Class: Metadata
The Metadata object describes the metadata associated with the event.
URI: ocsf:Metadata
```mermaid
classDiagram
    class Metadata
    click Metadata href "../Metadata/"
    DataClassificationProfile <|-- Metadata
    click DataClassificationProfile href "../DataClassificationProfile/"
    Object <|-- Metadata
    click Object href "../Object/"
    Metadata : correlation_uid
    Metadata : data_classification
    Metadata --> "0..1 _recommended_" DataClassification : data_classification
    click DataClassification href "../DataClassification/"
    Metadata : data_classifications
    Metadata --> "* _recommended_" DataClassification : data_classifications
    click DataClassification href "../DataClassification/"
    Metadata : debug
    Metadata : event_code
    Metadata : extension
    Metadata --> "0..1" Extension : extension
    click Extension href "../Extension/"
    Metadata : extensions
    Metadata --> "*" Extension : extensions
    click Extension href "../Extension/"
    Metadata : is_truncated
    Metadata : labels
    Metadata : log_format
    Metadata : log_level
    Metadata : log_name
    Metadata : log_provider
    Metadata : log_source
    Metadata : log_version
    Metadata : logged_time
    Metadata : loggers
    Metadata --> "*" Logger : loggers
    click Logger href "../Logger/"
    Metadata : modified_time
    Metadata : original_event_uid
    Metadata : original_time
    Metadata : processed_time
    Metadata : product
    Metadata --> "1" Product : product
    click Product href "../Product/"
    Metadata : profiles
    Metadata : reporter
    Metadata --> "0..1 _recommended_" Reporter : reporter
    click Reporter href "../Reporter/"
    Metadata : sequence
    Metadata : source
    Metadata : tags
    Metadata --> "*" KeyValueObject : tags
    click KeyValueObject href "../KeyValueObject/"
    Metadata : tenant_uid
    Metadata : total_queued_duration
    Metadata --> "0..1" Timespan : total_queued_duration
    click Timespan href "../Timespan/"
    Metadata : transformation_info_list
    Metadata --> "*" TransformationInfo : transformation_info_list
    click TransformationInfo href "../TransformationInfo/"
    Metadata : transmit_time
    Metadata : type
    Metadata : uid
    Metadata : untruncated_size
    Metadata : version
```
Inheritance
- OcsfObject
- Object
- Metadata [ DataClassificationProfile]
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| correlation_uid | 0..1 String | A unique identifier used to correlate this OCSF event with other related OCSF events, distinct from the event's `uid` value | direct |
| debug | * String | Debug information about non-fatal issues with this OCSF event | direct |
| event_code | 0..1 String | The identifier of the original event | direct |
| extension | 0..1 Extension | The schema extension used to create the event | direct |
| extensions | * Extension | The schema extensions used to create the event | direct |
| is_truncated | 0..1 Boolean | Indicates whether the OCSF event data has been truncated due to size limitations | direct |
| labels | * String | The list of labels attached to the event | direct |
| log_format | 0..1 String | The format of data in the log where the data originated | direct |
| log_level | 0..1 String | The level at which an event was logged | direct |
| log_name | 0..1 recommended String | The event log name, typically for the consumer of the event | direct |
| log_provider | 0..1 String | The logging provider or logging service that logged the event | direct |
| log_source | 0..1 String | The log system or component where the data originated | direct |
| log_version | 0..1 String | The event log schema version of the original event | direct |
| logged_time | 0..1 TimestampT | The time when the logging system collected and logged the event | direct |
| loggers | * Logger | An array of Logger objects that describe the pipeline of devices and logging products between the event source and its eventual destination | direct |
| modified_time | 0..1 TimestampT | The time when the event was last modified or enriched | direct |
| original_event_uid | 0..1 String | The unique identifier assigned to the event in its original logging system before transformation to OCSF format | direct |
| original_time | 0..1 recommended String | The original event time as reported by the event source | direct |
| processed_time | 0..1 TimestampT | The event processed time, such as an ETL operation | direct |
| product | 1 Product | The product that reported the event | direct |
