Class: IncidentProfile
The attributes that add incident handling semantics to a Finding.
URI: ocsf:IncidentProfile
```mermaid
classDiagram
    class IncidentProfile
    click IncidentProfile href "../IncidentProfile/"
    IncidentProfile <|-- ApplicationSecurityPostureFinding
    click ApplicationSecurityPostureFinding href "../ApplicationSecurityPostureFinding/"
    IncidentProfile <|-- Finding
    click Finding href "../Finding/"
    IncidentProfile <|-- IncidentFinding
    click IncidentFinding href "../IncidentFinding/"
    IncidentProfile : assignee
    IncidentProfile --> "0..1" User : assignee
    click User href "../User/"
    IncidentProfile : assignee_group
    IncidentProfile --> "0..1" Group : assignee_group
    click Group href "../Group/"
    IncidentProfile : impact
    IncidentProfile : impact_id
    IncidentProfile --> "0..1 _recommended_" ImpactIdEnum : impact_id
    click ImpactIdEnum href "../ImpactIdEnum/"
    IncidentProfile : impact_score
    IncidentProfile : is_suspected_breach
    IncidentProfile : priority
    IncidentProfile : priority_id
    IncidentProfile --> "0..1 _recommended_" PriorityIdEnum : priority_id
    click PriorityIdEnum href "../PriorityIdEnum/"
    IncidentProfile : src_url
    IncidentProfile : ticket
    IncidentProfile --> "0..1" Ticket : ticket
    click Ticket href "../Ticket/"
    IncidentProfile : tickets
    IncidentProfile --> "*" Ticket : tickets
    click Ticket href "../Ticket/"
    IncidentProfile : verdict
    IncidentProfile : verdict_id
    IncidentProfile --> "0..1 _recommended_" VerdictIdEnum : verdict_id
    click VerdictIdEnum href "../VerdictIdEnum/"
```
Class Properties
| Property | Value |
|---|---|
| Mixin | Yes |
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| assignee | 0..1 User | The details of the user assigned to an Incident | direct |
| assignee_group | 0..1 Group | The details of the group assigned to an Incident | direct |
| impact | 0..1 recommended String | The impact, normalized to the caption of the impact_id value | direct |
| impact_id | 0..1 recommended ImpactIdEnum | The normalized impact of the incident or finding | direct |
| impact_score | 0..1 recommended Integer | The impact as an integer value of the finding, valid range 0-100 | direct |
| is_suspected_breach | 0..1 Boolean | A determination based on analytics as to whether a potential breach was found | direct |
| priority | 0..1 String | The priority, normalized to the caption of the priority_id value | direct |
| priority_id | 0..1 recommended PriorityIdEnum | The normalized priority | direct |
| src_url | 0..1 recommended UrlT | A URL link used to access the original incident | direct |
| ticket | 0..1 Ticket | The linked ticket in the ticketing system | direct |
| tickets | * Ticket | The associated ticket(s) in the ticketing system | direct |
| verdict | 0..1 recommended String | The verdict assigned to an Incident finding | direct |
| verdict_id | 0..1 recommended VerdictIdEnum | The normalized verdict of an Incident | direct |
Mixin Usage
| mixed into | description |
|---|---|
| ApplicationSecurityPostureFinding | The Application Security Posture Finding event is a notification about any bu... |
| Finding | The Finding event is a generic event that defines a set of attributes availab... |
| IncidentFinding | An Incident Finding reports the creation, update, or closure of security |
In Subsets
Aliases
- Incident
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_profile | incident |
| group | primary |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:IncidentProfile |
| native | ocsf:IncidentProfile |
LinkML Source
Direct
```yaml
name: IncidentProfile
annotations:
  ocsf_profile:
    tag: ocsf_profile
    value: incident
  group:
    tag: group
    value: primary
description: The attributes that add incident handling semantics to a Finding.
in_subset:
- incident_profile_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Incident
mixin: true
slots:
- assignee
- assignee_group
- impact
- impact_id
- impact_score
- is_suspected_breach
- priority
- priority_id
- src_url
- ticket
- tickets
- verdict
- verdict_id
slot_usage:
  assignee:
    name: assignee
    annotations:
      group:
        tag: group
        value: context
  assignee_group:
    name: assignee_group
    annotations:
      group:
        tag: group
        value: context
  impact:
    name: impact
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
  impact_id:
    name: impact_id
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
  impact_score:
    name: impact_score
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
  is_suspected_breach:
    name: is_suspected_breach
    annotations:
      group:
        tag: group
        value: context
  priority:
    name: priority
    annotations:
      group:
        tag: group
        value: context
  priority_id:
    name: priority_id
    annotations:
      group:
        tag: group
        value: context
    recommended: true
  src_url:
    name: src_url
    annotations:
      group:
        tag: group
        value: primary
    description: A Url link used to access the original incident.
    recommended: true
  ticket:
    name: ticket
    annotations:
      group:
        tag: group
        value: context
  tickets:
    name: tickets
    annotations:
      group:
        tag: group
        value: context
  verdict:
    name: verdict
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
  verdict_id:
    name: verdict_id
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
```
Induced
```yaml
name: IncidentProfile
annotations:
  ocsf_profile:
    tag: ocsf_profile
    value: incident
  group:
    tag: group
    value: primary
description: The attributes that add incident handling semantics to a Finding.
