an integer value of the finding, valid range 0-100. | ||||||||||||||||
| kill_chain | Kill Chain | context | Optional | Kill Chain Phase Array | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. | ||||||||||||||||
| malware | Malware | context | Optional | Malware Array | A list of Malware objects, describing details about the identified malware. | ||||||||||||||||
| message | Message | primary | Recommended | String | The description of the event/finding, as defined by the source. | ||||||||||||||||
| metadata | Metadata | context | Required | Metadata | The metadata associated with the event or a finding. | ||||||||||||||||
| nist | NIST List | context | Optional | String Array | The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. | ||||||||||||||||
| observables | Observables | primary | Recommended | Observable Array | The observables associated with the event or a finding. Refs:OCSF Observables FAQ |
||||||||||||||||
| process | Process O | context | Optional | Process | The process object. | ||||||||||||||||
| raw_data | Raw Data | context | Optional | String | The raw event/finding data as received from the source. | ||||||||||||||||
| raw_data_hash | Raw Data Hash O | context | Optional | Fingerprint | The hash, which describes the content of the raw_data field. | ||||||||||||||||
| raw_data_size | Raw Data Size | context | Optional | Long | The size of the raw data which was transformed into an OCSF event, in bytes. | ||||||||||||||||
| resources | Resources Array | primary | Recommended | Resource Details Array | Describes details about resources that were affected by the activity/event. | ||||||||||||||||
| risk_level | Risk Level | primary | Recommended | String | The risk level, normalized to the caption of the risk_level_id value. This is the string sibling of enum attribute risk_level_id. |
||||||||||||||||
| risk_level_id | Risk Level ID | primary | Recommended | Integer | The normalized risk level id.
This is an enum attribute; its string sibling is risk_level. |
||||||||||||||||
| risk_score | Risk Score | primary | Recommended | Integer | The risk score as reported by the event source. | ||||||||||||||||
| severity | Severity | classification | Optional | String | The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source. This is the string sibling of enum attribute severity_id. |
||||||||||||||||
| severity_id | Severity ID | classification | Required | Integer | The normalized identifier of the event/finding severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
This is an enum attribute; its string sibling is severity. |
||||||||||||||||
| start_time | Start Time | occurrence | Optional | Timestamp | The start time of a time period, or the time of the least recent event included in the aggregate event. | ||||||||||||||||
| state | State | context | Optional | String | The normalized state of a security finding. This is the string sibling of enum attribute state_id. |
||||||||||||||||
| state_id | State ID | context | Required | Integer | The normalized state identifier of a security finding.
This is an enum attribute; its string sibling is state. |
||||||||||||||||
| status | Status | primary | Recommended | String | The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. This is the string sibling of enum attribute status_id. |
||||||||||||||||
| status_code | Status Code | primary | Recommended | String | The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18. |
||||||||||||||||
| status_detail | Status Detail | primary | Recommended | String | The status detail contains additional information about the event/finding outcome. | ||||||||||||||||
| status_id | Status ID | primary | Recommended | Integer | The normalized identifier of the event status.
This is an enum attribute; its string sibling is status. |
||||||||||||||||
| time | Event Time | occurrence | Required | Timestamp | The normalized event occurrence time or the finding creation time. | ||||||||||||||||
| timezone_offset | Timezone Offset | occurrence | Recommended | Integer | The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080. |
||||||||||||||||
| type_name | Type Name | classification | Optional | String | The event/finding type name, as defined by the type_uid. This is the string sibling of enum attribute type_uid. |
||||||||||||||||
| type_uid | Type ID | classification | Required | Long | The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.
This is an enum attribute; its string sibling is type_name. |
||||||||||||||||
| unmapped | Unmapped Data | context | Optional | Object | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | ||||||||||||||||
| vulnerabilities | Vulnerabilities | context | Optional | Vulnerability Details Array | This object describes vulnerabilities reported in a security finding. |