Class: FindingInfo
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
URI: ocsf:FindingInfo
```mermaid
classDiagram
class FindingInfo
click FindingInfo href "../FindingInfo/"
Object <|-- FindingInfo
click Object href "../Object/"
FindingInfo : analytic
FindingInfo --> "0..1 _recommended_" Analytic : analytic
click Analytic href "../Analytic/"
FindingInfo : attack_graph
FindingInfo --> "0..1" Graph : attack_graph
click Graph href "../Graph/"
FindingInfo : attacks
FindingInfo --> "*" Attack : attacks
click Attack href "../Attack/"
FindingInfo : created_time
FindingInfo : data_sources
FindingInfo : desc
FindingInfo : first_seen_time
FindingInfo : kill_chain
FindingInfo --> "*" KillChainPhase : kill_chain
click KillChainPhase href "../KillChainPhase/"
FindingInfo : last_seen_time
FindingInfo : modified_time
FindingInfo : product
FindingInfo --> "0..1" Product : product
click Product href "../Product/"
FindingInfo : product_uid
FindingInfo : related_analytics
FindingInfo --> "*" Analytic : related_analytics
click Analytic href "../Analytic/"
FindingInfo : related_events
FindingInfo --> "*" RelatedEvent : related_events
click RelatedEvent href "../RelatedEvent/"
FindingInfo : related_events_count
FindingInfo : src_url
FindingInfo : tags
FindingInfo --> "*" KeyValueObject : tags
click KeyValueObject href "../KeyValueObject/"
FindingInfo : title
FindingInfo : traits
FindingInfo --> "*" Trait : traits
click Trait href "../Trait/"
FindingInfo : types
FindingInfo : uid
FindingInfo : uid_alt
```
Inheritance
- OcsfObject
  - Object
    - FindingInfo
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| analytic | 0..1 recommended Analytic | The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion | direct |
| attack_graph | 0..1 Graph | An Attack Graph describes possible routes an attacker could take through an environment. It describes relationships between resources and their findings, such as malware detections, vulnerabilities, misconfigurations, and other security actions | direct |
| attacks | * Attack | The [MITRE ATT&CK®](https://attack.mitre.org) technique and associated tactics related to the finding | direct |
| created_time | 0..1 TimestampT | The time when the finding was created | direct |
| data_sources | * String | A list of data sources utilized in generation of the finding | direct |
| desc | 0..1 String | The description of the reported finding | direct |
| first_seen_time | 0..1 TimestampT | The time when the finding was first observed; it can differ from `created_time`, which reflects the time this finding was created | direct |
| kill_chain | * KillChainPhase | The [Cyber Kill Chain®](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) provides a detailed description of each phase and its associated activities within the broader context of a cyber attack | direct |
| last_seen_time | 0..1 TimestampT | The time when the finding was most recently observed; it can differ from `modified_time`, which reflects the time this finding was last modified | direct |
| modified_time | 0..1 TimestampT | The time when the finding was last modified | direct |
| product | 0..1 Product | Details about the product that reported the finding | direct |
| product_uid | 0..1 String | The unique identifier of the product that reported the finding (deprecated since 1.4.0; use the `uid` attribute of the `product` object instead) | direct |
| related_analytics | * Analytic | Other analytics related to this finding | direct |
| related_events | * RelatedEvent | Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF | direct |
| related_events_count | 0..1 Integer | Number of related events or findings | direct |
| src_url | 0..1 UrlT | The URL pointing to the source of the finding | direct |
| tags | * KeyValueObject | The list of tags; `{key:value}` pairs associated with the finding | direct |
| title | 0..1 recommended String | A title or a brief phrase summarizing the reported finding | direct |
| traits | * Trait | The list of key traits or characteristics extracted from the finding | direct |
| types | * String | One or more types of the reported finding | direct |
| uid | 1 String | The unique identifier of the reported finding | direct |
| uid_alt | 0..1 String | The alternative unique identifier of the reported finding | direct |
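To make the cardinalities and ranges in this table concrete, here is an added Python validator (my own example, not OCSF or LinkML project code) that checks a FindingInfo object as it would arrive in a JSON event: it enforces the required `uid`, reports missing recommended slots, type-checks every slot against its range, flags the deprecated `product_uid`, and adds two consistency checks of my own that the schema does not state (timestamp ordering, and `related_events_count` covering the embedded list). It assumes TimestampT values are integer epoch timestamps and that object-ranged slots arrive as JSON objects.

```python
from dataclasses import dataclass, field

# Slot groups transcribed from the Slots table on this page (22 slots in total).
REQUIRED = {"uid"}
RECOMMENDED = {"analytic", "title"}
STR = {"desc", "product_uid", "src_url", "title", "uid", "uid_alt"}
INT = {"related_events_count"}
TIME = {"created_time", "first_seen_time", "last_seen_time", "modified_time"}  # TimestampT, assumed int
OBJ = {"analytic", "attack_graph", "product"}
LIST_STR = {"data_sources", "types"}
LIST_OBJ = {"attacks", "kill_chain", "related_analytics", "related_events", "tags", "traits"}
ALL_SLOTS = STR | INT | TIME | OBJ | LIST_STR | LIST_OBJ
DEPRECATED = {"product_uid": "deprecated since 1.4.0, use product.uid instead"}  # from the LinkML source


@dataclass
class Report:
    errors: list = field(default_factory=list)    # violations of the schema
    warnings: list = field(default_factory=list)  # advisory issues


def _is_int(v) -> bool:  # bool is an int subclass in Python, so exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool)


def validate_finding_info(obj: dict) -> Report:
    rep = Report()
    for name in sorted(REQUIRED - obj.keys()):
        rep.errors.append(f"{name}: required slot missing")
    for name in sorted(RECOMMENDED - obj.keys()):
        rep.warnings.append(f"{name}: recommended slot missing")
    for name in sorted(obj.keys() - ALL_SLOTS):
        rep.warnings.append(f"{name}: not a FindingInfo slot")
    for name, v in obj.items():
        if name in STR and not isinstance(v, str):
            rep.errors.append(f"{name}: expected string")
        elif name in INT | TIME and not _is_int(v):
            rep.errors.append(f"{name}: expected integer")
        elif name in OBJ and not isinstance(v, dict):
            rep.errors.append(f"{name}: expected object")
        elif name in LIST_STR and not (isinstance(v, list) and all(isinstance(x, str) for x in v)):
            rep.errors.append(f"{name}: expected list of strings")
        elif name in LIST_OBJ and not (isinstance(v, list) and all(isinstance(x, dict) for x in v)):
            rep.errors.append(f"{name}: expected list of objects")
        if name in DEPRECATED:
            rep.warnings.append(f"{name}: {DEPRECATED[name]}")
    # Added consistency checks not stated by the schema: first/last seen and
    # created/modified must be ordered, and the count must cover the embedded list.
    for lo, hi in (("first_seen_time", "last_seen_time"), ("created_time", "modified_time")):
        if _is_int(obj.get(lo)) and _is_int(obj.get(hi)) and obj[lo] > obj[hi]:
            rep.errors.append(f"{lo} is later than {hi}")
    ev, n = obj.get("related_events"), obj.get("related_events_count")
    if isinstance(ev, list) and _is_int(n) and n < len(ev):
        rep.warnings.append("related_events_count is smaller than len(related_events)")
    return rep


# Constructed samples (not real findings): one well-formed, one malformed.
GOOD = {"uid": "f-001", "title": "Suspicious process", "analytic": {"type": "Rule"},
        "created_time": 1700000000000, "modified_time": 1700000001000, "types": ["Detection"]}
BAD = {"product_uid": "edr-1", "first_seen_time": 1700000002000,
       "last_seen_time": 1700000001000, "types": "Detection", "foo": 1}
```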
Usages
| used by | used in | type | used |
|---|---|---|---|
| ApplicationSecurityPostureFinding | finding_info | range | FindingInfo |
| ComplianceFinding | finding_info | range | FindingInfo |
| DataSecurityFinding | finding_info | range | FindingInfo |
| DetectionFinding | finding_info | range | FindingInfo |
| Finding | finding_info | range | FindingInfo |
| IamAnalysisFinding | finding_info | range | FindingInfo |
| IncidentFinding | finding_info_list | range | FindingInfo |
| VulnerabilityFinding | finding_info | range | FindingInfo |
In Subsets
- objects_subset
Aliases
- Finding Information
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:FindingInfo |
| native | ocsf:FindingInfo |
LinkML Source
Direct
```yaml
name: FindingInfo
description: 'The Finding Information object describes metadata related to a security
  finding generated by a security tool or system.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Finding Information
is_a: Object
slots:
- analytic
- attack_graph
- attacks
- created_time
- data_sources
- desc
- first_seen_time
- kill_chain
- last_seen_time
- modified_time
- product
- product_uid
- related_analytics
- related_events
- related_events_count
- src_url
- tags
- title
- traits
- types
- uid
- uid_alt
slot_usage:
  analytic:
    name: analytic
    recommended: true
  attack_graph:
    name: attack_graph
    annotations:
      group:
        tag: group
        value: context
  attacks:
    name: attacks
    description: 'The <a target=''_blank'' href=''https://attack.mitre.org''>MITRE
      ATT&CK®</a> technique and associated tactics related to the finding.'
  created_time:
    name: created_time
    description: The time when the finding was created.
  desc:
    name: desc
    description: The description of the reported finding.
  first_seen_time:
    name: first_seen_time
    description: 'The time when the finding was first observed. e.g. The time when
      a vulnerability was first observed. <p>It can differ from the
      <code>created_time</code> timestamp, which reflects the time this finding was
      created.</p>'
  last_seen_time:
    name: last_seen_time
    description: 'The time when the finding was most recently observed. e.g. The time
      when a vulnerability was most recently observed. <p>It can differ from the
      <code>modified_time</code> timestamp, which reflects the time this finding was
      last modified.</p>'
  modified_time:
    name: modified_time
    description: The time when the finding was last modified.
  product:
    name: product
    description: Details about the product that reported the finding.
  product_uid:
    name: product_uid
    description: The unique identifier of the product that reported the finding.
  related_analytics:
    name: related_analytics
    description: Other analytics related to this finding.
  src_url:
    name: src_url
    description: The URL pointing to the source of the finding.
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated with
      the finding.
  title:
    name: title
    description: A title or a brief phrase summarizing the reported finding.
    recommended: true
  traits:
    name: traits
    description: The list of key traits or characteristics extracted from the finding.
  types:
    name: types
    description: One or more types of the reported finding.
  uid:
    name: uid
    description: The unique identifier of the reported finding.
    required: true
  uid_alt:
    name: uid_alt
    description: The alternative unique identifier of the reported finding.
```
Induced
```yaml
name: FindingInfo
description: 'The Finding Information object describes metadata related to a security
  finding generated by a security tool or system.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Finding Information
is_a: Object
slot_usage:
  analytic:
    name: analytic
    recommended: true
  attack_graph:
    name: attack_graph
    annotations:
      group:
        tag: group
        value: context
  attacks:
    name: attacks
    description: 'The <a target=''_blank'' href=''https://attack.mitre.org''>MITRE
      ATT&CK®</a> technique and associated tactics related to the finding.'
  created_time:
    name: created_time
    description: The time when the finding was created.
  desc:
    name: desc
    description: The description of the reported finding.
  first_seen_time:
    name: first_seen_time
    description: 'The time when the finding was first observed. e.g. The time when
      a vulnerability was first observed. <p>It can differ from the
      <code>created_time</code> timestamp, which reflects the time this finding was
      created.</p>'
  last_seen_time:
    name: last_seen_time
    description: 'The time when the finding was most recently observed. e.g. The time
      when a vulnerability was most recently observed. <p>It can differ from the
      <code>modified_time</code> timestamp, which reflects the time this finding was
      last modified.</p>'
  modified_time:
    name: modified_time
    description: The time when the finding was last modified.
  product:
    name: product
    description: Details about the product that reported the finding.
  product_uid:
    name: product_uid
    description: The unique identifier of the product that reported the finding.
  related_analytics:
    name: related_analytics
    description: Other analytics related to this finding.
  src_url:
    name: src_url
    description: The URL pointing to the source of the finding.
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated with
      the finding.
  title:
    name: title
    description: A title or a brief phrase summarizing the reported finding.
    recommended: true
  traits:
    name: traits
    description: The list of key traits or characteristics extracted from the finding.
  types:
    name: types
    description: One or more types of the reported finding.
  uid:
    name: uid
    description: The unique identifier of the reported finding.
    required: true
  uid_alt:
    name: uid_alt
    description: The alternative unique identifier of the reported finding.
attributes:
  analytic:
    name: analytic
    description: 'The analytic technique used to analyze and derive insights from
      the data or information that led to the finding or conclusion.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Analytic
    rank: 1000
    alias: analytic
    owner: FindingInfo
    domain_of:
    - FindingInfo
    - SecurityFinding
    range: Analytic
    recommended: true
  attack_graph:
    name: attack_graph
    annotations:
      group:
        tag: group
        value: context
    description: 'An Attack Graph describes possible routes an attacker could take
      through an environment. It describes relationships between resources and their
      findings, such as malware detections, vulnerabilities, misconfigurations, and
      other security actions.'
    notes:
    - 'MS Defender description of Attack Path —
      https://learn.microsoft.com/en-us/azure/defender-for-cloud/how-to-manage-attack-path'
    - 'SentinelOne Attack Path documentation —
      https://www.sentinelone.com/cybersecurity-101/cybersecurity/attack-path-analysis/'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/how-to-manage-attack-path
    - https://www.sentinelone.com/cybersecurity-101/cybersecurity/attack-path-analysis/
    aliases:
    - Attack Graph
    rank: 1000
    alias: attack_graph
    owner: FindingInfo
    domain_of:
    - FindingInfo
    range: Graph
  attacks:
    name: attacks
    description: 'The <a target=''_blank'' href=''https://attack.mitre.org''>MITRE
      ATT&CK®</a> technique and associated tactics related to the finding.'
    notes:
    - MITRE ATT&CK® — https://attack.mitre.org
    - MITRE ATLAS — https://atlas.mitre.org/matrices/ATLAS
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://attack.mitre.org
    - https://atlas.mitre.org/matrices/ATLAS
    aliases:
    - MITRE ATT&CK® and ATLAS™ Details
    rank: 1000
    alias: attacks
    owner: FindingInfo
    domain_of:
    - Osint
    - RelatedEvent
    - FindingInfo
    - SecurityControlProfile
    - IncidentFinding
    - SecurityFinding
    range: Attack
    multivalued: true
  created_time:
    name: created_time
    description: The time when the finding was created.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Created Time
    rank: 1000
    alias: created_time
    owner: FindingInfo
    domain_of:
    - Osint
    - RelatedEvent
    - Sbom
    - Scim
    - Session
    - Sso
    - Token
    - Whois
    - Resource
    - Advisory
    - AuthenticationToken
    - Certificate
    - Cve
    - Database
    - Databucket
    - DigitalSignature
    - Enrichment
    - Epss
    - File
    - FindingObject
    - FindingInfo
    - Job
    - KbArticle
    - LdapPerson
    - ProcessEntity
    - Table
    - Device
    range: TimestampT
  data_sources:
    name: data_sources
    description: A list of data sources utilized in generation of the finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Data Sources
    rank: 1000
    alias: data_sources
    owner: FindingInfo
    domain_of:
    - FindingInfo
    - SecurityFinding
    range: string
    multivalued: true
  desc:
    name: desc
    description: The description of the reported finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Description
    rank: 1000
    alias: desc
    owner: FindingInfo
    domain_of:
    - Osint
    - RelatedEvent
    - Remediation
    - Vulnerability
    - Advisory
    - Analytic
    - ApplicationObject
    - Assessment
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - Compliance
    - Cve
    - Database
    - Databucket
    - Enrichment
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - Job
    - Location
    - Node
    - Policy
    - Rule
    - Table
    - WebResource
    - Device
    - IncidentFinding
    range: string
  first_seen_time:
    name: first_seen_time
    description: 'The time when the finding was first observed. e.g. The time when
      a vulnerability was first observed. <p>It can differ from the
      <code>created_time</code> timestamp, which reflects the time this finding was
      created.</p>'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - First Seen
    rank: 1000
    alias: first_seen_time
    owner: FindingInfo
    domain_of:
    - RelatedEvent
    - Vulnerability
    - FindingObject
    - FindingInfo
    - IdentityActivityMetrics
    - Device
    range: TimestampT
  kill_chain:
    name: kill_chain
    description: 'The <a target=''_blank''
      href=''https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html''>Cyber
      Kill Chain®</a> provides a detailed description of each phase and its
      associated activities within the broader context of a cyber attack.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Kill Chain
    rank: 1000
    alias: kill_chain
    owner: FindingInfo
    domain_of:
    - Osint
    - RelatedEvent
    - FindingInfo
    - SecurityFinding
    range: KillChainPhase
    multivalued: true
  last_seen_time:
    name: last_seen_time
    description: 'The time when the finding was most recently observed. e.g. The time
      when a vulnerability was most recently observed. <p>It can differ from the
      <code>modified_time</code> timestamp, which reflects the time this finding was
      last modified.</p>'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Last Seen
    rank: 1000
    alias: last_seen_time
    owner: FindingInfo
    domain_of:
    - RelatedEvent
    - Vulnerability
    - Whois
    - FindingObject
    - FindingInfo
    - IdentityActivityMetrics
    - Device
    range: TimestampT
  modified_time:
    name: modified_time
    description: The time when the finding was last modified.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Modified Time
    rank: 1000
    alias: modified_time
    owner: FindingInfo
    domain_of:
    - Osint
    - RelatedEvent
    - Scim
    - Sso
    - Token
    - Resource
    - Advisory
    - Cve
    - Database
    - Databucket
    - File
    - FindingObject
    - FindingInfo
    - LdapPerson
    - Metadata
    - Table
    - Device
    - RegKey
    - RegValue
    range: TimestampT
  product:
    name: product
    description: Details about the product that reported the finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Product
    rank: 1000
    alias: product
    owner: FindingInfo
    domain_of:
    - RelatedEvent
    - Sbom
    - Advisory
    - Cve
    - File
    - FindingObject
    - FindingInfo
    - KbArticle
    - Logger
    - Metadata
    - TransformationInfo
    - SoftwareInfo
    range: Product
  product_uid:
    name: product_uid
    description: The unique identifier of the product that reported the finding.
    deprecated: 'Use the <code>uid</code> attribute in the <code>product</code> object
      instead. See specific usage. (since 1.4.0)'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Product Identifier
    rank: 1000
    alias: product_uid
    owner: FindingInfo
    domain_of:
    - RelatedEvent
    - FindingObject
    - FindingInfo
    range: string
  related_analytics:
    name: related_analytics
    description: Other analytics related to this finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Related Analytics
    rank: 1000
    alias: related_analytics
    owner: FindingInfo
    domain_of:
    - Osint
    - Analytic
    - FindingInfo
    range: Analytic
    multivalued: true
  related_events:
    name: related_events
    description: 'Describes events and/or other findings related to the finding as
      identified by the security product. Note that these events may or may not be
      in OCSF.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Related Events/Findings
    rank: 1000
    alias: related_events
    owner: FindingInfo
    domain_of:
    - FindingObject
    - FindingInfo
    range: RelatedEvent
    multivalued: true
  related_events_count:
    name: related_events_count
    description: Number of related events or findings.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Related Events/Findings Count
    rank: 1000
    alias: related_events_count
    owner: FindingInfo
    domain_of:
    - FindingInfo
    range: integer
  src_url:
    name: src_url
    description: The URL pointing to the source of the finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Source URL
    rank: 1000
    alias: src_url
    owner: FindingInfo
    domain_of:
    - Osint
    - Package
    - Ticket
    - Advisory
    - Cvss
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Enrichment
    - FindingObject
    - FindingInfo
    - KbArticle
    - Mitigation
    - SubTechnique
    - Tactic
    - Technique
    - IncidentProfile
    - IncidentFinding
    range: UrlT
  tags:
    name: tags
    description: The list of tags; <code>{key:value}</code> pairs associated with
      the finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Tags
    rank: 1000
    alias: tags
    owner: FindingInfo
    domain_of:
    - RelatedEvent
    - Resource
    - Account
    - ApplicationObject
    - Container
    - File
    - FindingInfo
    - Image
    - LdapPerson
    - Metadata
    - Service
    range: KeyValueObject
    multivalued: true
  title:
    name: title
    description: A title or a brief phrase summarizing the reported finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Title
    rank: 1000
    alias: title
    owner: FindingInfo
    domain_of:
    - RelatedEvent
    - Ticket
    - Vulnerability
    - Advisory
    - Cve
    - FindingObject
    - FindingInfo
    - KbArticle
    range: string
    recommended: true
  traits:
    name: traits
    description: The list of key traits or characteristics extracted from the finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Traits
    rank: 1000
    alias: traits
    owner: FindingInfo
    domain_of:
    - RelatedEvent
    - FindingInfo
    range: Trait
    multivalued: true
  types:
    name: types
    description: One or more types of the reported finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Types
    rank: 1000
    alias: types
    owner: FindingInfo
    domain_of:
    - FindingObject
    - FindingInfo
    range: string
    multivalued: true
  uid:
    name: uid
    description: The unique identifier of the reported finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: FindingInfo
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    required: true
  uid_alt:
    name: uid_alt
    description: The alternative unique identifier of the reported finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Alternate ID
    rank: 1000
    alias: uid_alt
    owner: FindingInfo
    domain_of:
    - Scim
    - Session
    - Resource
    - Agent
    - Aircraft
    - ApplicationObject
    - FindingInfo
    - Group
    - UnmannedAerialSystem
    - User
    - Device
    range: string
```