Class: DataSecurityFinding
A Data Security Finding describes detections or alerts generated by various
data security products such as Data Loss Prevention (DLP), Data Classification,
Secrets Management, Digital Rights Management (DRM), Data Security Posture
Management (DSPM), and similar tools. These detections or alerts can be created
using fingerprinting, statistical analysis, machine learning or other
methodologies. The finding describes the actors and endpoints who accessed or
own the sensitive data, as well as the resources which store the sensitive
data. Note: if the event producer is a security control, the
security_control profile should be applied and its
attacks information, if present, should be duplicated into the
finding_info object.
Note: If the Finding is
an incident, i.e. requires incident workflow, also apply the
incident profile or aggregate this finding into an Incident
Finding.
classDiagram
class DataSecurityFinding
click DataSecurityFinding href "../DataSecurityFinding/"
Finding <|-- DataSecurityFinding
click Finding href "../Finding/"
DataSecurityFinding : action
DataSecurityFinding : action_id
DataSecurityFinding --> "0..1 _recommended_" ActionIdEnum : action_id
click ActionIdEnum href "../ActionIdEnum/"
DataSecurityFinding : activity_id
DataSecurityFinding --> "1" DataSecurityFindingActivityIdEnum : activity_id
click DataSecurityFindingActivityIdEnum href "../DataSecurityFindingActivityIdEnum/"
DataSecurityFinding : activity_name
DataSecurityFinding : actor
DataSecurityFinding --> "0..1 _recommended_" Actor : actor
click Actor href "../Actor/"
DataSecurityFinding : api
DataSecurityFinding --> "0..1" Api : api
click Api href "../Api/"
DataSecurityFinding : assignee
DataSecurityFinding --> "0..1" User : assignee
click User href "../User/"
DataSecurityFinding : assignee_group
DataSecurityFinding --> "0..1" Group : assignee_group
click Group href "../Group/"
DataSecurityFinding : attacks
DataSecurityFinding --> "*" Attack : attacks
click Attack href "../Attack/"
DataSecurityFinding : authorizations
DataSecurityFinding --> "*" Authorization : authorizations
click Authorization href "../Authorization/"
DataSecurityFinding : category_name
DataSecurityFinding : category_uid
DataSecurityFinding --> "1" BaseEventCategoryUidEnum : category_uid
click BaseEventCategoryUidEnum href "../BaseEventCategoryUidEnum/"
DataSecurityFinding : class_name
DataSecurityFinding : class_uid
DataSecurityFinding --> "1" BaseEventClassUidEnum : class_uid
click BaseEventClassUidEnum href "../BaseEventClassUidEnum/"
DataSecurityFinding : cloud
DataSecurityFinding --> "1" Cloud : cloud
click Cloud href "../Cloud/"
DataSecurityFinding : comment
DataSecurityFinding : confidence
DataSecurityFinding : confidence_id
DataSecurityFinding --> "0..1 _recommended_" ConfidenceIdEnum : confidence_id
click ConfidenceIdEnum href "../ConfidenceIdEnum/"
DataSecurityFinding : confidence_score
DataSecurityFinding : count
DataSecurityFinding : data_security
DataSecurityFinding --> "0..1 _recommended_" DataSecurity : data_security
click DataSecurity href "../DataSecurity/"
DataSecurityFinding : database
DataSecurityFinding --> "0..1 _recommended_" Database : database
click Database href "../Database/"
DataSecurityFinding : databucket
DataSecurityFinding --> "0..1 _recommended_" Databucket : databucket
click Databucket href "../Databucket/"
DataSecurityFinding : device
DataSecurityFinding --> "0..1 _recommended_" Device : device
click Device href "../Device/"
DataSecurityFinding : disposition
DataSecurityFinding : disposition_id
DataSecurityFinding --> "0..1 _recommended_" DispositionIdEnum : disposition_id
click DispositionIdEnum href "../DispositionIdEnum/"
DataSecurityFinding : dst_endpoint
DataSecurityFinding --> "0..1 _recommended_" NetworkEndpoint : dst_endpoint
click NetworkEndpoint href "../NetworkEndpoint/"
DataSecurityFinding : duration
DataSecurityFinding : end_time
DataSecurityFinding : enrichments
DataSecurityFinding --> "*" Enrichment : enrichments
click Enrichment href "../Enrichment/"
DataSecurityFinding : file
DataSecurityFinding --> "0..1 _recommended_" File : file
click File href "../File/"
DataSecurityFinding : finding_info
DataSecurityFinding --> "1" FindingInfo : finding_info
click FindingInfo href "../FindingInfo/"
DataSecurityFinding : firewall_rule
DataSecurityFinding --> "0..1" FirewallRule : firewall_rule
click FirewallRule href "../FirewallRule/"
DataSecurityFinding : impact
DataSecurityFinding : impact_id
DataSecurityFinding --> "0..1 _recommended_" ImpactIdEnum : impact_id
click ImpactIdEnum href "../ImpactIdEnum/"
DataSecurityFinding : impact_score
DataSecurityFinding : is_alert
DataSecurityFinding : is_suspected_breach
DataSecurityFinding : malware
DataSecurityFinding --> "*" Malware : malware
click Malware href "../Malware/"
DataSecurityFinding : malware_scan_info
DataSecurityFinding --> "0..1" MalwareScanInfo : malware_scan_info
click MalwareScanInfo href "../MalwareScanInfo/"
DataSecurityFinding : message
DataSecurityFinding : metadata
DataSecurityFinding --> "1" Metadata : metadata
click Metadata href "../Metadata/"
DataSecurityFinding : observables
DataSecurityFinding --> "* _recommended_" Observable : observables
click Observable href "../Observable/"
DataSecurityFinding : osint
DataSecurityFinding --> "1..*" Osint : osint
click Osint href "../Osint/"
DataSecurityFinding : policy
DataSecurityFinding --> "0..1" Policy : policy
click Policy href "../Policy/"
DataSecurityFinding : priority
DataSecurityFinding : priority_id
DataSecurityFinding --> "0..1 _recommended_" PriorityIdEnum : priority_id
click PriorityIdEnum href "../PriorityIdEnum/"
DataSecurityFinding : raw_data
DataSecurityFinding : raw_data_hash
DataSecurityFinding --> "0..1" Fingerprint : raw_data_hash
click Fingerprint href "../Fingerprint/"
DataSecurityFinding : raw_data_size
DataSecurityFinding : resources
DataSecurityFinding --> "* _recommended_" ResourceDetails : resources
click ResourceDetails href "../ResourceDetails/"
DataSecurityFinding : risk_details
DataSecurityFinding : risk_level
DataSecurityFinding : risk_level_id
DataSecurityFinding --> "0..1" RiskLevelIdEnum : risk_level_id
click RiskLevelIdEnum href "../RiskLevelIdEnum/"
DataSecurityFinding : risk_score
DataSecurityFinding : severity
DataSecurityFinding : severity_id
DataSecurityFinding --> "1" SeverityIdEnum : severity_id
click SeverityIdEnum href "../SeverityIdEnum/"
DataSecurityFinding : src_endpoint
DataSecurityFinding --> "0..1 _recommended_" NetworkEndpoint : src_endpoint
click NetworkEndpoint href "../NetworkEndpoint/"
DataSecurityFinding : src_url
DataSecurityFinding : start_time
DataSecurityFinding : status
DataSecurityFinding : status_code
DataSecurityFinding : status_detail
DataSecurityFinding : status_id
DataSecurityFinding --> "0..1 _recommended_" FindingStatusIdEnum : status_id
click FindingStatusIdEnum href "../FindingStatusIdEnum/"
DataSecurityFinding : table
DataSecurityFinding --> "0..1 _recommended_" Table : table
click Table href "../Table/"
DataSecurityFinding : ticket
DataSecurityFinding --> "0..1" Ticket : ticket
click Ticket href "../Ticket/"
DataSecurityFinding : tickets
DataSecurityFinding --> "*" Ticket : tickets
click Ticket href "../Ticket/"
DataSecurityFinding : time
DataSecurityFinding : timezone_offset
DataSecurityFinding : type_name
DataSecurityFinding : type_uid
DataSecurityFinding : unmapped
DataSecurityFinding --> "0..1" Object : unmapped
