Class: SecurityFinding (DEPRECATED)
Security Finding events describe findings, detections, anomalies, alerts and/or
actions performed by security products
URI: ocsf:SecurityFinding
classDiagram
class SecurityFinding
click SecurityFinding href "../SecurityFinding/"
BaseEvent <|-- SecurityFinding
click BaseEvent href "../BaseEvent/"
SecurityFinding : action
SecurityFinding : action_id
SecurityFinding --> "0..1 _recommended_" ActionIdEnum : action_id
click ActionIdEnum href "../ActionIdEnum/"
SecurityFinding : activity_id
SecurityFinding --> "1" SecurityFindingActivityIdEnum : activity_id
click SecurityFindingActivityIdEnum href "../SecurityFindingActivityIdEnum/"
SecurityFinding : activity_name
SecurityFinding : actor
SecurityFinding --> "0..1" Actor : actor
click Actor href "../Actor/"
SecurityFinding : analytic
SecurityFinding --> "0..1 _recommended_" Analytic : analytic
click Analytic href "../Analytic/"
SecurityFinding : api
SecurityFinding --> "0..1" Api : api
click Api href "../Api/"
SecurityFinding : attacks
SecurityFinding --> "*" Attack : attacks
click Attack href "../Attack/"
SecurityFinding : authorizations
SecurityFinding --> "*" Authorization : authorizations
click Authorization href "../Authorization/"
SecurityFinding : category_name
SecurityFinding : category_uid
SecurityFinding --> "1" BaseEventCategoryUidEnum : category_uid
click BaseEventCategoryUidEnum href "../BaseEventCategoryUidEnum/"
SecurityFinding : cis_csc
SecurityFinding --> "*" CisCsc : cis_csc
click CisCsc href "../CisCsc/"
SecurityFinding : class_name
SecurityFinding : class_uid
SecurityFinding --> "1" BaseEventClassUidEnum : class_uid
click BaseEventClassUidEnum href "../BaseEventClassUidEnum/"
SecurityFinding : cloud
SecurityFinding --> "1" Cloud : cloud
click Cloud href "../Cloud/"
SecurityFinding : compliance
SecurityFinding --> "0..1" Compliance : compliance
click Compliance href "../Compliance/"
SecurityFinding : confidence
SecurityFinding : confidence_id
SecurityFinding --> "0..1 _recommended_" ConfidenceIdEnum : confidence_id
click ConfidenceIdEnum href "../ConfidenceIdEnum/"
SecurityFinding : confidence_score
SecurityFinding : count
SecurityFinding : data_sources
SecurityFinding : device
SecurityFinding --> "0..1 _recommended_" Device : device
click Device href "../Device/"
SecurityFinding : disposition
SecurityFinding : disposition_id
SecurityFinding --> "0..1 _recommended_" DispositionIdEnum : disposition_id
click DispositionIdEnum href "../DispositionIdEnum/"
SecurityFinding : duration
SecurityFinding : end_time
SecurityFinding : enrichments
SecurityFinding --> "*" Enrichment : enrichments
click Enrichment href "../Enrichment/"
SecurityFinding : evidence
SecurityFinding : finding
SecurityFinding --> "1" FindingObject : finding
click FindingObject href "../FindingObject/"
SecurityFinding : firewall_rule
SecurityFinding --> "0..1" FirewallRule : firewall_rule
click FirewallRule href "../FirewallRule/"
SecurityFinding : impact
SecurityFinding : impact_id
SecurityFinding --> "0..1 _recommended_" ImpactIdEnum : impact_id
click ImpactIdEnum href "../ImpactIdEnum/"
SecurityFinding : impact_score
SecurityFinding : is_alert
SecurityFinding : kill_chain
SecurityFinding --> "*" KillChainPhase : kill_chain
click KillChainPhase href "../KillChainPhase/"
SecurityFinding : malware
SecurityFinding --> "*" Malware : malware
click Malware href "../Malware/"
SecurityFinding : malware_scan_info
SecurityFinding --> "0..1" MalwareScanInfo : malware_scan_info
click MalwareScanInfo href "../MalwareScanInfo/"
SecurityFinding : message
SecurityFinding : metadata
SecurityFinding --> "1" Metadata : metadata
click Metadata href "../Metadata/"
SecurityFinding : nist
SecurityFinding : observables
SecurityFinding --> "* _recommended_" Observable : observables
click Observable href "../Observable/"
SecurityFinding : osint
SecurityFinding --> "1..*" Osint : osint
click Osint href "../Osint/"
SecurityFinding : policy
SecurityFinding --> "0..1" Policy : policy
click Policy href "../Policy/"
SecurityFinding : process
SecurityFinding --> "0..1" Process : process
click Process href "../Process/"
SecurityFinding : raw_data
SecurityFinding : raw_data_hash
SecurityFinding --> "0..1" Fingerprint : raw_data_hash
click Fingerprint href "../Fingerprint/"
SecurityFinding : raw_data_size
SecurityFinding : resources
SecurityFinding --> "* _recommended_" ResourceDetails : resources
click ResourceDetails href "../ResourceDetails/"
SecurityFinding : risk_details
SecurityFinding : risk_level
SecurityFinding : risk_level_id
SecurityFinding --> "0..1 _recommended_" RiskLevelIdEnum : risk_level_id
click RiskLevelIdEnum href "../RiskLevelIdEnum/"
SecurityFinding : risk_score
SecurityFinding : severity
SecurityFinding : severity_id
SecurityFinding --> "1" SeverityIdEnum : severity_id
click SeverityIdEnum href "../SeverityIdEnum/"
SecurityFinding : start_time
SecurityFinding : state
SecurityFinding : state_id
SecurityFinding --> "1" SecurityFindingStateIdEnum : state_id
click SecurityFindingStateIdEnum href "../SecurityFindingStateIdEnum/"
SecurityFinding : status
SecurityFinding : status_code
SecurityFinding : status_detail
SecurityFinding : status_id
SecurityFinding --> "0..1 _recommended_" StatusIdEnum : status_id
click StatusIdEnum href "../StatusIdEnum/"
SecurityFinding : time
SecurityFinding : timezone_offset
SecurityFinding : type_name
SecurityFinding : type_uid
SecurityFinding : unmapped
SecurityFinding --> "0..1" Object : unmapped
click Object href "../Object/"
SecurityFinding : vulnerabilities
