Class: RelatedEvent
The Related Event object describes an event or another finding related to a
finding. It may or may not be an OCSF event.
URI: ocsf:RelatedEvent
```mermaid
classDiagram
    class RelatedEvent
    click RelatedEvent href "../RelatedEvent/"
    Object <|-- RelatedEvent
    click Object href "../Object/"
    RelatedEvent : attacks
    RelatedEvent --> "*" Attack : attacks
    click Attack href "../Attack/"
    RelatedEvent : count
    RelatedEvent : created_time
    RelatedEvent : desc
    RelatedEvent : first_seen_time
    RelatedEvent : kill_chain
    RelatedEvent --> "*" KillChainPhase : kill_chain
    click KillChainPhase href "../KillChainPhase/"
    RelatedEvent : last_seen_time
    RelatedEvent : modified_time
    RelatedEvent : observables
    RelatedEvent --> "*" Observable : observables
    click Observable href "../Observable/"
    RelatedEvent : product
    RelatedEvent --> "0..1" Product : product
    click Product href "../Product/"
    RelatedEvent : product_uid
    RelatedEvent : severity
    RelatedEvent : severity_id
    RelatedEvent --> "0..1 _recommended_" SeverityIdEnum : severity_id
    click SeverityIdEnum href "../SeverityIdEnum/"
    RelatedEvent : status
    RelatedEvent : tags
    RelatedEvent --> "*" KeyValueObject : tags
    click KeyValueObject href "../KeyValueObject/"
    RelatedEvent : title
    RelatedEvent : traits
    RelatedEvent --> "*" Trait : traits
    click Trait href "../Trait/"
    RelatedEvent : type
    RelatedEvent : type_name
    RelatedEvent : type_uid
    RelatedEvent : uid
```
Inheritance
- OcsfObject
- Object
- RelatedEvent
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| attacks | * Attack | An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques | direct |
| count | 0..1 Integer | The number of times that activity in the same logical group occurred, as reported by the related Finding | direct |
| created_time | 0..1 TimestampT | The time when the related event/finding was created | direct |
| desc | 0..1 String | A description of the related event/finding | direct |
| first_seen_time | 0..1 TimestampT | The time when the finding was first observed | direct |
| kill_chain | * KillChainPhase | The [Cyber Kill Chain®](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) provides a detailed description of each phase and its associated activities within the broader context of a cyber attack | direct |
| last_seen_time | 0..1 TimestampT | The time when the finding was most recently observed | direct |
| modified_time | 0..1 TimestampT | The time when the related event/finding was last modified | direct |
| observables | * Observable | The observables associated with the event or a finding | direct |
| product | 0..1 Product | Details about the product that reported the related event/finding | direct |
| product_uid | 0..1 String | The unique identifier of the product that reported the related event | direct |
| severity | 0..1 String | The event/finding severity, normalized to the caption of the severity_id value | direct |
| severity_id | 0..1 recommended SeverityIdEnum | The normalized identifier of the event/finding severity | direct |
| status | 0..1 String | The related event status | direct |
| tags | * KeyValueObject | The list of tags; {key:value} pairs associated with the related event/finding | direct |
| title | 0..1 String | A title or a brief phrase summarizing the related event/finding | direct |
| traits | * Trait | The list of key traits or characteristics extracted from the related event/finding that influenced or contributed to the overall finding's outcome | direct |
| type | 0..1 String | The type of the related event/finding | direct |
| type_name | 0..1 String | The type of the related OCSF event, as defined by type_uid | direct |
| type_uid | 0..1 recommended Integer | The unique identifier of the related OCSF event type | direct |
| uid | 1 String | The unique identifier of the related event/finding | direct |
Usages
| used by | used in | type | used |
|---|---|---|---|
| FindingObject | related_events | range | RelatedEvent |
| FindingInfo | related_events | range | RelatedEvent |
In Subsets
Aliases
- Related Event/Finding
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:RelatedEvent |
| native | ocsf:RelatedEvent |
LinkML Source
Direct
```yaml
name: RelatedEvent
description: 'The Related Event object describes an event or another finding related
  to a
  finding. It may or may not be an OCSF event.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Related Event/Finding
is_a: Object
slots:
- attacks
- count
- created_time
- desc
- first_seen_time
- kill_chain
- last_seen_time
- modified_time
- observables
- product
- product_uid
- severity
- severity_id
- status
- tags
- title
- traits
- type
- type_name
- type_uid
- uid
slot_usage:
  count:
    name: count
    description: 'The number of times that activity in the same logical group occurred,
      as
      reported by the related Finding.'
  created_time:
    name: created_time
    description: '<p>The time when the related event/finding was created.</p> If the
      related
      event/finding is in OCSF and is a Finding, then this value should be equal to
      <code>finding_info.created_time</code> in the corresponding Finding. If the
      related event/finding is in OCSF and is not a Finding, then this value should
      be equal to <code>time</code> in the corresponding event.'
  desc:
    name: desc
    description: A description of the related event/finding.
  first_seen_time:
    name: first_seen_time
    description: 'The time when the finding was first observed. e.g. The time when
      a
      vulnerability was first observed.<br>It can differ from the
      <code>created_time</code> timestamp, which reflects the time this finding was
      created.'
  last_seen_time:
    name: last_seen_time
    description: 'The time when the finding was most recently observed. e.g. The time
      when a
      vulnerability was most recently observed.<br>It can differ from the
      <code>modified_time</code> timestamp, which reflects the time this finding was
      last modified.'
  modified_time:
    name: modified_time
    description: The time when the related event/finding was last modified.
  product:
    name: product
    description: Details about the product that reported the related event/finding.
  product_uid:
    name: product_uid
    description: The unique identifier of the product that reported the related event.
  severity_id:
    name: severity_id
    recommended: true
  status:
    name: status
    description: 'The related event status. Should correspond to the label of the
      status_id (or
      ''Other'' status value for status_id = 99) of the related event.'
  tags:
    name: tags
    description: 'The list of tags; <code>{key:value}</code> pairs associated with
      the related
      event/finding.'
  title:
    name: title
    description: A title or a brief phrase summarizing the related event/finding.
  traits:
    name: traits
    description: 'The list of key traits or characteristics extracted from the related
      event/finding that influenced or contributed to the overall finding''s outcome.'
  type:
    name: type
    description: '<p>The type of the related event/finding.</p>Populate if the related
      event/finding is <code>NOT</code> in OCSF. If it is in OCSF, then utilize
      <code>type_name, type_uid</code> instead.'
  type_name:
    name: type_name
    description: 'The type of the related OCSF event, as defined by <code>type_uid</code>.<p>For
      example: <code>Process Activity: Launch.</code></p>Populate if the related
      event/finding is in OCSF.'
  type_uid:
    name: type_uid
    description: 'The unique identifier of the related OCSF event type. <p>For example:
      <code>100701.</code></p>Populate if the related event/finding is in OCSF.'
    recommended: true
  uid:
    name: uid
    description: '<p>The unique identifier of the related event/finding.</p> If the
      related
      event/finding is in OCSF, then this value must be equal to
      <code>metadata.uid</code> in the corresponding event.'
    required: true
```
Induced
```yaml
name: RelatedEvent
description: 'The Related Event object describes an event or another finding related
  to a
  finding. It may or may not be an OCSF event.'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Related Event/Finding
is_a: Object
slot_usage:
  count:
    name: count
    description: 'The number of times that activity in the same logical group occurred,
      as
      reported by the related Finding.'
  created_time:
    name: created_time
    description: '<p>The time when the related event/finding was created.</p> If the
      related
      event/finding is in OCSF and is a Finding, then this value should be equal to
      <code>finding_info.created_time</code> in the corresponding Finding. If the
      related event/finding is in OCSF and is not a Finding, then this value should
      be equal to <code>time</code> in the corresponding event.'
  desc:
    name: desc
    description: A description of the related event/finding.
  first_seen_time:
    name: first_seen_time
    description: 'The time when the finding was first observed. e.g. The time when
      a
      vulnerability was first observed.<br>It can differ from the
      <code>created_time</code> timestamp, which reflects the time this finding was
      created.'
  last_seen_time:
    name: last_seen_time
    description: 'The time when the finding was most recently observed. e.g. The time
      when a
      vulnerability was most recently observed.<br>It can differ from the
      <code>modified_time</code> timestamp, which reflects the time this finding was
      last modified.'
  modified_time:
    name: modified_time
    description: The time when the related event/finding was last modified.
  product:
    name: product
    description: Details about the product that reported the related event/finding.
  product_uid:
    name: product_uid
    description: The unique identifier of the product that reported the related event.
  severity_id:
    name: severity_id
    recommended: true
  status:
    name: status
    description: 'The related event status. Should correspond to the label of the
      status_id (or
      ''Other'' status value for status_id = 99) of the related event.'
  tags:
    name: tags
    description: 'The list of tags; <code>{key:value}</code> pairs associated with
      the related
      event/finding.'
  title:
    name: title
    description: A title or a brief phrase summarizing the related event/finding.
  traits:
    name: traits
    description: 'The list of key traits or characteristics extracted from the related
      event/finding that influenced or contributed to the overall finding''s outcome.'
  type:
    name: type
    description: '<p>The type of the related event/finding.</p>Populate if the related
      event/finding is <code>NOT</code> in OCSF. If it is in OCSF, then utilize
      <code>type_name, type_uid</code> instead.'
  type_name:
    name: type_name
    description: 'The type of the related OCSF event, as defined by <code>type_uid</code>.<p>For
      example: <code>Process Activity: Launch.</code></p>Populate if the related
      event/finding is in OCSF.'
  type_uid:
    name: type_uid
    description: 'The unique identifier of the related OCSF event type. <p>For example:
      <code>100701.</code></p>Populate if the related event/finding is in OCSF.'
    recommended: true
  uid:
    name: uid
    description: '<p>The unique identifier of the related event/finding.</p> If the
      related
      event/finding is in OCSF, then this value must be equal to
      <code>metadata.uid</code> in the corresponding event.'
    required: true
attributes:
  attacks:
    name: attacks
    description: 'An array of MITRE ATT&CK® objects describing identified tactics,
      techniques &
      sub-techniques. The objects are compatible with MITRE ATLAS™ tactics,
      techniques & sub-techniques.'
    notes:
    - MITRE ATT&CK® - https://attack.mitre.org
    - MITRE ATLAS - https://atlas.mitre.org/matrices/ATLAS
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://attack.mitre.org
    - https://atlas.mitre.org/matrices/ATLAS
    aliases:
    - MITRE ATT&CK® and ATLAS™ Details
    rank: 1000
    alias: attacks
    owner: RelatedEvent
    domain_of:
    - Osint
    - RelatedEvent
    - FindingInfo
    - SecurityControlProfile
    - IncidentFinding
    - SecurityFinding
    range: Attack
    multivalued: true
  count:
    name: count
    description: 'The number of times that activity in the same logical group occurred,
      as
      reported by the related Finding.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Count
    rank: 1000
    alias: count
    owner: RelatedEvent
    domain_of:
    - Observation
    - RelatedEvent
    - Session
    - DiscoveryDetails
    - UnmannedSystemOperatingArea
    - BaseEvent
    range: integer
  created_time:
    name: created_time
    description: '<p>The time when the related event/finding was created.</p> If the
      related
      event/finding is in OCSF and is a Finding, then this value should be equal to
      <code>finding_info.created_time</code> in the corresponding Finding. If the
      related event/finding is in OCSF and is not a Finding, then this value should
      be equal to <code>time</code> in the corresponding event.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Created Time
    rank: 1000
    alias: created_time
    owner: RelatedEvent
    domain_of:
    - Osint
    - RelatedEvent
    - Sbom
    - Scim
    - Session
    - Sso
    - Token
    - Whois
    - Resource
    - Advisory
    - AuthenticationToken
    - Certificate
    - Cve
    - Database
    - Databucket
    - DigitalSignature
    - Enrichment
    - Epss
    - File
    - FindingObject
    - FindingInfo
    - Job
    - KbArticle
    - LdapPerson
    - ProcessEntity
    - Table
    - Device
    range: TimestampT
  desc:
    name: desc
    description: A description of the related event/finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Description
    rank: 1000
    alias: desc
    owner: RelatedEvent
    domain_of:
    - Osint
    - RelatedEvent
    - Remediation
    - Vulnerability
    - Advisory
    - Analytic
    - ApplicationObject
    - Assessment
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - Compliance
    - Cve
    - Database
    - Databucket
    - Enrichment
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - Job
    - Location
    - Node
    - Policy
    - Rule
    - Table
    - WebResource
    - Device
    - IncidentFinding
    range: string
  first_seen_time:
    name: first_seen_time
    description: 'The time when the finding was first observed. e.g. The time when
      a
      vulnerability was first observed.<br>It can differ from the
      <code>created_time</code> timestamp, which reflects the time this finding was
      created.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - First Seen
    rank: 1000
    alias: first_seen_time
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - Vulnerability
    - FindingObject
    - FindingInfo
    - IdentityActivityMetrics
    - Device
    range: TimestampT
  kill_chain:
    name: kill_chain
    description: 'The <a target=''_blank''
      href=''https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html''>Cyber
      Kill Chain®</a> provides a detailed description of each phase and its
      associated activities within the broader context of a cyber attack.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Kill Chain
    rank: 1000
    alias: kill_chain
    owner: RelatedEvent
    domain_of:
    - Osint
    - RelatedEvent
    - FindingInfo
    - SecurityFinding
    range: KillChainPhase
    multivalued: true
  last_seen_time:
    name: last_seen_time
    description: 'The time when the finding was most recently observed. e.g. The time
      when a
      vulnerability was most recently observed.<br>It can differ from the
      <code>modified_time</code> timestamp, which reflects the time this finding was
      last modified.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Last Seen
    rank: 1000
    alias: last_seen_time
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - Vulnerability
    - Whois
    - FindingObject
    - FindingInfo
    - IdentityActivityMetrics
    - Device
    range: TimestampT
  modified_time:
    name: modified_time
    description: The time when the related event/finding was last modified.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Modified Time
    rank: 1000
    alias: modified_time
    owner: RelatedEvent
    domain_of:
    - Osint
    - RelatedEvent
    - Scim
    - Sso
    - Token
    - Resource
    - Advisory
    - Cve
    - Database
    - Databucket
    - File
    - FindingObject
    - FindingInfo
    - LdapPerson
    - Metadata
    - Table
    - Device
    - RegKey
    - RegValue
    range: TimestampT
  observables:
    name: observables
    description: The observables associated with the event or a finding.
    notes:
    - 'OCSF Observables FAQ -
      https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md
    aliases:
    - Observables
    rank: 1000
    alias: observables
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - BaseEvent
    range: Observable
    multivalued: true
  product:
    name: product
    description: Details about the product that reported the related event/finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Product
    rank: 1000
    alias: product
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - Sbom
    - Advisory
    - Cve
    - File
    - FindingObject
    - FindingInfo
    - KbArticle
    - Logger
    - Metadata
    - TransformationInfo
    - SoftwareInfo
    range: Product
  product_uid:
    name: product_uid
    description: The unique identifier of the product that reported the related event.
    deprecated: 'Use the <code>uid</code> attribute in the <code>product</code> object
      instead.
      See specific usage. (since 1.4.0)'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Product Identifier
    rank: 1000
    alias: product_uid
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - FindingObject
    - FindingInfo
    range: string
  severity:
    name: severity
    description: 'The event/finding severity, normalized to the caption of the
      <code>severity_id</code> value. In the case of ''Other'', it is defined by the
      source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Severity
    rank: 1000
    alias: severity
    owner: RelatedEvent
    domain_of:
    - Osint
    - RelatedEvent
    - VendorAttributes
    - Vulnerability
    - Check
    - Cvss
    - KbArticle
    - Malware
    - BaseEvent
    range: string
  severity_id:
    name: severity_id
    annotations:
      sibling:
        tag: sibling
        value: severity
    description: '<p>The normalized identifier of the event/finding severity.</p>The
      normalized
      severity is a measurement of the effort and expense required to manage and resolve
      an event or incident. Smaller numerical values represent lower impact events,
      and larger numerical values represent higher impact events.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Severity ID
    rank: 1000
    alias: severity_id
    owner: RelatedEvent
    domain_of:
    - Osint
    - RelatedEvent
    - VendorAttributes
    - Check
    - Malware
    - BaseEvent
    range: SeverityIdEnum
    recommended: true
  status:
    name: status
    description: 'The related event status. Should correspond to the label of the
      status_id (or
      ''Other'' status value for status_id = 99) of the related event.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Status
    rank: 1000
    alias: status
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - Ticket
    - Whois
    - AdditionalRestriction
    - Check
    - Compliance
    - DataClassification
    - HttpResponse
    - BaseEvent
    - Finding
    - IncidentFinding
    - DroneFlightsActivity
    range: string
  tags:
    name: tags
    description: 'The list of tags; <code>{key:value}</code> pairs associated with
      the related
      event/finding.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Tags
    rank: 1000
    alias: tags
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - Resource
    - Account
    - ApplicationObject
    - Container
    - File
    - FindingInfo
    - Image
    - LdapPerson
    - Metadata
    - Service
    range: KeyValueObject
    multivalued: true
  title:
    name: title
    description: A title or a brief phrase summarizing the related event/finding.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Title
    rank: 1000
    alias: title
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - Ticket
    - Vulnerability
    - Advisory
    - Cve
    - FindingObject
    - FindingInfo
    - KbArticle
    range: string
  traits:
    name: traits
    description: 'The list of key traits or characteristics extracted from the related
      event/finding that influenced or contributed to the overall finding''s outcome.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Traits
    rank: 1000
    alias: traits
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - FindingInfo
    range: Trait
    multivalued: true
  type:
    name: type
    description: '<p>The type of the related event/finding.</p>Populate if the related
      event/finding is <code>NOT</code> in OCSF. If it is in OCSF, then utilize
      <code>type_name, type_uid</code> instead.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: RelatedEvent
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_name:
    name: type_name
    description: 'The type of the related OCSF event, as defined by <code>type_uid</code>.<p>For
      example: <code>Process Activity: Launch.</code></p>Populate if the related
      event/finding is in OCSF.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type Name
    rank: 1000
    alias: type_name
    owner: RelatedEvent
    domain_of:
    - RelatedEvent
    - BaseEvent
    range: string
  type_uid:
    name: type_uid
    annotations:
      sibling:
        tag: sibling
        value: type_name
    description: 'The unique identifier of the related OCSF event type. <p>For example:
      <code>100701.</code></p>Populate if the related event/finding is in OCSF.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_uid
    owner: RelatedEvent
    domain_of:
    - Observable
    - RelatedEvent
    - BaseEvent
    range: integer
    recommended: true
  uid:
    name: uid
    description: '<p>The unique identifier of the related event/finding.</p> If the
      related
      event/finding is in OCSF, then this value must be equal to
      <code>metadata.uid</code> in the corresponding event.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: RelatedEvent
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    required: true
```
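
The slot descriptions above carry rules a pipeline can check before it trusts a finding's `related_events`: `uid` is required and must equal `metadata.uid` of the referenced OCSF event, `type` is only for non-OCSF events, `created_time` mirrors the referenced event, and `product_uid` is deprecated. The Python below is an added example, not part of the OCSF schema or its tooling; `check_related_event`, `events_by_uid`, the use of `finding_info` to recognise a Finding, and all sample data are assumptions made for illustration.

```python
# Added example: consistency checks for OCSF RelatedEvent dicts.
# check_related_event() and events_by_uid are names made up for this sketch.

def check_related_event(rel, events_by_uid=None):
    """Return a list of (level, message) issues for one RelatedEvent dict."""
    uid = rel.get("uid")
    if not isinstance(uid, str) or not uid:
        # uid is the only required slot; nothing else can be resolved without it.
        return [("error", "uid is required")]

    issues = []
    in_ocsf = "type_uid" in rel or "type_name" in rel
    if in_ocsf and "type" in rel:
        issues.append(("warn", "type is for non-OCSF events; use type_uid/type_name"))
    if not in_ocsf and "type" not in rel:
        issues.append(("warn", "neither type_uid/type_name nor type is populated"))
    if "severity_id" not in rel:
        issues.append(("warn", "severity_id is recommended"))
    if "product_uid" in rel:
        issues.append(("warn", "product_uid is deprecated since 1.4.0; use product.uid"))

    # Cross-checks need the referenced OCSF event, keyed by its metadata.uid.
    if not in_ocsf or events_by_uid is None:
        return issues
    event = events_by_uid.get(uid)
    if event is None:
        issues.append(("error", "uid matches no event's metadata.uid"))
        return issues
    # Assumption: an event that carries finding_info is a Finding.
    if "finding_info" in event:
        expected_created = event["finding_info"].get("created_time")
    else:
        expected_created = event.get("time")
    if "created_time" in rel and rel["created_time"] != expected_created:
        issues.append(("warn", "created_time differs from the referenced event"))
    if "type_uid" in rel and rel["type_uid"] != event.get("type_uid"):
        issues.append(("error", "type_uid differs from the referenced event"))
    return issues


# Constructed sample data, not taken from any real product.
# Timestamps are epoch milliseconds.
EVENTS = [
    {"metadata": {"uid": "evt-001"}, "type_uid": 100701, "time": 1700000000000},
    {"metadata": {"uid": "fnd-002"}, "type_uid": 200401, "time": 1700000300000,
     "finding_info": {"uid": "fnd-002", "created_time": 1700000200000}},
]
RELATED = [
    # Consistent reference to a non-Finding OCSF event.
    {"uid": "evt-001", "type_uid": 100701, "severity_id": 3,
     "type_name": "Process Activity: Launch", "created_time": 1700000000000},
    # Finding referenced with its event time instead of finding_info.created_time.
    {"uid": "fnd-002", "type_uid": 200401, "severity_id": 4,
     "created_time": 1700000300000},
    # OCSF event that also sets type and the deprecated product_uid.
    {"uid": "evt-001", "type_uid": 100701, "type": "process", "product_uid": "p-1"},
    # Non-OCSF alert: only type is expected, no cross-check is possible.
    {"uid": "edr-alert-77", "type": "Vendor EDR alert", "severity_id": 2},
    # Missing the required uid.
    {"title": "no uid"},
]


def run_sample():
    by_uid = {e["metadata"]["uid"]: e for e in EVENTS}
    return [check_related_event(r, by_uid) for r in RELATED]


if __name__ == "__main__":
    for rel, found in zip(RELATED, run_sample()):
        print(rel.get("uid"), found or "ok")
```
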