click Object href "../Object/"
DataSecurityFinding : vendor_attributes
DataSecurityFinding --> "0..1" VendorAttributes : vendor_attributes
click VendorAttributes href "../VendorAttributes/"
DataSecurityFinding : verdict
DataSecurityFinding : verdict_id
DataSecurityFinding --> "0..1 _recommended_" VerdictIdEnum : verdict_id
click VerdictIdEnum href "../VerdictIdEnum/"
Inheritance
- BaseEvent [ CloudProfile DatetimeProfile HostProfile OsintProfile SecurityControlProfile]
- Finding [ IncidentProfile]
- DataSecurityFinding
- Finding [ IncidentProfile]
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| activity_id | 1 DataSecurityFindingActivityIdEnum |
The normalized identifier of the Data Security Finding activity | direct |
| activity_name | 0..1 String |
The Data Security finding activity name, as defined by the activity_id value | direct |
| actor | 0..1 recommended Actor |
Describes details about the actor implicated in the data security finding: either an actor that owns a particular digital file or information store, or an actor which accessed classified or sensitive data | direct |
| confidence | 0..1 String |
The confidence, normalized to the caption of the confidence_id value | direct |
| confidence_id | 0..1 recommended ConfidenceIdEnum |
The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature | direct |
| confidence_score | 0..1 Integer |
The confidence score as reported by the event source | direct |
| data_security | 0..1 recommended DataSecurity |
The Data Security object describes the characteristics, techniques and content of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data Classification, or similar tools' finding, alert, or detection mechanism(s) | direct |
| database | 0..1 recommended Database |
Describes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data | direct |
| databucket | 0..1 recommended Databucket |
Describes the databucket where classified or sensitive data is stored in, or was accessed from. The data bucket object is a basic container that holds data, typically organized through the use of data partitions | direct |
| device | 0..1 recommended Device |
Describes the device where classified or sensitive data is stored in, or was accessed from | direct |
| dst_endpoint | 0..1 recommended NetworkEndpoint |
Describes the endpoint where classified or sensitive data is stored in, or was accessed from | direct |
| file | 0..1 recommended File |
Describes a file that contains classified or sensitive data | direct |
| impact | 0..1 recommended String |
The impact, normalized to the caption of the impact_id value | direct |
| impact_id | 0..1 recommended ImpactIdEnum |
The normalized impact of the incident or finding | direct |
| impact_score | 0..1 recommended Integer |
The impact as an integer value of the finding, valid range 0-100 | direct |
| is_alert | 0..1 recommended Boolean |
Indicates that the event is considered to be an alertable signal. For example, an activity_id of 'Create' could constitute an alertable signal and the value would be true, while 'Close' likely would not and either omit the attribute or set its value to false. Note that other events with the security_control profile may also be deemed alertable signals and may also carry is_alert = true attributes | direct |
| resources | * recommended ResourceDetails |
Describes details about additional resources, where classified or sensitive data is stored in, or was accessed from. Populate this object if the specific resource type objects available in the class (database, databucket, table, file) aren't sufficient, or duplicate the uid and name of the specific resource objects here for consistent access to resource uids across all findings | direct |
| risk_details | 0..1 String |
Describes the risk associated with the finding | direct |
| risk_level | 0..1 String |
The risk level, normalized to the caption of the risk_level_id value | direct |
| risk_level_id | 0..1 RiskLevelIdEnum |
The normalized risk level id | direct |
| risk_score | 0..1 Integer |
The risk score as reported by the event source | direct |
| src_endpoint | 0..1 recommended NetworkEndpoint |
Details about the source endpoint where classified or sensitive data was accessed from | direct |
| table | 0..1 recommended Table |
Describes the table where classified or sensitive data is stored in, or was accessed from. The table object represents a table within a structured relational database, warehouse, lake, or similar | direct |
| comment | 0..1 String |
A user provided comment about the finding | Finding |
| end_time | 0..1 TimestampT |
The time of the most recent event included in the finding | Finding, BaseEvent |
| finding_info | 1 FindingInfo |
Describes the supporting information about a generated finding | Finding |
| start_time | 0..1 TimestampT |
The time of the least recent event included in the finding | Finding, BaseEvent |
| status | 0..1 recommended String |
The normalized status of the Finding set by the consumer normalized to the | Finding, BaseEvent |
| status_id | 0..1 recommended FindingStatusIdEnum |
The normalized status identifier of the Finding, set by the consumer | Finding, BaseEvent |
| vendor_attributes | 0..1 VendorAttributes |
The Vendor Attributes object can be used to represent values of attributes | Finding |
| assignee | 0..1 User |
The details of the user assigned to an Incident | IncidentProfile |
| assignee_group | 0..1 Group |
The details of the group assigned to an Incident | IncidentProfile |
| is_suspected_breach | 0..1 Boolean |
A determination based on analytics as to whether a potential breach was found | IncidentProfile |
| priority | 0..1 String |
The priority, normalized to the caption of the priority_id value | IncidentProfile |
| priority_id | 0..1 recommended PriorityIdEnum |
The normalized priority | IncidentProfile |
| src_url | 0..1 recommended UrlT |
A Url link used to access the original incident | IncidentProfile |
| ticket | 0..1 Ticket |
The linked ticket in the ticketing system | IncidentProfile |
| tickets | * Ticket |
The associated ticket(s) in the ticketing system | IncidentProfile |
| verdict | 0..1 recommended String |
The verdict assigned to an Incident finding | IncidentProfile |
| verdict_id | 0..1 recommended VerdictIdEnum |
The normalized verdict of an Incident | IncidentProfile |
| category_name | 0..1 String |
The event category name, as defined by category_uid value | BaseEvent |
| category_uid | 1 BaseEventCategoryUidEnum |
The category unique identifier of the event | BaseEvent |
| class_name | 0..1 String |
The event class name, as defined by class_uid value | BaseEvent |
| class_uid | 1 BaseEventClassUidEnum |
The unique identifier of a class | BaseEvent |
| count | 0..1 Integer |
The number of times that events in the same logical group occurred during the | BaseEvent |
| duration | 0..1 Integer |
The event duration or aggregate time, the amount of time the event covers fro... | BaseEvent |
| enrichments | * Enrichment |
The additional information from an external data source, which is associated | BaseEvent |
| message | 0..1 recommended String |
The description of the event/finding, as defined by the source | BaseEvent |
| metadata | 1 Metadata |
The metadata associated with the event or a finding | BaseEvent |
| observables | * recommended Observable |
The observables associated with the event or a finding | BaseEvent |
| raw_data | 0..1 String |