SecurityFinding --> "*" Vulnerability : vulnerabilities
click Vulnerability href "../Vulnerability/"
Inheritance
- BaseEvent [ CloudProfile DatetimeProfile HostProfile OsintProfile SecurityControlProfile]
- SecurityFinding
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| activity_id | 1 SecurityFindingActivityIdEnum |
The normalized identifier of the activity that triggered the event | direct |
| analytic | 0..1 recommended Analytic |
The analytic technique used to analyze and derive insights from the data or | direct |
| attacks | * Attack |
An array of <a target='_blank' href='https://attack | direct |
| cis_csc | * CisCsc |
The CIS Critical Security Controls is a list of top 20 actions and practices ... | direct |
| compliance | 0..1 Compliance |
The compliance object provides context to compliance findings (e | direct |
| confidence | 0..1 recommended String |
The confidence, normalized to the caption of the confidence_id value | direct |
| confidence_id | 0..1 recommended ConfidenceIdEnum |
The normalized confidence refers to the accuracy of the rule that created the | direct |
| confidence_score | 0..1 recommended Integer |
The confidence score as reported by the event source | direct |
| data_sources | * String |
A list of data sources utilized in generation of the finding | direct |
| evidence | 0..1 String |
The data the finding exposes to the analyst | direct |
| finding | 1 FindingObject |
The Finding object provides details about a finding/detection generated by a | direct |
| impact | 0..1 recommended String |
The impact , normalized to the caption of the impact_id value | direct |
| impact_id | 0..1 recommended ImpactIdEnum |
The normalized impact of the incident or finding | direct |
| impact_score | 0..1 recommended Integer |
The impact as an integer value of the finding, valid range 0-100 | direct |
| kill_chain | * KillChainPhase |
The <a target='_blank' | direct |
| malware | * Malware |
A list of Malware objects, describing details about the identified malware | direct |
| nist | * String |
The NIST Cybersecurity Framework recommendations for managing the cybersecuri... | direct |
| process | 0..1 Process |
The process object | direct |
| resources | * recommended ResourceDetails |
Describes details about resources that were affected by the activity/event | direct |
| risk_level | 0..1 recommended String |
The risk level, normalized to the caption of the risk_level_id value | direct |
| risk_level_id | 0..1 recommended RiskLevelIdEnum |
The normalized risk level id | direct |
| risk_score | 0..1 recommended Integer |
The risk score as reported by the event source | direct |
| state | 0..1 String |
The normalized state of a security finding | direct |
| state_id | 1 SecurityFindingStateIdEnum |
The normalized state identifier of a security finding | direct |
| vulnerabilities | * Vulnerability |
This object describes vulnerabilities reported in a security finding | direct |
| activity_name | 0..1 String |
The event activity name, as defined by the activity_id | BaseEvent |
| category_name | 0..1 String |
The event category name, as defined by category_uid value | BaseEvent |
| category_uid | 1 BaseEventCategoryUidEnum |
The category unique identifier of the event | BaseEvent |
| class_name | 0..1 String |
The event class name, as defined by class_uid value | BaseEvent |
| class_uid | 1 BaseEventClassUidEnum |
The unique identifier of a class | BaseEvent |
| count | 0..1 Integer |
The number of times that events in the same logical group occurred during the | BaseEvent |
| duration | 0..1 Integer |
The event duration or aggregate time, the amount of time the event covers fro... | BaseEvent |
| end_time | 0..1 TimestampT |
The end time of a time period, or the time of the most recent event included ... | BaseEvent |
| enrichments | * Enrichment |
The additional information from an external data source, which is associated | BaseEvent |
| message | 0..1 recommended String |
The description of the event/finding, as defined by the source | BaseEvent |
| metadata | 1 Metadata |
The metadata associated with the event or a finding | BaseEvent |
| observables | * recommended Observable |
The observables associated with the event or a finding | BaseEvent |
| raw_data | 0..1 String |
The raw event/finding data as received from the source | BaseEvent |
| raw_data_hash | 0..1 Fingerprint |
The hash, which describes the content of the raw_data field | BaseEvent |
| raw_data_size | 0..1 Integer |
The size of the raw data which was transformed into an OCSF event, in bytes | BaseEvent |
| severity | 0..1 String |
The event/finding severity, normalized to the caption of the | BaseEvent |
| severity_id | 1 SeverityIdEnum |
The normalized identifier of the event/finding severity |
BaseEvent |
| start_time | 0..1 TimestampT |
The start time of a time period, or the time of the least recent event includ... | BaseEvent |
| status | 0..1 recommended String |
The event status, normalized to the caption of the status_id value | BaseEvent |
| status_code | 0..1 recommended String |
The event status code, as reported by the event source | BaseEvent |
| status_detail | 0..1 recommended String |
The status detail contains additional information about the event/finding | BaseEvent |
| status_id | 0..1 recommended StatusIdEnum |
The normalized identifier of the event status | BaseEvent |
| time | 1 TimestampT |
The normalized event occurrence time or the finding creation time | BaseEvent |