| profiles | * String | The list of profiles used to create the event | direct |
| reporter | 0..1 recommended Reporter | The entity from which the event or finding was first reported | direct |
| sequence | 0..1 Integer | Sequence number of the event | direct |
| source | 0..1 String | The source of the event or finding | direct |
| tags | * KeyValueObject | The list of tags; `{key:value}` pairs associated to the event | direct |
| tenant_uid | 0..1 recommended String | The unique tenant identifier | direct |
| total_queued_duration | 0..1 Timespan | The amount of time an event spent in a queue awaiting processing | direct |
| transformation_info_list | * TransformationInfo | An array of transformation info that describes the mappings or transforms applied to the data | direct |
| transmit_time | 0..1 TimestampT | The time when the event was transmitted from the logging device to its next destination | direct |
| type | 0..1 String | The type of the event or finding as a subset of the `source` of the event | direct |
| uid | 0..1 String | A unique identifier assigned to the OCSF event | direct |
| untruncated_size | 0..1 Integer | The original size of the OCSF event data in kilobytes before any truncation occurred | direct |
| version | 1 String | The version of the OCSF schema, using Semantic Versioning Specification (SemVer) | direct |
| data_classification | 0..1 recommended DataClassification | The Data Classification object includes information about data classification levels and data category types | DataClassificationProfile |
| data_classifications | * recommended DataClassification | A list of Data Classification objects, that include information about data classification levels and data category types, identified by a classifier | DataClassificationProfile |
Usages
In Subsets
Aliases
- Metadata
See Also
Notes
- D3FEND™ Ontology d3f:Metadata — https://d3fend.mitre.org/dao/artifact/d3f:Metadata/
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Metadata |
| native | ocsf:Metadata |
LinkML Source
Direct
name: Metadata
description: The Metadata object describes the metadata associated with the event.
notes:
- 'D3FEND™ Ontology d3f:Metadata —
https://d3fend.mitre.org/dao/artifact/d3f:Metadata/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Metadata/
aliases:
- Metadata
is_a: Object
mixins:
- DataClassificationProfile
slots:
- correlation_uid
- debug
- event_code
- extension
- extensions
- is_truncated
- labels
- log_format
- log_level
- log_name
- log_provider
- log_source
- log_version
- logged_time
- loggers
- modified_time
- original_event_uid
- original_time
- processed_time
- product
- profiles
- reporter
- sequence
- source
- tags
- tenant_uid
- total_queued_duration
- transformation_info_list
- transmit_time
- type
- uid
- untruncated_size
- version
slot_usage:
correlation_uid:
name: correlation_uid
description: 'A unique identifier used to correlate this OCSF event with other
related OCSF
events, distinct from the event''s <code>uid</code> value. This enables linking
multiple OCSF events that are part of the same activity, transaction, or
security incident across different systems or time periods.'
event_code:
name: event_code
description: 'The identifier of the original event. For example the numerical
Windows Event
Code or Cisco syslog code.'
is_truncated:
name: is_truncated
description: 'Indicates whether the OCSF event data has been truncated due to
size
limitations. When <code>true</code>, some event data may have been omitted to
fit within system constraints.'
labels:
name: labels
description: 'The list of labels attached to the event. For example: <code>["sample",
"dev"]</code>'
log_format:
name: log_format
description: 'The format of data in the log where the data originated. For example
CSV, XML,
Windows Multiline, JSON, syslog or Cisco Log Schema.'
log_level:
name: log_level
description: 'The level at which an event was logged. This can be log provider
specific. For
example the audit level.'
log_name:
name: log_name
description: 'The event log name, typically for the consumer of the event. For
example, the
storage bucket name, SIEM repository index name, etc.'
recommended: true
log_provider:
name: log_provider
description: 'The logging provider or logging service that logged the event. For
example AWS
CloudWatch or Splunk.'
log_source:
name: log_source
description: 'The log system or component where the data originated. For example,
a file
path, syslog server name or a Windows hostname and logging subsystem such as
Security.'