The raw event/finding data as received from the source. Note that for a data security finding the source's raw output may itself contain the classified or sensitive content that was matched, so consumers should store and expose this field with the same care as the data the finding describes | BaseEvent |
| raw_data_hash | 0..1 Fingerprint |
The hash, which describes the content of the raw_data field | BaseEvent |
| raw_data_size | 0..1 Integer |
The size of the raw data which was transformed into an OCSF event, in bytes | BaseEvent |
| severity | 0..1 String |
The event/finding severity, normalized to the caption of the severity_id value | BaseEvent |
| severity_id | 1 SeverityIdEnum |
The normalized identifier of the event/finding severity |
BaseEvent |
| status_code | 0..1 recommended String |
The event status code, as reported by the event source | BaseEvent |
| status_detail | 0..1 recommended String |
The status detail contains additional information about the event/finding | BaseEvent |
| time | 1 TimestampT |
The normalized event occurrence time or the finding creation time | BaseEvent |
| timezone_offset | 0..1 recommended Integer |
The number of minutes that the reported event time is ahead or |
BaseEvent |
| type_name | 0..1 String |
The event/finding type name, as defined by the type_uid | BaseEvent |
| type_uid | 1 Integer |
The event/finding type ID | BaseEvent |
| unmapped | 0..1 Object |
The attributes that are not mapped to the event schema | BaseEvent |
| api | 0..1 Api |
Describes details about a typical API (Application Programming Interface) cal... | CloudProfile |
| cloud | 1 Cloud |
Describes details about the Cloud environment where the event or finding was | CloudProfile |
| osint | 1..* Osint |
The OSINT (Open Source Intelligence) object contains details related to an | OsintProfile |
| action | 0..1 String |
The normalized caption of action_id |
SecurityControlProfile |
| action_id | 0..1 recommended ActionIdEnum |
The action taken by a control or other policy-based system leading to an | SecurityControlProfile |
| attacks | * Attack |
An array of MITRE ATT&CK® objects describing identified tactics, techniques & | SecurityControlProfile |
| authorizations | * Authorization |
Provides details about an authorization, such as authorization outcome, and a... | SecurityControlProfile |
| disposition | 0..1 String |
The disposition name, normalized to the caption of the disposition_id value | SecurityControlProfile |
| disposition_id | 0..1 recommended DispositionIdEnum |
Describes the outcome or action taken by a security control, such as access | SecurityControlProfile |
| firewall_rule | 0..1 FirewallRule |
The firewall rule that pertains to the control that triggered the event, if | SecurityControlProfile |
| malware | * Malware |
A list of Malware objects, describing details about the identified malware | SecurityControlProfile |
| malware_scan_info | 0..1 MalwareScanInfo |
Describes details about the scan job that identified malware on the target | SecurityControlProfile |
| policy | 0..1 Policy |
The policy that pertains to the control that triggered the event, if | SecurityControlProfile |
In Subsets
Aliases
- Data Security Finding
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_event_uid | 6 |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:DataSecurityFinding |
| native | ocsf:DataSecurityFinding |
LinkML Source
Direct
name: DataSecurityFinding
annotations:
ocsf_event_uid:
tag: ocsf_event_uid
value: 6
description: 'A Data Security Finding describes detections or alerts generated by
various
data security products such as Data Loss Prevention (DLP), Data Classification,
Secrets Management, Digital Rights Management (DRM), Data Security Posture
Management (DSPM), and similar tools. These detections or alerts can be created
using fingerprinting, statistical analysis, machine learning or other
methodologies. The finding describes the actors and endpoints who accessed or
own the sensitive data, as well as the resources which store the sensitive
data. Note: if the event producer is a security control, the
<code>security_control</code> profile should be applied and its
<code>attacks</code> information, if present, should be duplicated into the
<code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is
an incident, i.e. requires incident workflow, also apply the
<code>incident</code> profile or aggregate this finding into an <code>Incident
Finding</code>.'
in_subset:
- findings_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data Security Finding
is_a: Finding
slots:
- activity_id
- activity_name
- actor
- confidence
- confidence_id
- confidence_score
- data_security
- database
- databucket
- device
- dst_endpoint
- file
- impact
- impact_id
- impact_score
- is_alert
- resources
- risk_details
- risk_level
- risk_level_id
- risk_score
- src_endpoint
- table
slot_usage:
activity_id:
name: activity_id
description: The normalized identifier of the Data Security Finding activity.
range: DataSecurityFindingActivityIdEnum
required: true
activity_name:
name: activity_name
description: 'The Data Security finding activity name, as defined by the
<code>activity_id</code>.'
actor:
name: actor
annotations:
group:
tag: group
value: context
description: 'Describes details about the actor implicated in the data security
finding.
Either an actor that owns a particular digital file or information store, or
an
actor which accessed classified or sensitive data.'
recommended: true
confidence:
name: confidence
annotations:
group:
tag: group
value: context
confidence_id:
name: confidence_id
annotations:
group:
tag: group
value: context
recommended: true
confidence_score:
name: confidence_score
annotations:
group:
tag: group
value: context
data_security:
name: data_security
annotations:
group:
tag: group
value: context
recommended: true
database:
name: database
annotations:
group:
tag: group
value: primary
description: 'Describes the database where classified or sensitive data is stored
in, or was
accessed from. Databases are typically datastore services that contain an
organized collection of structured and/or semi-structured data.'
recommended: true
databucket:
name: databucket
annotations:
group:
tag: group
value: primary
description: 'Describes the databucket where classified or sensitive data is stored
in, or
was accessed from. The data bucket object is a basic container that holds data,
typically organized through the use of data partitions.'
recommended: true
device:
name: device
annotations:
group:
tag: group
value: context
description: 'Describes the device where classified or sensitive data is stored
in, or was
accessed from.'
recommended: true
dst_endpoint:
name: dst_endpoint
annotations:
group:
tag: group
value: context
description: 'Describes the endpoint where classified or sensitive data is stored
in, or was
accessed from.'
recommended: true
file:
name: file
annotations:
group:
tag: group
value: primary
description: Describes a file that contains classified or sensitive data.
recommended: true
impact:
name: impact
annotations:
group:
tag: group
value: context
impact_id:
name: impact_id
annotations:
group:
tag: group
value: context
impact_score:
name: impact_score
annotations:
group:
tag: group
value: context
is_alert:
name: is_alert
annotations:
group:
tag: group
value: primary
description: 'Indicates that the event is considered to be an alertable signal.