| timezone_offset | 0..1 recommended Integer |
The number of minutes that the reported event time is ahead or |
BaseEvent |
| type_name | 0..1 String |
The event/finding type name, as defined by the type_uid | BaseEvent |
| type_uid | 1 Integer |
The event/finding type ID | BaseEvent |
| unmapped | 0..1 Object |
The attributes that are not mapped to the event schema | BaseEvent |
| api | 0..1 Api |
Describes details about a typical API (Application Programming Interface) cal... | CloudProfile |
| cloud | 1 Cloud |
Describes details about the Cloud environment where the event or finding was | CloudProfile |
| actor | 0..1 Actor |
The actor object describes details about the user/role/process that was the | HostProfile |
| device | 0..1 recommended Device |
An addressable device, computer system or host | HostProfile |
| osint | 1..* Osint |
The OSINT (Open Source Intelligence) object contains details related to an | OsintProfile |
| action | 0..1 String |
The normalized caption of action_id |
SecurityControlProfile |
| action_id | 0..1 recommended ActionIdEnum |
The action taken by a control or other policy-based system leading to an | SecurityControlProfile |
| authorizations | * Authorization |
Provides details about an authorization, such as authorization outcome, and a... | SecurityControlProfile |
| disposition | 0..1 String |
The disposition name, normalized to the caption of the disposition_id value | SecurityControlProfile |
| disposition_id | 0..1 recommended DispositionIdEnum |
Describes the outcome or action taken by a security control, such as access | SecurityControlProfile |
| firewall_rule | 0..1 FirewallRule |
The firewall rule that pertains to the control that triggered the event, if | SecurityControlProfile |
| is_alert | 0..1 recommended Boolean |
Indicates that the event is considered to be an alertable signal | SecurityControlProfile |
| malware_scan_info | 0..1 MalwareScanInfo |
Describes details about the scan job that identified malware on the target | SecurityControlProfile |
| policy | 0..1 Policy |
The policy that pertains to the control that triggered the event, if | SecurityControlProfile |
| risk_details | 0..1 String |
Describes the risk associated with the finding | SecurityControlProfile |
In Subsets
Aliases
- Security Finding
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_event_uid | 1 |
| category | findings |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:SecurityFinding |
| native | ocsf:SecurityFinding |
LinkML Source
Direct
name: SecurityFinding
annotations:
ocsf_event_uid:
tag: ocsf_event_uid
value: 1
category:
tag: category
value: findings
description: 'Security Finding events describe findings, detections, anomalies, alerts
and/or
actions performed by security products'
deprecated: 'Use the new specific classes according to the use-case: <code>Vulnerability
Finding, Compliance Finding, Detection Finding, Incident Finding, Data Security
Finding.</code> (since 1.1.0)'
in_subset:
- findings_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Security Finding
is_a: BaseEvent
slots:
- activity_id
- analytic
- attacks
- cis_csc
- compliance
- confidence
- confidence_id
- confidence_score
- data_sources
- evidence
- finding
- impact
- impact_id
- impact_score
- kill_chain
- malware
- nist
- process
- resources
- risk_level
- risk_level_id
- risk_score
- state
- state_id
- vulnerabilities
slot_usage:
activity_id:
name: activity_id
range: SecurityFindingActivityIdEnum
analytic:
name: analytic
annotations:
group:
tag: group
value: primary
recommended: true
attacks:
name: attacks
annotations:
group:
tag: group
value: context
description: 'An array of <a target=''_blank'' href=''https://attack.mitre.org''>MITRE
ATT&CKĀ®</a> objects describing the tactics, techniques & sub-techniques
associated to the Finding.'
cis_csc:
name: cis_csc
annotations:
group:
tag: group
value: context
compliance:
name: compliance
annotations:
group:
tag: group
value: context
confidence:
name: confidence
annotations:
group:
tag: group
value: primary
recommended: true
confidence_id:
name: confidence_id
annotations:
group:
tag: group
value: primary
recommended: true
confidence_score:
name: confidence_score
annotations:
group:
tag: group
value: primary
recommended: true
data_sources:
name: data_sources
annotations:
group:
tag: group
value: context
evidence:
name: evidence
annotations:
group:
tag: group
value: context
finding:
name: finding
annotations:
group:
tag: group
value: primary
required: true
impact:
name: impact
annotations:
group:
tag: group
value: primary
recommended: true
impact_id:
name: impact_id
annotations:
group:
tag: group
value: primary
recommended: true
impact_score:
name: impact_score
annotations:
group:
tag: group
value: primary
recommended: true
kill_chain:
name: kill_chain
annotations:
group:
tag: group
value: context
malware:
name: malware
annotations:
group:
tag: group
value: context
nist:
name: nist
annotations:
group:
tag: group
value: context
process:
name: process
annotations:
group:
tag: group
value: context
resources:
name: resources
annotations:
group:
tag: group
value: primary
recommended: true
risk_level:
name: risk_level
annotations:
group:
tag: group
value: primary
recommended: true
risk_level_id:
name: risk_level_id
annotations:
group:
tag: group
value: primary
recommended: true
risk_score:
name: risk_score
annotations:
group:
tag: group
value: primary
recommended: true
state:
name: state
annotations:
group:
tag: group
value: context
description: The normalized state of a security finding.