log_version:
name: log_version
description: 'The event log schema version of the original event. For example
the syslog
version or the Cisco Log Schema version'
modified_time:
name: modified_time
description: The time when the event was last modified or enriched.
original_event_uid:
name: original_event_uid
description: 'The unique identifier assigned to the event in its original logging
system
before transformation to OCSF format. This field preserves the source system''s
native event identifier, enabling traceability back to the raw log entry. For
example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value,
or
a database transaction log sequence number.'
original_time:
name: original_time
recommended: true
product:
name: product
required: true
reporter:
name: reporter
description: The entity from which the event or finding was first reported.
recommended: true
source:
name: source
description: 'The source of the event or finding. This can be any distinguishing
name for the
logical origin of the data — for example, ''CloudTrail Events'', or a use case
like ''Attack Simulations'' or ''Vulnerability Scans''.'
tags:
name: tags
description: The list of tags; <code>{key:value}</code> pairs associated to the
event.
tenant_uid:
name: tenant_uid
recommended: true
total_queued_duration:
name: total_queued_duration
description: 'The amount of time an event spent in a queue awaiting processing.
In this case,
the value is the difference between <code>processed_time</code> and
<code>logged_time</code>. This duration is inclusive of all queues between the
originator of the event and the intended long-term storage destination of the
event.'
transmit_time:
name: transmit_time
description: 'The time when the event was transmitted from the logging device
to its next
destination.'
type:
name: type
description: 'The type of the event or finding as a subset of the <code>source</code>
of the
event. This can be any distinguishing characteristic of the data. For example
''Management Events'' or ''Device Penetration Test''.'
uid:
name: uid
description: 'A unique identifier assigned to the OCSF event. This ID is specific
to the OCSF
event itself and is distinct from the original event identifier in the source
system (see <code>original_event_uid</code>).'
untruncated_size:
name: untruncated_size
description: 'The original size of the OCSF event data in kilobytes before any
truncation
occurred. This field is typically populated when <code>is_truncated</code> is
<code>true</code> to indicate the full size of the original event.'
version:
name: version
description: 'The version of the OCSF schema, using Semantic Versioning Specification
(<a
target=''_blank'' href=''https://semver.org''>SemVer</a>). For example:
<code>1.0.0.</code> Event consumers use the version to determine the available
event attributes.'
required: true
Induced
name: Metadata
description: The Metadata object describes the metadata associated with the event.
notes:
- 'D3FEND™ Ontology d3f:Metadata —
https://d3fend.mitre.org/dao/artifact/d3f:Metadata/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Metadata/
aliases:
- Metadata
is_a: Object
mixins:
- DataClassificationProfile
slot_usage:
correlation_uid:
name: correlation_uid
description: 'A unique identifier used to correlate this OCSF event with other
related OCSF
events, distinct from the event''s <code>uid</code> value. This enables linking
multiple OCSF events that are part of the same activity, transaction, or
security incident across different systems or time periods.'
event_code:
name: event_code
description: 'The identifier of the original event. For example the numerical
Windows Event
Code or Cisco syslog code.'
is_truncated:
name: is_truncated
description: 'Indicates whether the OCSF event data has been truncated due to
size
limitations. When <code>true</code>, some event data may have been omitted to
fit within system constraints.'
labels:
name: labels
description: 'The list of labels attached to the event. For example: <code>["sample",
"dev"]</code>'
log_format:
name: log_format
description: 'The format of data in the log where the data originated. For example
CSV, XML,
Windows Multiline, JSON, syslog or Cisco Log Schema.'
log_level:
name: log_level
description: 'The level at which an event was logged. This can be log provider
specific. For
example the audit level.'
log_name:
name: log_name
description: 'The event log name, typically for the consumer of the event. For
example, the
storage bucket name, SIEM repository index name, etc.'
recommended: true
log_provider:
name: log_provider
description: 'The logging provider or logging service that logged the event. For
example AWS
CloudWatch or Splunk.'