For example,
an <code>activity_id</code> of ''Create'' could constitute an alertable signal
and the value would be <code>true</code>, while ''Close'' likely would not and
either omit the attribute or set its value to <code>false</code>. Note that
other events with the <code>security_control</code> profile may also be deemed
alertable signals and may also carry <code>is_alert = true</code> attributes.'
recommended: true
resources:
name: resources
annotations:
group:
tag: group
value: primary
description: 'Describes details about additional resources, where classified or
sensitive
data is stored in, or was accessed from. <p> You can populate this object, if
the specific resource type objects available in the class (<code>database,
databucket, table, file</code>) aren''t sufficient; OR <br> You can also choose
to duplicate <code>uid, name</code> of the specific resources objects, for a
consistent access to resource uids across all findings.'
recommended: true
risk_details:
name: risk_details
annotations:
group:
tag: group
value: context
risk_level:
name: risk_level
annotations:
group:
tag: group
value: context
risk_level_id:
name: risk_level_id
annotations:
group:
tag: group
value: context
risk_score:
name: risk_score
annotations:
group:
tag: group
value: context
src_endpoint:
name: src_endpoint
annotations:
group:
tag: group
value: context
description: 'Details about the source endpoint where classified or sensitive
data was
accessed from.'
recommended: true
table:
name: table
annotations:
group:
tag: group
value: primary
description: 'Describes the table where classified or sensitive data is stored
in, or was
accessed from. The table object represents a table within a structured
relational database, warehouse, lake, or similar.'
recommended: true
Induced
name: DataSecurityFinding
annotations:
ocsf_event_uid:
tag: ocsf_event_uid
value: 6
description: 'A Data Security Finding describes detections or alerts generated by
various
data security products such as Data Loss Prevention (DLP), Data Classification,
Secrets Management, Digital Rights Management (DRM), Data Security Posture
Management (DSPM), and similar tools. These detections or alerts can be created
using fingerprinting, statistical analysis, machine learning or other
methodologies. The finding describes the actors and endpoints who accessed or
own the sensitive data, as well as the resources which store the sensitive
data. Note: if the event producer is a security control, the
<code>security_control</code> profile should be applied and its
<code>attacks</code> information, if present, should be duplicated into the
<code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is
an incident, i.e. requires incident workflow, also apply the
<code>incident</code> profile or aggregate this finding into an <code>Incident
Finding</code>.'
in_subset:
- findings_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data Security Finding
is_a: Finding
slot_usage:
activity_id:
name: activity_id
description: The normalized identifier of the Data Security Finding activity.
range: DataSecurityFindingActivityIdEnum
required: true
activity_name:
name: activity_name
description: 'The Data Security finding activity name, as defined by the
<code>activity_id</code>.'
actor:
name: actor
annotations:
group:
tag: group
value: context
description: 'Describes details about the actor implicated in the data security
finding.
Either an actor that owns a particular digital file or information store, or
an
actor which accessed classified or sensitive data.'
recommended: true
confidence:
name: confidence
annotations:
group:
tag: group
value: context
confidence_id:
name: confidence_id
annotations:
group:
tag: group
value: context
recommended: true
confidence_score:
name: confidence_score
annotations:
group:
tag: group
value: context
data_security:
name: data_security
annotations:
group:
tag: group
value: context
recommended: true
database:
name: database
annotations:
group:
tag: group
value: primary
description: 'Describes the database where classified or sensitive data is stored
in, or was
accessed from. Databases are typically datastore services that contain an
organized collection of structured and/or semi-structured data.'
recommended: true
databucket:
name: databucket
annotations:
group:
tag: group
value: primary
description: 'Describes the databucket where classified or sensitive data is stored
in, or
was accessed from. The data bucket object is a basic container that holds data,
typically organized through the use of data partitions.'
recommended: true
device:
name: device
annotations:
group:
tag: group
value: context
description: 'Describes the device where classified or sensitive data is stored
in, or was
accessed from.'
recommended: true
dst_endpoint:
name: dst_endpoint
annotations:
group:
tag: group
value: context
description: 'Describes the endpoint where classified or sensitive data is stored
in, or was
accessed from.'
recommended: true
file:
name: file
annotations:
group:
tag: group
value: primary
description: Describes a file that contains classified or sensitive data.
recommended: true
impact:
name: impact
annotations:
group:
tag: group
value: context
impact_id:
name: impact_id
annotations:
group:
tag: group
value: context
impact_score:
name: impact_score
annotations:
group:
tag: group
value: context
is_alert:
name: is_alert
annotations:
group:
tag: group
value: primary
description: 'Indicates that the event is considered to be an alertable signal.
For example,
an <code>activity_id</code> of ''Create'' could constitute an alertable signal
and the value would be <code>true</code>, while ''Close'' likely would not and
either omit the attribute or set its value to <code>false</code>. Note that
other events with the <code>security_control</code> profile may also be deemed
alertable signals and may also carry <code>is_alert = true</code> attributes.'
recommended: true
resources:
name: resources
annotations:
group:
tag: group
value: primary
description: 'Describes details about additional resources, where classified or
sensitive
data is stored in, or was accessed from. <p> You can populate this object, if
the specific resource type objects available in the class (<code>database,
databucket, table, file</code>) aren''t sufficient; OR <br> You can also choose
to duplicate <code>uid, name</code> of the specific resources objects, for a
consistent access to resource uids across all findings.'
recommended: true
risk_details:
name: risk_details
annotations:
group:
tag: group
value: context
risk_level:
name: risk_level
annotations:
group:
tag: group
value: context
risk_level_id:
name: risk_level_id
annotations:
group:
tag: group
value: context
risk_score:
name: risk_score
annotations:
group:
tag: group
value: context
src_endpoint:
name: src_endpoint
annotations:
group:
tag: group
value: context
description: 'Details about the source endpoint where classified or sensitive
data was
accessed from.'
recommended: true
table:
name: table
annotations:
group:
tag: group
value: primary
description: 'Describes the table where classified or sensitive data is stored
in, or was
accessed from. The table object represents a table within a structured
relational database, warehouse, lake, or similar.'