state_id:
name: state_id
annotations:
group:
tag: group
value: context
description: The normalized state identifier of a security finding.
range: SecurityFindingStateIdEnum
required: true
vulnerabilities:
name: vulnerabilities
annotations:
group:
tag: group
value: context
Induced
name: SecurityFinding
annotations:
ocsf_event_uid:
tag: ocsf_event_uid
value: 1
category:
tag: category
value: findings
description: 'Security Finding events describe findings, detections, anomalies, alerts
and/or
actions performed by security products'
deprecated: 'Use the new specific classes according to the use-case: <code>Vulnerability
Finding, Compliance Finding, Detection Finding, Incident Finding, Data Security
Finding.</code> (since 1.1.0)'
in_subset:
- findings_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Security Finding
is_a: BaseEvent
slot_usage:
activity_id:
name: activity_id
range: SecurityFindingActivityIdEnum
analytic:
name: analytic
annotations:
group:
tag: group
value: primary
recommended: true
attacks:
name: attacks
annotations:
group:
tag: group
value: context
description: 'An array of <a target=''_blank'' href=''https://attack.mitre.org''>MITRE
ATT&CKĀ®</a> objects describing the tactics, techniques & sub-techniques
associated to the Finding.'
cis_csc:
name: cis_csc
annotations:
group:
tag: group
value: context
compliance:
name: compliance
annotations:
group:
tag: group
value: context
confidence:
name: confidence
annotations:
group:
tag: group
value: primary
recommended: true
confidence_id:
name: confidence_id
annotations:
group:
tag: group
value: primary
recommended: true
confidence_score:
name: confidence_score
annotations:
group:
tag: group
value: primary
recommended: true
data_sources:
name: data_sources
annotations:
group:
tag: group
value: context
evidence:
name: evidence
annotations:
group:
tag: group
value: context
finding:
name: finding
annotations:
group:
tag: group
value: primary
required: true
impact:
name: impact
annotations:
group:
tag: group
value: primary
recommended: true
impact_id:
name: impact_id
annotations:
group:
tag: group
value: primary
recommended: true
impact_score:
name: impact_score
annotations:
group:
tag: group
value: primary
recommended: true
kill_chain:
name: kill_chain
annotations:
group:
tag: group
value: context
malware:
name: malware
annotations:
group:
tag: group
value: context
nist:
name: nist
annotations:
group:
tag: group
value: context
process:
name: process
annotations:
group:
tag: group
value: context
resources:
name: resources
annotations:
group:
tag: group
value: primary
recommended: true
risk_level:
name: risk_level
annotations:
group:
tag: group
value: primary
recommended: true
risk_level_id:
name: risk_level_id
annotations:
group:
tag: group
value: primary
recommended: true
risk_score:
name: risk_score
annotations:
group:
tag: group
value: primary
recommended: true
state:
name: state
annotations:
group:
tag: group
value: context
description: The normalized state of a security finding.
state_id:
name: state_id
annotations:
group:
tag: group
value: context
description: The normalized state identifier of a security finding.
range: SecurityFindingStateIdEnum
required: true
vulnerabilities:
name: vulnerabilities
annotations:
group:
tag: group
value: context
attributes:
activity_id:
name: activity_id
annotations:
group:
tag: group
value: classification
description: The normalized identifier of the activity that triggered the event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Activity ID
rank: 1000
alias: activity_id
owner: SecurityFinding
domain_of:
- BaseEvent
- ApiActivity
- ApplicationError
- ApplicationLifecycle
- DatastoreActivity
- FileHosting
- ScanActivity
- WebResourceAccessActivity
- WebResourcesActivity
- DiscoveryEvent
- DiscoveryResult
- DataSecurityFinding
- Finding
- IncidentFinding
- SecurityFinding
- AccountChange
- Authentication
- AuthorizeSession
- EntityManagement
- GroupManagement
- UserAccess
- DhcpActivity
- DnsActivity
- EmailActivity
- EmailFileActivity
- EmailUrlActivity
- FtpActivity
- HttpActivity
- NetworkActivity
- NetworkFileActivity
- NtpActivity
- RdpActivity
- SmbActivity
- SshActivity
- TunnelActivity
- RemediationActivity
- EventLogActvity
- FileActivity
- KernelActivity
- KernelExtensionActivity
- MemoryActivity
- ModuleActivity
- PeripheralActivity
- ProcessActivity
- ScheduledJobActivity
- ScriptActivity
- AirborneBroadcastActivity
- DroneFlightsActivity
- RegistryKeyActivity
- RegistryValueActivity
- WindowsResourceActivity
- WindowsServiceActivity
range: SecurityFindingActivityIdEnum
required: true
analytic:
name: analytic
annotations:
group:
tag: group
value: primary
description: 'The analytic technique used to analyze and derive insights from
the data or
information that led to the finding or conclusion.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Analytic
rank: 1000
alias: analytic
owner: SecurityFinding
domain_of:
- FindingInfo
- SecurityFinding
range: Analytic
recommended: true
attacks:
name: attacks
annotations:
group:
tag: group
value: context
description: 'An array of <a target=''_blank'' href=''https://attack.mitre.org''>MITRE
ATT&CKĀ®</a> objects describing the tactics, techniques & sub-techniques
associated to the Finding.'