log_source:
name: log_source
description: 'The log system or component where the data originated. For example,
a file
path, syslog server name or a Windows hostname and logging subsystem such as
Security.'
log_version:
name: log_version
description: 'The event log schema version of the original event. For example
the syslog
version or the Cisco Log Schema version'
modified_time:
name: modified_time
description: The time when the event was last modified or enriched.
original_event_uid:
name: original_event_uid
description: 'The unique identifier assigned to the event in its original logging
system
before transformation to OCSF format. This field preserves the source system''s
native event identifier, enabling traceability back to the raw log entry. For
example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value,
or
a database transaction log sequence number.'
original_time:
name: original_time
recommended: true
product:
name: product
required: true
reporter:
name: reporter
description: The entity from which the event or finding was first reported.
recommended: true
source:
name: source
description: 'The source of the event or finding. This can be any distinguishing
name for the
logical origin of the data — for example, ''CloudTrail Events'', or a use case
like ''Attack Simulations'' or ''Vulnerability Scans''.'
tags:
name: tags
description: The list of tags; <code>{key:value}</code> pairs associated to the
event.
tenant_uid:
name: tenant_uid
recommended: true
total_queued_duration:
name: total_queued_duration
description: 'The amount of time an event spent in a queue awaiting processing.
In this case,
the value is the difference between <code>processed_time</code> and
<code>logged_time</code>. This duration is inclusive of all queues between the
originator of the event and the intended long-term storage destination of the
event.'
transmit_time:
name: transmit_time
description: 'The time when the event was transmitted from the logging device
to its next
destination.'
type:
name: type
description: 'The type of the event or finding as a subset of the <code>source</code>
of the
event. This can be any distinguishing characteristic of the data. For example
''Management Events'' or ''Device Penetration Test''.'
uid:
name: uid
description: 'A unique identifier assigned to the OCSF event. This ID is specific
to the OCSF
event itself and is distinct from the original event identifier in the source
system (see <code>original_event_uid</code>).'
untruncated_size:
name: untruncated_size
description: 'The original size of the OCSF event data in kilobytes before any
truncation
occurred. This field is typically populated when <code>is_truncated</code> is
<code>true</code> to indicate the full size of the original event.'
version:
name: version
description: 'The version of the OCSF schema, using Semantic Versioning Specification
(<a
target=''_blank'' href=''https://semver.org''>SemVer</a>). For example:
<code>1.0.0.</code> Event consumers use the version to determine the available
event attributes.'
required: true
attributes:
correlation_uid:
name: correlation_uid
description: 'A unique identifier used to correlate this OCSF event with other
related OCSF
events, distinct from the event''s <code>uid</code> value. This enables linking
multiple OCSF events that are part of the same activity, transaction, or
security incident across different systems or time periods.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Correlation UID
rank: 1000
alias: correlation_uid
owner: Metadata
domain_of:
- Metadata
range: string
debug:
name: debug
description: 'Debug information about non-fatal issues with this OCSF event. Each
issue is a
line in this string array.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Debug Information
rank: 1000
alias: debug
owner: Metadata
domain_of:
- Metadata
range: string
multivalued: true
event_code:
name: event_code
description: 'The identifier of the original event. For example the numerical
Windows Event
Code or Cisco syslog code.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Event Code
rank: 1000
alias: event_code
owner: Metadata
domain_of:
- Metadata
range: string
extension:
name: extension
description: The schema extension used to create the event.