recommended: true
attributes:
activity_id:
name: activity_id
annotations:
group:
tag: group
value: classification
description: The normalized identifier of the Data Security Finding activity.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Activity ID
rank: 1000
alias: activity_id
owner: DataSecurityFinding
domain_of:
- BaseEvent
- ApiActivity
- ApplicationError
- ApplicationLifecycle
- DatastoreActivity
- FileHosting
- ScanActivity
- WebResourceAccessActivity
- WebResourcesActivity
- DiscoveryEvent
- DiscoveryResult
- DataSecurityFinding
- Finding
- IncidentFinding
- SecurityFinding
- AccountChange
- Authentication
- AuthorizeSession
- EntityManagement
- GroupManagement
- UserAccess
- DhcpActivity
- DnsActivity
- EmailActivity
- EmailFileActivity
- EmailUrlActivity
- FtpActivity
- HttpActivity
- NetworkActivity
- NetworkFileActivity
- NtpActivity
- RdpActivity
- SmbActivity
- SshActivity
- TunnelActivity
- RemediationActivity
- EventLogActvity
- FileActivity
- KernelActivity
- KernelExtensionActivity
- MemoryActivity
- ModuleActivity
- PeripheralActivity
- ProcessActivity
- ScheduledJobActivity
- ScriptActivity
- AirborneBroadcastActivity
- DroneFlightsActivity
- RegistryKeyActivity
- RegistryValueActivity
- WindowsResourceActivity
- WindowsServiceActivity
range: DataSecurityFindingActivityIdEnum
required: true
activity_name:
name: activity_name
annotations:
group:
tag: group
value: classification
description: 'The Data Security finding activity name, as defined by the
<code>activity_id</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Activity
rank: 1000
alias: activity_name
owner: DataSecurityFinding
domain_of:
- BaseEvent
- DataSecurityFinding
- Finding
- IncidentFinding
range: string
actor:
name: actor
annotations:
group:
tag: group
value: context
description: 'Describes details about the actor implicated in the data security
finding.
Either an actor that owns a particular digital file or information store, or
an
actor which accessed classified or sensitive data.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Actor
rank: 1000
alias: actor
owner: DataSecurityFinding
domain_of:
- Evidences
- HostProfile
- ApiActivity
- DatastoreActivity
- FileHosting
- ConfigState
- DeviceConfigStateChange
- InventoryInfo
- OsintInventoryInfo
- SoftwareInfo
- UserInventory
- DataSecurityFinding
- IamEvent
- NetworkFileActivity
- SystemEvent
- EventLogActvity
- FileActivity
- KernelExtensionActivity
- ModuleActivity
- ProcessActivity
- ScheduledJobActivity
- RegistryKeyActivity
- RegistryValueActivity
range: Actor
recommended: true
confidence:
name: confidence
annotations:
group:
tag: group
value: context
description: 'The confidence, normalized to the caption of the confidence_id value.
In the
case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence
rank: 1000
alias: confidence
owner: DataSecurityFinding
domain_of:
- Osint
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: string
confidence_id:
name: confidence_id
annotations:
group:
tag: group
value: context
description: 'The normalized confidence refers to the accuracy of the rule that
created the
finding. A rule with a low confidence means that the finding scope is wide and
may create finding reports that may not be malicious in nature.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence ID
rank: 1000
alias: confidence_id
owner: DataSecurityFinding
domain_of:
- Osint
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: ConfidenceIdEnum
recommended: true
confidence_score:
name: confidence_score
annotations:
group:
tag: group
value: context
description: The confidence score as reported by the event source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence Score
rank: 1000
alias: confidence_score
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: integer
data_security:
name: data_security
annotations:
group:
tag: group
value: context
description: 'The Data Security object describes the characteristics, techniques
and content
of a Data Loss Prevention (DLP), Data Loss Detection (DLD), Data
Classification, or similar tools'' finding, alert, or detection mechanism(s).'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data Security
rank: 1000
alias: data_security
owner: DataSecurityFinding
domain_of:
- DataSecurityFinding
range: DataSecurity
recommended: true
database:
name: database
annotations:
group:
tag: group
value: primary
description: 'Describes the database in which classified or sensitive data is
stored, or from which it was accessed. Databases are typically datastore
services that contain an organized collection of structured and/or
semi-structured data.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Database
rank: 1000
alias: database
owner: DataSecurityFinding
domain_of:
- Evidences
- DatastoreActivity
- CloudResourcesInventoryInfo
- DataSecurityFinding
range: Database
recommended: true
databucket:
name: databucket
annotations:
group:
tag: group
value: primary
description: 'Describes the databucket in which classified or sensitive data is
stored, or from which it was accessed. The data bucket object is a basic
container that holds data, typically organized through the use of data
partitions.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Databucket
rank: 1000
alias: databucket
owner: DataSecurityFinding
domain_of:
- Evidences
- DatastoreActivity
- CloudResourcesInventoryInfo
- DataSecurityFinding
range: Databucket
recommended: true
device:
name: device
annotations:
group:
tag: group
value: context
description: 'Describes the device on which classified or sensitive data is
stored, or from which it was accessed.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Device
rank: 1000
alias: device
owner: DataSecurityFinding
domain_of:
- AuthFactor
- Evidences
- Logger
- ManagedEntity
- HostProfile
- ConfigState
- DeviceConfigStateChange
- EvidenceInfo
- InventoryInfo
- PatchState
- SoftwareInfo
- DataSecurityFinding
- Finding
- RdpActivity
- TunnelActivity
- SystemEvent
- EventLogActvity
range: Device
recommended: true
dst_endpoint:
name: dst_endpoint
annotations:
group:
tag: group
value: context
description: 'Describes the destination endpoint on which classified or sensitive
data is stored, or from which it was accessed.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Destination Endpoint
rank: 1000
alias: dst_endpoint
owner: DataSecurityFinding
domain_of:
- Evidences
- LoadBalancer
- ApiActivity
- DatastoreActivity
- FileHosting
- WebResourcesActivity
- DataSecurityFinding
- Authentication
- AuthorizeSession
- NetworkEvent
- DhcpActivity
- DnsActivity
- EmailActivity
- NetworkActivity
- NetworkFileActivity
- TunnelActivity
- EventLogActvity
- UnmannedSystemsEvent
- AirborneBroadcastActivity
range: NetworkEndpoint
recommended: true
file:
name: file
annotations:
group:
tag: group
value: primary
description: Describes a file that contains classified or sensitive data.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- File
rank: 1000
alias: file
owner: DataSecurityFinding
domain_of:
- Osint
- QueryEvidence
- Script
- AffectedCode
- Databucket
- Evidences
- Job
- KernelDriver
- Module
- Process
- FileHosting
- FileQuery
- DataSecurityFinding
- EmailFileActivity
- FtpActivity
- HttpActivity
- NetworkFileActivity
- RdpActivity
- SmbActivity
- SshActivity
- FileRemediationActivity
- EventLogActvity
- FileActivity
range: File
recommended: true
impact:
name: impact
annotations:
group:
tag: group
value: context
description: 'The impact, normalized to the caption of the impact_id value. In
the case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Impact
rank: 1000
alias: impact
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- DataSecurityFinding
- DetectionFinding
- IncidentFinding
- SecurityFinding
range: string
recommended: true
impact_id:
name: impact_id
annotations:
group:
tag: group
value: context
description: 'The normalized impact of the incident or finding. Per NIST, this
is the
magnitude of harm that can be expected to result from the consequences of
unauthorized disclosure, modification, destruction, or loss of information or
information system availability.'
notes:
- NIST SP 800-172 from FIPS 199 — https://doi.org/10.6028/NIST.FIPS.199
- NIST Computer Security Resource Center — https://doi.org/10.6028/NIST.FIPS.199
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://doi.org/10.6028/NIST.FIPS.199
- https://doi.org/10.6028/NIST.FIPS.199
aliases:
- Impact ID
rank: 1000
alias: impact_id
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- DataSecurityFinding
- DetectionFinding
- IncidentFinding
- SecurityFinding
range: ImpactIdEnum
recommended: true
impact_score:
name: impact_score
annotations:
group:
tag: group
value: context
description: The impact as an integer value of the finding, valid range 0-100.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Impact Score
rank: 1000
alias: impact_score
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- DataSecurityFinding
- DetectionFinding
- IncidentFinding
- SecurityFinding
range: integer
recommended: true
is_alert:
name: is_alert
annotations:
group:
tag: group
value: primary
description: 'Indicates that the event is considered to be an alertable signal.