in_subset:
- incident_profile_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Incident
mixin: true
slot_usage:
  assignee:
    name: assignee
    annotations:
      group:
        tag: group
        value: context
  assignee_group:
    name: assignee_group
    annotations:
      group:
        tag: group
        value: context
  impact:
    name: impact
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
  impact_id:
    name: impact_id
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
  impact_score:
    name: impact_score
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
  is_suspected_breach:
    name: is_suspected_breach
    annotations:
      group:
        tag: group
        value: context
  priority:
    name: priority
    annotations:
      group:
        tag: group
        value: context
  priority_id:
    name: priority_id
    annotations:
      group:
        tag: group
        value: context
    recommended: true
  src_url:
    name: src_url
    annotations:
      group:
        tag: group
        value: primary
    description: A Url link used to access the original incident.
    recommended: true
  ticket:
    name: ticket
    annotations:
      group:
        tag: group
        value: context
  tickets:
    name: tickets
    annotations:
      group:
        tag: group
        value: context
  verdict:
    name: verdict
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
  verdict_id:
    name: verdict_id
    annotations:
      group:
        tag: group
        value: primary
    recommended: true
attributes:
  assignee:
    name: assignee
    annotations:
      group:
        tag: group
        value: context
    description: The details of the user assigned to an Incident.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Assignee
    rank: 1000
    alias: assignee
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - IncidentFinding
    range: User
  assignee_group:
    name: assignee_group
    annotations:
      group:
        tag: group
        value: context
    description: The details of the group assigned to an Incident.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Assignee Group
    rank: 1000
    alias: assignee_group
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - IncidentFinding
    range: Group
  impact:
    name: impact
    annotations:
      group:
        tag: group
        value: primary
    description: 'The impact , normalized to the caption of the impact_id value. In
      the case of
      ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Impact
    rank: 1000
    alias: impact
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - DataSecurityFinding
    - DetectionFinding
    - IncidentFinding
    - SecurityFinding
    range: string
    recommended: true
  impact_id:
    name: impact_id
    annotations:
      group:
        tag: group
        value: primary
    description: 'The normalized impact of the incident or finding. Per NIST, this
      is the
      magnitude of harm that can be expected to result from the consequences of
      unauthorized disclosure, modification, destruction, or loss of information or
      information system availability.'
    notes:
    - NIST SP 800-172 from FIPS 199 — https://doi.org/10.6028/NIST.FIPS.199
    - NIST Computer Security Resource Center — https://doi.org/10.6028/NIST.FIPS.199
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://doi.org/10.6028/NIST.FIPS.199
    - https://doi.org/10.6028/NIST.FIPS.199
    aliases:
    - Impact ID
    rank: 1000
    alias: impact_id
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - DataSecurityFinding
    - DetectionFinding
    - IncidentFinding
    - SecurityFinding
    range: ImpactIdEnum
    recommended: true
  impact_score:
    name: impact_score
    annotations:
      group:
        tag: group
        value: primary
    description: The impact as an integer value of the finding, valid range 0-100.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Impact Score
    rank: 1000
    alias: impact_score
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - DataSecurityFinding
    - DetectionFinding
    - IncidentFinding
    - SecurityFinding
    range: integer
    recommended: true
  is_suspected_breach:
    name: is_suspected_breach
    annotations:
      group:
        tag: group
        value: context
    description: A determination based on analytics as to whether a potential breach
      was found.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Suspected Breach
    rank: 1000
    alias: is_suspected_breach
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - IncidentFinding
    range: boolean
  priority:
    name: priority
    annotations:
      group:
        tag: group
        value: context
    description: 'The priority, normalized to the caption of the priority_id value.
      In the case
      of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Priority
    rank: 1000
    alias: priority
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - IncidentFinding
    range: string
  priority_id:
    name: priority_id
    annotations:
      group:
        tag: group
        value: context
    description: 'The normalized priority. Priority identifies the relative importance
      of the
      incident or finding. It is a measurement of urgency.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Priority ID
    rank: 1000
    alias: priority_id
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - IncidentFinding
    range: PriorityIdEnum
    recommended: true
  src_url:
    name: src_url
    annotations:
      group:
        tag: group
        value: primary
    description: A Url link used to access the original incident.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Source URL
    rank: 1000
    alias: src_url
    owner: IncidentProfile
    domain_of:
    - Osint
    - Package
    - Ticket
    - Advisory
    - Cvss
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Enrichment
    - FindingObject
    - FindingInfo
    - KbArticle
    - Mitigation
    - SubTechnique
    - Tactic
    - Technique
    - IncidentProfile
    - IncidentFinding
    range: UrlT
    recommended: true
  ticket:
    name: ticket
    annotations:
      group:
        tag: group
        value: context
    description: The linked ticket in the ticketing system.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Ticket
    rank: 1000
    alias: ticket
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - IncidentFinding
    range: Ticket
  tickets:
    name: tickets
    annotations:
      group:
        tag: group
        value: context
    description: 'The associated ticket(s) in the ticketing system. Each ticket contains
      details
      like ticket ID, status, etc.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Tickets
    rank: 1000
    alias: tickets
    owner: IncidentProfile
    domain_of:
    - IncidentProfile
    - IncidentFinding
    range: Ticket
    multivalued: true
  verdict:
    name: verdict
    annotations:
      group:
        tag: group
        value: primary
    description: The verdict assigned to an Incident finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Verdict
    rank: 1000
    alias: verdict
    owner: IncidentProfile
    domain_of:
    - Evidences
    - IncidentProfile
    - IncidentFinding
    range: string
    recommended: true
  verdict_id:
    name: verdict_id
    annotations:
      group:
        tag: group
        value: primary
    description: The normalized verdict of an Incident.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Verdict ID
    rank: 1000
    alias: verdict_id
    owner: IncidentProfile
    domain_of:
    - Evidences
    - IncidentProfile
    - IncidentFinding
    range: VerdictIdEnum
    recommended: true
```