deprecated: Use the <code>extensions</code> attribute instead. (since 1.1.0)
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Schema Extension
rank: 1000
alias: extension
owner: Metadata
domain_of:
- Metadata
range: Extension
extensions:
name: extensions
description: The schema extensions used to create the event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Schema Extensions
rank: 1000
alias: extensions
owner: Metadata
domain_of:
- Metadata
range: Extension
multivalued: true
is_truncated:
name: is_truncated
description: 'Indicates whether the OCSF event data has been truncated due to
size
limitations. When <code>true</code>, some event data may have been omitted to
fit within system constraints.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Is Truncated
rank: 1000
alias: is_truncated
owner: Metadata
domain_of:
- Logger
- LongString
- Metadata
range: boolean
labels:
name: labels
description: 'The list of labels attached to the event. For example: <code>["sample",
"dev"]</code>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Labels
rank: 1000
alias: labels
owner: Metadata
domain_of:
- Osint
- Resource
- Account
- ApplicationObject
- Container
- Image
- LdapPerson
- Metadata
- Service
range: string
multivalued: true
log_format:
name: log_format
description: 'The format of data in the log where the data originated. For example
CSV, XML,
Windows Multiline, JSON, syslog or Cisco Log Schema.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Log Format
rank: 1000
alias: log_format
owner: Metadata
domain_of:
- Logger
- Metadata
range: string
log_level:
name: log_level
description: 'The level at which an event was logged. This can be log provider
specific. For
example the audit level.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Log Level
rank: 1000
alias: log_level
owner: Metadata
domain_of:
- Logger
- Metadata
range: string
log_name:
name: log_name
description: 'The event log name, typically for the consumer of the event. For
example, the
storage bucket name, SIEM repository index name, etc.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Log Name
rank: 1000
alias: log_name
owner: Metadata
domain_of:
- Logger
- Metadata
- EventLogActvity
range: string
recommended: true
log_provider:
name: log_provider
description: 'The logging provider or logging service that logged the event. For
example AWS
CloudWatch or Splunk.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Log Provider
rank: 1000
alias: log_provider
owner: Metadata
domain_of:
- Logger
- Metadata
- EventLogActvity
range: string
log_source:
name: log_source
description: 'The log system or component where the data originated. For example,
a file
path, syslog server name or a Windows hostname and logging subsystem such as
Security.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Log Source
rank: 1000
alias: log_source
owner: Metadata
domain_of:
- Metadata
range: string
log_version:
name: log_version
description: 'The event log schema version of the original event. For example
the syslog
version or the Cisco Log Schema version'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Log Version
rank: 1000
alias: log_version
owner: Metadata
domain_of:
- Logger
- Metadata
range: string
logged_time:
name: logged_time
description: '<p>The time when the logging system collected and logged the event.</p>This
attribute is distinct from the event time in that event time typically contains
the time extracted from the original event. Most of the time, these two times
will be different.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Logged Time
rank: 1000
alias: logged_time
owner: Metadata
domain_of:
- Logger
- Metadata
range: TimestampT
loggers:
name: loggers
description: 'An array of Logger objects that describe the pipeline of devices
and logging
products between the event source and its eventual destination. Note, this
attribute can be used when there is a complex end-to-end path of event flow
and/or to track the chain of custody of the data.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Loggers
rank: 1000
alias: loggers
owner: Metadata
domain_of:
- Metadata
range: Logger
multivalued: true
modified_time:
name: modified_time
description: The time when the event was last modified or enriched.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Modified Time
rank: 1000
alias: modified_time
owner: Metadata
domain_of:
- Osint
- RelatedEvent
- Scim
- Sso
- Token
- Resource
- Advisory
- Cve
- Database
- Databucket
- File
- FindingObject
- FindingInfo
- LdapPerson
- Metadata
- Table
- Device
- RegKey
- RegValue
range: TimestampT
original_event_uid:
name: original_event_uid
description: 'The unique identifier assigned to the event in its original logging