For example,
an <code>activity_id</code> of ''Create'' could constitute an alertable signal
and the value would be <code>true</code>, while ''Close'' likely would not and
either omit the attribute or set its value to <code>false</code>. Note that
other events with the <code>security_control</code> profile may also be deemed
alertable signals and may also carry <code>is_alert = true</code> attributes.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Alert
rank: 1000
alias: is_alert
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
range: boolean
recommended: true
resources:
name: resources
annotations:
group:
tag: group
value: primary
description: 'Describes details about additional resources in which classified or
sensitive data is stored, or from which it was accessed. <p> Populate this
array when the specific resource-type objects available in the class
(<code>database, databucket, table, file</code>) are not sufficient; OR <br>
duplicate the <code>uid, name</code> of the specific resource objects here, so
that resource uids can be accessed consistently across all findings.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Resources Array
rank: 1000
alias: resources
owner: DataSecurityFinding
domain_of:
- Evidences
- ApiActivity
- CloudResourcesInventoryInfo
- ApplicationSecurityPostureFinding
- ComplianceFinding
- DataSecurityFinding
- DetectionFinding
- IamAnalysisFinding
- SecurityFinding
- VulnerabilityFinding
- UserAccess
range: ResourceDetails
recommended: true
multivalued: true
risk_details:
name: risk_details
annotations:
group:
tag: group
value: context
description: Describes the risk associated with the finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Details
rank: 1000
alias: risk_details
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
range: string
risk_level:
name: risk_level
annotations:
group:
tag: group
value: context
description: The risk level, normalized to the caption of the risk_level_id value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Level
rank: 1000
alias: risk_level
owner: DataSecurityFinding
domain_of:
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: string
risk_level_id:
name: risk_level_id
annotations:
group:
tag: group
value: context
description: The normalized risk level id.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Level ID
rank: 1000
alias: risk_level_id
owner: DataSecurityFinding
domain_of:
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: RiskLevelIdEnum
risk_score:
name: risk_score
annotations:
group:
tag: group
value: context
description: The risk score as reported by the event source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Score
rank: 1000
alias: risk_score
owner: DataSecurityFinding
domain_of:
- Osint
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: integer
src_endpoint:
name: src_endpoint
annotations:
group:
tag: group
value: context
description: 'Details about the source endpoint from which classified or
sensitive data was accessed.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Source Endpoint
rank: 1000
alias: src_endpoint
owner: DataSecurityFinding
domain_of:
- Evidences
- ApiActivity
- DatastoreActivity
- FileHosting
- WebResourceAccessActivity
- WebResourcesActivity
- DataSecurityFinding
- IamEvent
- NetworkEvent
- DhcpActivity
- EmailActivity
- NetworkActivity
- NetworkFileActivity
- TunnelActivity
- EventLogActvity
- UnmannedSystemsEvent
- AirborneBroadcastActivity
- DroneFlightsActivity
range: NetworkEndpoint
recommended: true
table:
name: table
annotations:
group:
tag: group
value: primary
description: 'Describes the table in which classified or sensitive data is
stored, or from which it was accessed. The table object represents a table
within a structured relational database, warehouse, lake, or similar.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Table
rank: 1000
alias: table
owner: DataSecurityFinding
domain_of:
- DatastoreActivity
- CloudResourcesInventoryInfo
- DataSecurityFinding
range: Table
recommended: true
comment:
name: comment
annotations:
group:
tag: group
value: context
description: A user provided comment about the finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Comment
rank: 1000
alias: comment
owner: DataSecurityFinding
domain_of:
- Osint
- Finding
- IncidentFinding
- EntityManagement
- DroneFlightsActivity
range: string
end_time:
name: end_time
annotations:
group:
tag: group
value: occurrence
description: The time of the most recent event included in the finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- End Time
rank: 1000
alias: end_time
owner: DataSecurityFinding
domain_of:
- Span
- Timespan
- Trace
- NetworkTraffic
- UnmannedSystemOperatingArea
- MalwareScanInfo
- BaseEvent
- ScanActivity
- Finding
- IncidentFinding
range: TimestampT
finding_info:
name: finding_info
annotations:
group:
tag: group
value: primary
description: Describes the supporting information about a generated finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Finding Information
rank: 1000
alias: finding_info
owner: DataSecurityFinding
domain_of:
- Finding
range: FindingInfo
required: true
start_time:
name: start_time
annotations:
group:
tag: group
value: occurrence
description: The time of the least recent event included in the finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Start Time
rank: 1000
alias: start_time
owner: DataSecurityFinding
domain_of:
- Span
- Timespan
- Trace
- NetworkTraffic
- UnmannedSystemOperatingArea
- MalwareScanInfo
- BaseEvent
- ScanActivity
- Finding
- IncidentFinding
range: TimestampT
status:
name: status
annotations:
group:
tag: group
value: context
description: 'The status of the Finding, set by the consumer and normalized to
the caption of the status_id value. In the case of ''Other'', it is defined by
the source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status
rank: 1000
alias: status
owner: DataSecurityFinding
domain_of:
- RelatedEvent
- Ticket
- Whois
- AdditionalRestriction
- Check
- Compliance
- DataClassification
- HttpResponse
- BaseEvent
- Finding
- IncidentFinding
- DroneFlightsActivity
range: string
recommended: true
status_id:
name: status_id
annotations:
group:
tag: group
value: context
description: The normalized status identifier of the Finding, set by the consumer.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status ID
rank: 1000
alias: status_id
owner: DataSecurityFinding
domain_of:
- Ticket
- AdditionalRestriction
- Check
- Compliance
- DataClassification
- BaseEvent
- Finding
- IncidentFinding
- RemediationActivity
- DroneFlightsActivity
range: FindingStatusIdEnum
recommended: true
vendor_attributes:
name: vendor_attributes
annotations:
group:
tag: group
value: context
description: 'The Vendor Attributes object can be used to represent values of
attributes
populated by the Vendor/Finding Provider. It can help distinguish between the
vendor-provided values and consumer-updated values, of key attributes like
<code>severity_id</code>.<br>The original finding producer should not populate
this object. It should be populated by consuming systems that support data
mutability.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Vendor Attributes
rank: 1000
alias: vendor_attributes
owner: DataSecurityFinding
domain_of:
- Finding
- IncidentFinding
range: VendorAttributes
assignee:
name: assignee
annotations:
group:
tag: group
value: context
description: The details of the user assigned to an Incident.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Assignee
rank: 1000
alias: assignee
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- IncidentFinding
range: User
assignee_group:
name: assignee_group
annotations:
group:
tag: group
value: context
description: The details of the group assigned to an Incident.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Assignee Group
rank: 1000
alias: assignee_group
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- IncidentFinding
range: Group
is_suspected_breach:
name: is_suspected_breach
annotations:
group:
tag: group
value: context
description: A determination based on analytics as to whether a potential breach
was found.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Suspected Breach
rank: 1000
alias: is_suspected_breach
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- IncidentFinding
range: boolean
priority:
name: priority
annotations:
group:
tag: group
value: context
description: 'The priority, normalized to the caption of the priority_id value.