notes:
- MITRE ATT&CKĀ® ā https://attack.mitre.org
- MITRE ATLAS ā https://atlas.mitre.org/matrices/ATLAS
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://attack.mitre.org
- https://atlas.mitre.org/matrices/ATLAS
aliases:
- MITRE ATT&CKĀ® and ATLASā¢ Details
rank: 1000
alias: attacks
owner: SecurityFinding
domain_of:
- Osint
- RelatedEvent
- FindingInfo
- SecurityControlProfile
- IncidentFinding
- SecurityFinding
range: Attack
multivalued: true
cis_csc:
name: cis_csc
annotations:
group:
tag: group
value: context
description: 'The CIS Critical Security Controls is a list of top 20 actions and
practices an
organizationās security team can take on such that cyber attacks or malware,
are minimized and prevented.'
deprecated: Use CIS Controls for standard benchmark controls. (since 1.5.0)
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- CIS CSC
rank: 1000
alias: cis_csc
owner: SecurityFinding
domain_of:
- SecurityFinding
range: CisCsc
multivalued: true
compliance:
name: compliance
annotations:
group:
tag: group
value: context
description: 'The compliance object provides context to compliance findings (e.g.,
a check
against a specific regulatory or best practice framework such as CIS, NIST
etc.) and contains compliance related details.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Compliance
rank: 1000
alias: compliance
owner: SecurityFinding
domain_of:
- ApplicationSecurityPostureFinding
- ComplianceFinding
- SecurityFinding
range: Compliance
confidence:
name: confidence
annotations:
group:
tag: group
value: primary
description: 'The confidence, normalized to the caption of the confidence_id value.
In the
case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence
rank: 1000
alias: confidence
owner: SecurityFinding
domain_of:
- Osint
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: string
recommended: true
confidence_id:
name: confidence_id
annotations:
group:
tag: group
value: primary
description: 'The normalized confidence refers to the accuracy of the rule that
created the
finding. A rule with a low confidence means that the finding scope is wide and
may create finding reports that may not be malicious in nature.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence ID
rank: 1000
alias: confidence_id
owner: SecurityFinding
domain_of:
- Osint
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: ConfidenceIdEnum
recommended: true
confidence_score:
name: confidence_score
annotations:
group:
tag: group
value: primary
description: The confidence score as reported by the event source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Confidence Score
rank: 1000
alias: confidence_score
owner: SecurityFinding
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- Finding
- IncidentFinding
- SecurityFinding
range: integer
recommended: true
data_sources:
name: data_sources
annotations:
group:
tag: group
value: context
description: A list of data sources utilized in generation of the finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Data Sources
rank: 1000
alias: data_sources
owner: SecurityFinding
domain_of:
- FindingInfo
- SecurityFinding
range: string
multivalued: true
evidence:
name: evidence
annotations:
group:
tag: group
value: context
description: The data the finding exposes to the analyst.
deprecated: Use the <code>evidences</code> attribute instead. (since 1.1.0)
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Evidence
rank: 1000
alias: evidence
owner: SecurityFinding
domain_of:
- SecurityFinding
range: string
finding:
name: finding
annotations:
group:
tag: group
value: primary
description: 'The Finding object provides details about a finding/detection generated
by a
security tool.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Finding
rank: 1000
alias: finding
owner: SecurityFinding
domain_of:
- SecurityFinding
range: FindingObject
required: true
impact:
name: impact
annotations:
group:
tag: group
value: primary
description: 'The impact , normalized to the caption of the impact_id value. In
the case of
''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Impact
rank: 1000
alias: impact
owner: SecurityFinding
domain_of:
- IncidentProfile
- DataSecurityFinding
- DetectionFinding
- IncidentFinding
- SecurityFinding
range: string
recommended: true
impact_id:
name: impact_id
annotations:
group:
tag: group
value: primary
description: 'The normalized impact of the incident or finding. Per NIST, this
is the
magnitude of harm that can be expected to result from the consequences of
unauthorized disclosure, modification, destruction, or loss of information or
information system availability.'
notes:
- NIST SP 800-172 from FIPS 199 ā https://doi.org/10.6028/NIST.FIPS.199
- NIST Computer Security Resource Center ā https://doi.org/10.6028/NIST.FIPS.199
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://doi.org/10.6028/NIST.FIPS.199
- https://doi.org/10.6028/NIST.FIPS.199
aliases:
- Impact ID
rank: 1000
alias: impact_id
owner: SecurityFinding
domain_of:
- IncidentProfile
- DataSecurityFinding
- DetectionFinding
- IncidentFinding
- SecurityFinding
range: ImpactIdEnum
recommended: true
impact_score:
name: impact_score
annotations:
group:
tag: group
value: primary
description: The impact as an integer value of the finding, valid range 0-100.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Impact Score
rank: 1000
alias: impact_score
owner: SecurityFinding
domain_of:
- IncidentProfile
- DataSecurityFinding
- DetectionFinding
- IncidentFinding
- SecurityFinding
range: integer
recommended: true
kill_chain:
name: kill_chain
annotations:
group:
tag: group
value: context
description: 'The <a target=''_blank''
href=''https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html''>Cyber
Kill ChainĀ®</a> provides a detailed description of each phase and its
associated activities within the broader context of a cyber attack.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Kill Chain
rank: 1000
alias: kill_chain
owner: SecurityFinding
domain_of:
- Osint
- RelatedEvent
- FindingInfo
- SecurityFinding
range: KillChainPhase
multivalued: true
malware:
name: malware
annotations:
group:
tag: group
value: context
description: A list of Malware objects, describing details about the identified
malware.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware
rank: 1000
alias: malware
owner: SecurityFinding
domain_of:
- Osint
- SecurityControlProfile
- DetectionFinding
- SecurityFinding
range: Malware
multivalued: true
nist:
name: nist
annotations:
group:
tag: group
value: context
description: 'The NIST Cybersecurity Framework recommendations for managing the
cybersecurity
risk.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- NIST List
rank: 1000
alias: nist
owner: SecurityFinding
domain_of:
- SecurityFinding
range: string
multivalued: true
process:
name: process
annotations:
group:
tag: group
value: context
description: The process object.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Process
rank: 1000
alias: process
owner: SecurityFinding
domain_of:
- QueryEvidence
- StartupItem
- Actor
- Evidences
- ModuleQuery
- NetworkConnectionQuery
- ProcessQuery
- SecurityFinding
- ProcessRemediationActivity
- MemoryActivity
- ProcessActivity
range: Process
resources:
name: resources
annotations:
group:
tag: group
value: primary