system
before transformation to OCSF format. This field preserves the source system''s
native event identifier, enabling traceability back to the raw log entry. For
example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value,
or
a database transaction log sequence number.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Original Event ID
rank: 1000
alias: original_event_uid
owner: Metadata
domain_of:
- Metadata
range: string
original_time:
name: original_time
description: 'The original event time as reported by the event source. For example,
the time
in the original format from system event log such as Syslog on Unix/Linux and
the System event file on Windows. Omit if event is generated instead of
collected via logs.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Original Time
rank: 1000
alias: original_time
owner: Metadata
domain_of:
- Metadata
range: string
recommended: true
processed_time:
name: processed_time
description: The event processed time, such as an ETL operation.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Processed Time
rank: 1000
alias: processed_time
owner: Metadata
domain_of:
- Metadata
range: TimestampT
product:
name: product
description: The product that reported the event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Product
rank: 1000
alias: product
owner: Metadata
domain_of:
- RelatedEvent
- Sbom
- Advisory
- Cve
- File
- FindingObject
- FindingInfo
- KbArticle
- Logger
- Metadata
- TransformationInfo
- SoftwareInfo
range: Product
required: true
profiles:
name: profiles
description: 'The list of profiles used to create the event. Profiles should
be referenced
by their <code>name</code> attribute for core profiles, or
<code>extension/name</code> for profiles from extensions.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Profiles
rank: 1000
alias: profiles
owner: Metadata
domain_of:
- Metadata
range: string
multivalued: true
reporter:
name: reporter
description: The entity from which the event or finding was first reported.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Reporter
rank: 1000
alias: reporter
owner: Metadata
domain_of:
- Metadata
range: Reporter
recommended: true
sequence:
name: sequence
description: 'Sequence number of the event. The sequence number is a value available
in some
events, to make the exact ordering of events unambiguous, regardless of the
event time precision.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Sequence Number
rank: 1000
alias: sequence
owner: Metadata
domain_of:
- Metadata
range: integer
source:
name: source
description: 'The source of the event or finding. This can be any distinguishing
name for the
logical origin of the data — for example, ''CloudTrail Events'', or a use case
like ''Attack Simulations'' or ''Vulnerability Scans''.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Source
rank: 1000
alias: source
owner: Metadata
domain_of:
- Packet
- Edge
- Metadata
range: string
tags:
name: tags
description: The list of tags; <code>{key:value}</code> pairs associated to the
event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Tags
rank: 1000
alias: tags
owner: Metadata
domain_of:
- RelatedEvent
- Resource
- Account
- ApplicationObject
- Container
- File
- FindingInfo
- Image
- LdapPerson
- Metadata
- Service
range: KeyValueObject
multivalued: true
tenant_uid:
name: tenant_uid
description: The unique tenant identifier.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Tenant UID
rank: 1000
alias: tenant_uid
owner: Metadata
domain_of:
- Token
- Idp
- Metadata
range: string
recommended: true
total_queued_duration:
name: total_queued_duration
description: 'The amount of time an event spent in a queue awaiting processing.
In this case,
the value is the difference between <code>processed_time</code> and
<code>logged_time</code>. This duration is inclusive of all queues between the
originator of the event and the intended long-term storage destination of the
event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Total Queued Duration
rank: 1000
alias: total_queued_duration
owner: Metadata
domain_of:
- Metadata
range: Timespan
transformation_info_list:
name: transformation_info_list
description: 'An array of transformation info that describes the mappings or transforms
applied to the data.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Transformation Info
rank: 1000
alias: transformation_info_list
owner: Metadata
domain_of:
- Metadata
range: TransformationInfo
multivalued: true
transmit_time:
name: transmit_time
description: 'The time when the event was transmitted from the logging device
to its next
destination.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Transmission Time
rank: 1000