In the case
of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Priority
rank: 1000
alias: priority
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- IncidentFinding
range: string
priority_id:
name: priority_id
annotations:
group:
tag: group
value: context
description: 'The normalized priority. Priority identifies the relative importance
of the
incident or finding. It is a measurement of urgency.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Priority ID
rank: 1000
alias: priority_id
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- IncidentFinding
range: PriorityIdEnum
recommended: true
src_url:
name: src_url
annotations:
group:
tag: group
value: primary
description: A URL link used to access the original incident.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Source URL
rank: 1000
alias: src_url
owner: DataSecurityFinding
domain_of:
- Osint
- Package
- Ticket
- Advisory
- Cvss
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Enrichment
- FindingObject
- FindingInfo
- KbArticle
- Mitigation
- SubTechnique
- Tactic
- Technique
- IncidentProfile
- IncidentFinding
range: UrlT
recommended: true
ticket:
name: ticket
annotations:
group:
tag: group
value: context
description: The linked ticket in the ticketing system.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Ticket
rank: 1000
alias: ticket
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- IncidentFinding
range: Ticket
tickets:
name: tickets
annotations:
group:
tag: group
value: context
description: 'The associated ticket(s) in the ticketing system. Each ticket contains
details
like ticket ID, status, etc.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Tickets
rank: 1000
alias: tickets
owner: DataSecurityFinding
domain_of:
- IncidentProfile
- IncidentFinding
range: Ticket
multivalued: true
verdict:
name: verdict
annotations:
group:
tag: group
value: primary
description: The verdict assigned to an Incident finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Verdict
rank: 1000
alias: verdict
owner: DataSecurityFinding
domain_of:
- Evidences
- IncidentProfile
- IncidentFinding
range: string
recommended: true
verdict_id:
name: verdict_id
annotations:
group:
tag: group
value: primary
description: The normalized verdict of an Incident.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Verdict ID
rank: 1000
alias: verdict_id
owner: DataSecurityFinding
domain_of:
- Evidences
- IncidentProfile
- IncidentFinding
range: VerdictIdEnum
recommended: true
category_name:
name: category_name
annotations:
group:
tag: group
value: classification
description: The event category name, as defined by the category_uid value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Category
rank: 1000
alias: category_name
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: string
category_uid:
name: category_uid
annotations:
group:
tag: group
value: classification
description: The category unique identifier of the event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Category ID
rank: 1000
alias: category_uid
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: BaseEventCategoryUidEnum
required: true
class_name:
name: class_name
annotations:
group:
tag: group
value: classification
description: The event class name, as defined by the class_uid value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Class
rank: 1000
alias: class_name
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: string
class_uid:
name: class_uid
annotations:
group:
tag: group
value: classification
description: 'The unique identifier of a class. A class describes the attributes
available in
an event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Class ID
rank: 1000
alias: class_uid
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: BaseEventClassUidEnum
required: true
count:
name: count
annotations:
group:
tag: group
value: occurrence
description: 'The number of times that events in the same logical group occurred
during the
event <strong>Start Time</strong> to <strong>End Time</strong> period.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Count
rank: 1000
alias: count
owner: DataSecurityFinding
domain_of:
- Observation
- RelatedEvent
- Session
- DiscoveryDetails
- UnmannedSystemOperatingArea
- BaseEvent
range: integer
duration:
name: duration
annotations:
group:
tag: group
value: occurrence
description: 'The event duration or aggregate time, the amount of time the event
covers from
<code>start_time</code> to <code>end_time</code> in milliseconds.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Duration Milliseconds
rank: 1000
alias: duration
owner: DataSecurityFinding
domain_of:
- Span
- Timespan
- Trace
- FirewallRule
- BaseEvent
- ScanActivity
range: integer
enrichments:
name: enrichments
annotations:
group:
tag: group
value: context
description: 'The additional information from an external data source, which is
associated
with the event or a finding. For example add location information for the IP
address in the DNS answers:</p><code>[{"name": "answers.ip", "value":
"92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent":
"Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc":
"Yemen"}}]</code>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Enrichments
rank: 1000
alias: enrichments
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: Enrichment
multivalued: true
message:
name: message
annotations:
group:
tag: group
value: primary
description: The description of the event/finding, as defined by the source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Message
rank: 1000
alias: message
owner: DataSecurityFinding
domain_of:
- Response
- Span
- HttpResponse
- LoadBalancer
- BaseEvent
- ApplicationError
range: string
recommended: true
metadata:
name: metadata
annotations:
group:
tag: group
value: context
description: The metadata associated with the event or a finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Metadata
rank: 1000
alias: metadata
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: Metadata
required: true
observables:
name: observables
annotations:
group:
tag: group
value: primary
description: The observables associated with the event or a finding.