description: Describes details about resources that were affected by the activity/event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Resources Array
rank: 1000
alias: resources
owner: SecurityFinding
domain_of:
- Evidences
- ApiActivity
- CloudResourcesInventoryInfo
- ApplicationSecurityPostureFinding
- ComplianceFinding
- DataSecurityFinding
- DetectionFinding
- IamAnalysisFinding
- SecurityFinding
- VulnerabilityFinding
- UserAccess
range: ResourceDetails
recommended: true
multivalued: true
risk_level:
name: risk_level
annotations:
group:
tag: group
value: primary
description: The risk level, normalized to the caption of the risk_level_id value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Level
rank: 1000
alias: risk_level
owner: SecurityFinding
domain_of:
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: string
recommended: true
risk_level_id:
name: risk_level_id
annotations:
group:
tag: group
value: primary
description: The normalized risk level id.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Level ID
rank: 1000
alias: risk_level_id
owner: SecurityFinding
domain_of:
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: RiskLevelIdEnum
recommended: true
risk_score:
name: risk_score
annotations:
group:
tag: group
value: primary
description: The risk score as reported by the event source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Score
rank: 1000
alias: risk_score
owner: SecurityFinding
domain_of:
- Osint
- ApplicationObject
- User
- Device
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
- SecurityFinding
range: integer
recommended: true
state:
name: state
annotations:
group:
tag: group
value: context
description: The normalized state of a security finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- State
rank: 1000
alias: state
owner: SecurityFinding
domain_of:
- QueryEvidence
- Scim
- SecurityState
- Analytic
- DigitalSignature
- Idp
- DeviceConfigStateChange
- NetworkConnectionQuery
- SecurityFinding
range: string
state_id:
name: state_id
annotations:
group:
tag: group
value: context
description: The normalized state identifier of a security finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- State ID
rank: 1000
alias: state_id
owner: SecurityFinding
domain_of:
- Scim
- SecurityState
- Analytic
- DigitalSignature
- Idp
- DeviceConfigStateChange
- NetworkConnectionQuery
- SecurityFinding
range: SecurityFindingStateIdEnum
required: true
vulnerabilities:
name: vulnerabilities
annotations:
group:
tag: group
value: context
description: This object describes vulnerabilities reported in a security finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Vulnerabilities
rank: 1000
alias: vulnerabilities
owner: SecurityFinding
domain_of:
- Osint
- ApplicationSecurityPostureFinding
- DetectionFinding
- SecurityFinding
- VulnerabilityFinding
range: Vulnerability
multivalued: true
activity_name:
name: activity_name
annotations:
group:
tag: group
value: classification
description: The event activity name, as defined by the activity_id.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Activity
rank: 1000
alias: activity_name
owner: SecurityFinding
domain_of:
- BaseEvent
- DataSecurityFinding
- Finding
- IncidentFinding
range: string
category_name:
name: category_name
annotations:
group:
tag: group
value: classification
description: The event category name, as defined by category_uid value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Category
rank: 1000
alias: category_name
owner: SecurityFinding
domain_of:
- BaseEvent
range: string
category_uid:
name: category_uid
annotations:
group:
tag: group
value: classification
description: The category unique identifier of the event.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Category ID
rank: 1000
alias: category_uid
owner: SecurityFinding
domain_of:
- BaseEvent
range: BaseEventCategoryUidEnum
required: true
class_name:
name: class_name
annotations:
group:
tag: group
value: classification
description: The event class name, as defined by class_uid value.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Class
rank: 1000
alias: class_name
owner: SecurityFinding
domain_of:
- BaseEvent
range: string
class_uid:
name: class_uid
annotations:
group:
tag: group
value: classification
description: 'The unique identifier of a class. A class describes the attributes
available in
an event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Class ID
rank: 1000
alias: class_uid
owner: SecurityFinding
domain_of:
- BaseEvent
range: BaseEventClassUidEnum
required: true
count:
name: count
annotations:
group:
tag: group
value: occurrence
description: 'The number of times that events in the same logical group occurred
during the
event <strong>Start Time</strong> to <strong>End Time</strong> period.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Count
rank: 1000
alias: count
owner: SecurityFinding
domain_of:
- Observation
- RelatedEvent
- Session
- DiscoveryDetails
- UnmannedSystemOperatingArea
- BaseEvent
range: integer
duration:
name: duration
annotations:
group:
tag: group
value: occurrence
description: 'The event duration or aggregate time, the amount of time the event
covers from
<code>start_time</code> to <code>end_time</code> in milliseconds.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Duration Milliseconds
rank: 1000
alias: duration
owner: SecurityFinding
domain_of:
- Span
- Timespan
- Trace
- FirewallRule
- BaseEvent
- ScanActivity
range: integer
end_time:
name: end_time
annotations:
group:
tag: group
value: occurrence
description: 'The end time of a time period, or the time of the most recent event
included in
the aggregate event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- End Time
rank: 1000
alias: end_time
owner: SecurityFinding
domain_of:
- Span
- Timespan
- Trace
- NetworkTraffic
- UnmannedSystemOperatingArea
- MalwareScanInfo
- BaseEvent
- ScanActivity
- Finding
- IncidentFinding
range: TimestampT
enrichments:
name: enrichments
annotations:
group:
tag: group
value: context
description: 'The additional information from an external data source, which is
associated
with the event or a finding. For example add location information for the IP
address in the DNS answers:</p><code>[{"name": "answers.ip", "value":
"92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent":
"Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc":
"Yemen"}}]</code>'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Enrichments
rank: 1000
alias: enrichments
owner: SecurityFinding
domain_of:
- BaseEvent
range: Enrichment
multivalued: true
message:
name: message
annotations:
group:
tag: group
value: primary
description: The description of the event/finding, as defined by the source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Message
rank: 1000
alias: message
owner: SecurityFinding
domain_of:
- Response
- Span
- HttpResponse
- LoadBalancer
- BaseEvent
- ApplicationError
range: string
recommended: true
metadata:
name: metadata
annotations:
group:
tag: group
value: context
description: The metadata associated with the event or a finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Metadata
rank: 1000
alias: metadata
owner: SecurityFinding
domain_of:
- BaseEvent
range: Metadata
required: true
observables:
name: observables
annotations:
group:
tag: group
value: primary
description: The observables associated with the event or a finding.