alias: transmit_time
owner: Metadata
domain_of:
- Logger
- Metadata
range: TimestampT
type:
name: type
description: 'The type of the event or finding as a subset of the <code>source</code>
of the
event. This can be any distinguishing characteristic of the data. For example
''Management Events'' or ''Device Penetration Test''.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type
rank: 1000
alias: type
owner: Metadata
domain_of:
- AnalysisTarget
- Observable
- Os
- Osint
- Package
- PrivilegeInfo
- ProgrammaticCredential
- RelatedEvent
- San
- Sbom
- Script
- SoftwareComponent
- StartupItem
- ThreatActor
- Ticket
- Timespan
- TlsExtension
- Token
- Dns
- Resource
- Account
- Agent
- Analytic
- ApplicationObject
- AuthenticationToken
- ClassifierDetails
- Cve
- Database
- Databucket
- DiscoveryDetails
- DnsAnswer
- DomainContact
- EncryptionDetails
- Endpoint
- Enrichment
- File
- Graph
- Group
- Ja4Fingerprint
- Kernel
- ManagedEntity
- Metadata
- Module
- NetworkEndpoint
- NetworkInterface
- Node
- PeripheralDevice
- Policy
- Rule
- Scan
- Trait
- UnmannedAerialSystem
- UnmannedSystemOperatingArea
- User
- WebResource
- Device
- DatastoreActivity
- FtpActivity
- RegValue
- WinResource
range: string
uid:
name: uid
description: 'A unique identifier assigned to the OCSF event. This ID is specific
to the OCSF
event itself and is distinct from the original event identifier in the source
system (see <code>original_event_uid</code>).'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unique ID
rank: 1000
alias: uid
owner: Metadata
domain_of:
- Osint
- Package
- ProgrammaticCredential
- RelatedEvent
- Request
- Sbom
- Scim
- Script
- Session
- Span
- Sso
- Ticket
- Token
- Trace
- Entity
- Resource
- Account
- Advisory
- Agent
- AiModel
- Aircraft
- Analytic
- ApplicationObject
- Assessment
- Certificate
- Check
- ClassifierDetails
- Container
- Cve
- Cwe
- D3fTactic
- D3fTechnique
- DataClassification
- Database
- Databucket
- DomainContact
- Edge
- Email
- Endpoint
- Evidences
- Extension
- Feature
- File
- FindingObject
- FindingInfo
- Graph
- Group
- HttpRequest
- Idp
- Image
- KbArticle
- LoadBalancer
- Logger
- Malware
- ManagedEntity
- MessageContext
- Metadata
- Mitigation
- NetworkConnectionInfo
- NetworkEndpoint
- NetworkInterface
- Node
- Organization
- PeripheralDevice
- Policy
- ProcessEntity
- Product
- QueryInfo
- Reporter
- Rule
- Scan
- Service
- SubTechnique
- Table
- Tactic
- Technique
- Trait
- TransformationInfo
- UnmannedAerialSystem
- User
- WebResource
- Device
- WinResource
range: string
untruncated_size:
name: untruncated_size
description: 'The original size of the OCSF event data in kilobytes before any
truncation
occurred. This field is typically populated when <code>is_truncated</code> is
<code>true</code> to indicate the full size of the original event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Untruncated Size
rank: 1000
alias: untruncated_size
owner: Metadata
domain_of:
- Logger
- LongString
- Metadata
range: integer
version:
name: version
description: 'The version of the OCSF schema, using Semantic Versioning Specification
(<a
target=''_blank'' href=''https://semver.org''>SemVer</a>). For example:
<code>1.0.0.</code> Event consumers use the version to determine the available
event attributes.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Version
rank: 1000
alias: version
owner: Metadata
domain_of:
- Os
- Package
- RpcInterface
- Sbom
- Scim
- SoftwareComponent
- Tls
- Agent
- AiModel
- Analytic
- Api
- ApplicationObject
- Attack
- Certificate
- Check
- CisControl
- CisCsc
- Cvss
- D3fend
- Databucket
- Epss
- Extension
- Feature
- File
- HttpRequest
- Logger
- ManagedEntity
- Metadata
- Policy
- Product
- ResourceDetails
- Rule
- Service
- NtpActivity
range: string
required: true
data_classification:
name: data_classification
annotations:
group:
tag: group
value: context
description: 'The Data Classification object includes information about data classification
levels and data category types.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data Classification
rank: 1000
alias: data_classification
owner: Metadata
domain_of:
- DataClassificationProfile
range: DataClassification
recommended: true
data_classifications:
name: data_classifications
annotations:
group:
tag: group
value: context
description: 'A list of Data Classification objects, that include information
about data
classification levels and data category types, identified by a classifier.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data Classification
rank: 1000
alias: data_classifications
owner: Metadata
domain_of:
- DataClassificationProfile
range: DataClassification
recommended: true
multivalued: true