notes:
- 'OCSF Observables FAQ —
https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md
aliases:
- Observables
rank: 1000
alias: observables
owner: DataSecurityFinding
domain_of:
- RelatedEvent
- BaseEvent
range: Observable
recommended: true
multivalued: true
raw_data:
name: raw_data
annotations:
group:
tag: group
value: context
description: 'The raw event/finding data as received from the source. Note that
for a data security finding this may include the matched sensitive content
itself; handle and retain it accordingly.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data
rank: 1000
alias: raw_data
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: string
raw_data_hash:
name: raw_data_hash
annotations:
group:
tag: group
value: context
description: The hash (fingerprint) of the content of the raw_data field.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data Hash
rank: 1000
alias: raw_data_hash
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: Fingerprint
raw_data_size:
name: raw_data_size
annotations:
group:
tag: group
value: context
description: The size of the raw data which was transformed into an OCSF event,
in bytes.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data Size
rank: 1000
alias: raw_data_size
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: integer
severity:
name: severity
annotations:
group:
tag: group
value: classification
description: 'The event/finding severity, normalized to the caption of the
<code>severity_id</code> value. In the case of ''Other'', it is defined by the
source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity
rank: 1000
alias: severity
owner: DataSecurityFinding
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Vulnerability
- Check
- Cvss
- KbArticle
- Malware
- BaseEvent
range: string
severity_id:
name: severity_id
annotations:
group:
tag: group
value: classification
description: '<p>The normalized identifier of the event/finding severity.</p>The
normalized severity is a measurement of the effort and expense required to
manage and resolve an event or incident. Smaller numerical values represent
lower impact events, and larger numerical values represent higher impact
events.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity ID
rank: 1000
alias: severity_id
owner: DataSecurityFinding
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Check
- Malware
- BaseEvent
range: SeverityIdEnum
required: true
status_code:
name: status_code
annotations:
group:
tag: group
value: primary
description: 'The event status code, as reported by the event source.<br /><br
/>For example,
in a Windows Failed Authentication event, this would be the value of ''Failure
Code'', e.g. 0x18.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status Code
rank: 1000
alias: status_code
owner: DataSecurityFinding
domain_of:
- Span
- Compliance
- BaseEvent
- EventLogActvity
range: string
recommended: true
status_detail:
name: status_detail
annotations:
group:
tag: group
value: primary
description: 'The status detail contains additional information about the event/finding
outcome.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status Detail
rank: 1000
alias: status_detail
owner: DataSecurityFinding
domain_of:
- Compliance
- LoadBalancer
- BaseEvent
- Authentication
- EventLogActvity
range: string
recommended: true
time:
name: time
annotations:
group:
tag: group
value: occurrence
description: The normalized event occurrence time or the finding creation time.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Event Time
rank: 1000
alias: time
owner: DataSecurityFinding
domain_of:
- TransformationInfo
- BaseEvent
range: TimestampT
required: true
timezone_offset:
name: timezone_offset
annotations:
group:
tag: group
value: occurrence
description: 'The number of minutes that the reported event <code>time</code>
is ahead or
behind UTC, in the range -1,080 to +1,080.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Timezone Offset
rank: 1000
alias: timezone_offset
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: integer
recommended: true
type_name:
name: type_name
annotations:
group:
tag: group
value: classification
description: The event/finding type name, as defined by the type_uid.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type Name
rank: 1000
alias: type_name
owner: DataSecurityFinding
domain_of:
- RelatedEvent
- BaseEvent
range: string
type_uid:
name: type_uid
annotations:
group:
tag: group
value: classification
description: 'The event/finding type ID. It identifies the event''s semantics
and structure.
The value is calculated by the logging system as: <code>class_uid * 100 +
activity_id</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type ID
rank: 1000
alias: type_uid
owner: DataSecurityFinding
domain_of:
- Observable
- RelatedEvent
- BaseEvent
range: integer
required: true
unmapped:
name: unmapped
annotations:
group:
tag: group
value: context
description: 'The attributes that are not mapped to the event schema. The names
and values of
those attributes are specific to the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unmapped Data
rank: 1000
alias: unmapped
owner: DataSecurityFinding
domain_of:
- BaseEvent
range: Object
api:
name: api
annotations:
group:
tag: group
value: context
description: Describes details about a typical API (Application Programming Interface)
call.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- API Details
rank: 1000
alias: api
owner: DataSecurityFinding
domain_of:
- Evidences
- CloudProfile
- ApiActivity
range: Api
cloud:
name: cloud
annotations:
group:
tag: group
value: primary
description: 'Describes details about the Cloud environment where the event or
finding was
created.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Cloud
rank: 1000
alias: cloud
owner: DataSecurityFinding
domain_of:
- CloudProfile
- CloudResourcesInventoryInfo
range: Cloud
required: true
osint:
name: osint
annotations:
group:
tag: group
value: primary
description: 'The OSINT (Open Source Intelligence) object contains details related
to an
indicator such as the indicator itself, related indicators, geolocation,
registrar information, subdomains, analyst commentary, and other contextual
information. This information can be used to further enrich a detection or
finding by providing decisioning support to other analysts and engineers.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- OSINT
rank: 1000
alias: osint
owner: DataSecurityFinding
domain_of:
- OsintProfile
- OsintInventoryInfo
range: Osint
required: true
multivalued: true
action:
name: action
description: The normalized caption of <code>action_id</code>.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Action
rank: 1000
alias: action
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
range: string
action_id:
name: action_id
annotations:
sibling:
tag: sibling
value: action
description: 'The action taken by a control or other policy-based system leading
to an
outcome or disposition. An unknown action may still correspond to a known
disposition. Refer to <code>disposition_id</code> for the outcome of the
action.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Action ID
rank: 1000
alias: action_id
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
range: ActionIdEnum
recommended: true
attacks:
name: attacks
description: 'An array of MITRE ATT&CK® objects describing identified tactics,
techniques &
sub-techniques. The objects are compatible with MITRE ATLAS™ tactics,
techniques & sub-techniques.'
notes:
- MITRE ATT&CK® — https://attack.mitre.org
- MITRE ATLAS — https://atlas.mitre.org/matrices/ATLAS
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://attack.mitre.org
- https://atlas.mitre.org/matrices/ATLAS
aliases:
- MITRE ATT&CK® and ATLAS™ Details
rank: 1000
alias: attacks
owner: DataSecurityFinding
domain_of:
- Osint
- RelatedEvent
- FindingInfo
- SecurityControlProfile
- IncidentFinding
- SecurityFinding
range: Attack
multivalued: true
authorizations:
name: authorizations
description: 'Provides details about an authorization, such as authorization outcome,
and any
associated policies related to the activity/event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Authorization Information
rank: 1000
alias: authorizations
owner: DataSecurityFinding
domain_of:
- Actor
- SecurityControlProfile
range: Authorization
multivalued: true
disposition:
name: disposition
description: 'The disposition name, normalized to the caption of the disposition_id
value. In
the case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Disposition
rank: 1000
alias: disposition
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
range: string
disposition_id:
name: disposition_id
annotations:
sibling:
tag: sibling
value: disposition
description: 'Describes the outcome or action taken by a security control, such
as access
control checks, malware detections or various types of policy violations.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Disposition ID
rank: 1000
alias: disposition_id
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
range: DispositionIdEnum
recommended: true
firewall_rule:
name: firewall_rule
description: 'The firewall rule that pertains to the control that triggered the
event, if
applicable.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Firewall Rule
rank: 1000
alias: firewall_rule
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
range: FirewallRule
malware:
name: malware
description: A list of Malware objects, describing details about the identified
malware.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware
rank: 1000
alias: malware
owner: DataSecurityFinding
domain_of:
- Osint
- SecurityControlProfile
- DetectionFinding
- SecurityFinding
range: Malware
multivalued: true
malware_scan_info:
name: malware_scan_info
description: 'Describes details about the scan job that identified malware on
the target
system.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware Scan Info
rank: 1000
alias: malware_scan_info
owner: DataSecurityFinding
domain_of:
- SecurityControlProfile
- DetectionFinding
range: MalwareScanInfo
policy:
name: policy
description: 'The policy that pertains to the control that triggered the event,
if
applicable. For example the name of an anti-malware policy or an access control
policy.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Policy
rank: 1000
alias: policy
owner: DataSecurityFinding
domain_of:
- PermissionAnalysisResult
- AdditionalRestriction
- Assessment
- Authorization
- DataClassification
- DataSecurity
- ManagedEntity
- SecurityControlProfile
- ScanActivity
- AccountChange
range: Policy