notes:
- 'OCSF Observables FAQ ā
https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md'
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://github.com/ocsf/ocsf-docs/blob/main/articles/defining-and-using-observables.md
aliases:
- Observables
rank: 1000
alias: observables
owner: SecurityFinding
domain_of:
- RelatedEvent
- BaseEvent
range: Observable
recommended: true
multivalued: true
raw_data:
name: raw_data
annotations:
group:
tag: group
value: context
description: The raw event/finding data as received from the source.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data
rank: 1000
alias: raw_data
owner: SecurityFinding
domain_of:
- BaseEvent
range: string
raw_data_hash:
name: raw_data_hash
annotations:
group:
tag: group
value: context
description: The hash, which describes the content of the raw_data field.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data Hash
rank: 1000
alias: raw_data_hash
owner: SecurityFinding
domain_of:
- BaseEvent
range: Fingerprint
raw_data_size:
name: raw_data_size
annotations:
group:
tag: group
value: context
description: The size of the raw data which was transformed into an OCSF event,
in bytes.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Raw Data Size
rank: 1000
alias: raw_data_size
owner: SecurityFinding
domain_of:
- BaseEvent
range: integer
severity:
name: severity
annotations:
group:
tag: group
value: classification
description: 'The event/finding severity, normalized to the caption of the
<code>severity_id</code> value. In the case of ''Other'', it is defined by the
source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity
rank: 1000
alias: severity
owner: SecurityFinding
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Vulnerability
- Check
- Cvss
- KbArticle
- Malware
- BaseEvent
range: string
severity_id:
name: severity_id
annotations:
group:
tag: group
value: classification
description: '<p>The normalized identifier of the event/finding severity.</p>The
normalized
severity is a measurement the effort and expense required to manage and resolve
an event or incident. Smaller numerical values represent lower impact events,
and larger numerical values represent higher impact events.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Severity ID
rank: 1000
alias: severity_id
owner: SecurityFinding
domain_of:
- Osint
- RelatedEvent
- VendorAttributes
- Check
- Malware
- BaseEvent
range: SeverityIdEnum
required: true
start_time:
name: start_time
annotations:
group:
tag: group
value: occurrence
description: 'The start time of a time period, or the time of the least recent
event included
in the aggregate event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Start Time
rank: 1000
alias: start_time
owner: SecurityFinding
domain_of:
- Span
- Timespan
- Trace
- NetworkTraffic
- UnmannedSystemOperatingArea
- MalwareScanInfo
- BaseEvent
- ScanActivity
- Finding
- IncidentFinding
range: TimestampT
status:
name: status
annotations:
group:
tag: group
value: primary
description: 'The event status, normalized to the caption of the status_id value.
In the case
of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status
rank: 1000
alias: status
owner: SecurityFinding
domain_of:
- RelatedEvent
- Ticket
- Whois
- AdditionalRestriction
- Check
- Compliance
- DataClassification
- HttpResponse
- BaseEvent
- Finding
- IncidentFinding
- DroneFlightsActivity
range: string
recommended: true
status_code:
name: status_code
annotations:
group:
tag: group
value: primary
description: 'The event status code, as reported by the event source.<br /><br
/>For example,
in a Windows Failed Authentication event, this would be the value of ''Failure
Code'', e.g. 0x18.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status Code
rank: 1000
alias: status_code
owner: SecurityFinding
domain_of:
- Span
- Compliance
- BaseEvent
- EventLogActvity
range: string
recommended: true
status_detail:
name: status_detail
annotations:
group:
tag: group
value: primary
description: 'The status detail contains additional information about the event/finding
outcome.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status Detail
rank: 1000
alias: status_detail
owner: SecurityFinding
domain_of:
- Compliance
- LoadBalancer
- BaseEvent
- Authentication
- EventLogActvity
range: string
recommended: true
status_id:
name: status_id
annotations:
group:
tag: group
value: primary
description: The normalized identifier of the event status.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Status ID
rank: 1000
alias: status_id
owner: SecurityFinding
domain_of:
- Ticket
- AdditionalRestriction
- Check
- Compliance
- DataClassification
- BaseEvent
- Finding
- IncidentFinding
- RemediationActivity
- DroneFlightsActivity
range: StatusIdEnum
recommended: true
time:
name: time
annotations:
group:
tag: group
value: occurrence
description: The normalized event occurrence time or the finding creation time.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Event Time
rank: 1000
alias: time
owner: SecurityFinding
domain_of:
- TransformationInfo
- BaseEvent
range: TimestampT
required: true
timezone_offset:
name: timezone_offset
annotations:
group:
tag: group
value: occurrence
description: 'The number of minutes that the reported event <code>time</code>
is ahead or
behind UTC, in the range -1,080 to +1,080.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Timezone Offset
rank: 1000
alias: timezone_offset
owner: SecurityFinding
domain_of:
- BaseEvent
range: integer
recommended: true
type_name:
name: type_name
annotations:
group:
tag: group
value: classification
description: The event/finding type name, as defined by the type_uid.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type Name
rank: 1000
alias: type_name
owner: SecurityFinding
domain_of:
- RelatedEvent
- BaseEvent
range: string
type_uid:
name: type_uid
annotations:
group:
tag: group
value: classification
description: 'The event/finding type ID. It identifies the event''s semantics
and structure.
The value is calculated by the logging system as: <code>class_uid * 100 +
activity_id</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Type ID
rank: 1000
alias: type_uid
owner: SecurityFinding
domain_of:
- Observable
- RelatedEvent
- BaseEvent
range: integer
required: true
unmapped:
name: unmapped
annotations:
group:
tag: group
value: context
description: 'The attributes that are not mapped to the event schema. The names
and values of
those attributes are specific to the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Unmapped Data
rank: 1000
alias: unmapped
owner: SecurityFinding
domain_of:
- BaseEvent
range: Object
api:
name: api
annotations:
group:
tag: group
value: context
description: Describes details about a typical API (Application Programming Interface)
call.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- API Details
rank: 1000
alias: api
owner: SecurityFinding
domain_of:
- Evidences
- CloudProfile
- ApiActivity
range: Api
cloud:
name: cloud
annotations:
group:
tag: group
value: primary
description: 'Describes details about the Cloud environment where the event or
finding was
created.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Cloud
rank: 1000
alias: cloud
owner: SecurityFinding
domain_of:
- CloudProfile
- CloudResourcesInventoryInfo
range: Cloud
required: true
actor:
name: actor
description: 'The actor object describes details about the user/role/process that
was the
source of the activity. Note that this is not the threat actor of a campaign
but may be part of a campaign.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Actor
rank: 1000
alias: actor
owner: SecurityFinding
domain_of:
- Evidences
- HostProfile
- ApiActivity
- DatastoreActivity
- FileHosting
- ConfigState
- DeviceConfigStateChange
- InventoryInfo
- OsintInventoryInfo
- SoftwareInfo
- UserInventory
- DataSecurityFinding
- IamEvent
- NetworkFileActivity
- SystemEvent
- EventLogActvity
- FileActivity
- KernelExtensionActivity
- ModuleActivity
- ProcessActivity
- ScheduledJobActivity
- RegistryKeyActivity
- RegistryValueActivity
range: Actor
device:
name: device
description: An addressable device, computer system or host.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Device
rank: 1000
alias: device
owner: SecurityFinding
domain_of:
- AuthFactor
- Evidences
- Logger
- ManagedEntity
- HostProfile
- ConfigState
- DeviceConfigStateChange
- EvidenceInfo
- InventoryInfo
- PatchState
- SoftwareInfo
- DataSecurityFinding
- Finding
- RdpActivity
- TunnelActivity
- SystemEvent
- EventLogActvity
range: Device
recommended: true
osint:
name: osint
annotations:
group:
tag: group
value: primary
description: 'The OSINT (Open Source Intelligence) object contains details related
to an
indicator such as the indicator itself, related indicators, geolocation,
registrar information, subdomains, analyst commentary, and other contextual
information. This information can be used to further enrich a detection or
finding by providing decisioning support to other analysts and engineers.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- OSINT
rank: 1000
alias: osint
owner: SecurityFinding
domain_of:
- OsintProfile
- OsintInventoryInfo
range: Osint
required: true
multivalued: true
action:
name: action
description: The normalized caption of <code>action_id</code>.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Action
rank: 1000
alias: action
owner: SecurityFinding
domain_of:
- SecurityControlProfile
range: string
action_id:
name: action_id
annotations:
sibling:
tag: sibling
value: action
description: 'The action taken by a control or other policy-based system leading
to an
outcome or disposition. An unknown action may still correspond to a known
disposition. Refer to <code>disposition_id</code> for the outcome of the
action.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Action ID
rank: 1000
alias: action_id
owner: SecurityFinding
domain_of:
- SecurityControlProfile
range: ActionIdEnum
recommended: true
authorizations:
name: authorizations
description: 'Provides details about an authorization, such as authorization outcome,
and any
associated policies related to the activity/event.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Authorization Information
rank: 1000
alias: authorizations
owner: SecurityFinding
domain_of:
- Actor
- SecurityControlProfile
range: Authorization
multivalued: true
disposition:
name: disposition
description: 'The disposition name, normalized to the caption of the disposition_id
value. In
the case of ''Other'', it is defined by the event source.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Disposition
rank: 1000
alias: disposition
owner: SecurityFinding
domain_of:
- SecurityControlProfile
range: string
disposition_id:
name: disposition_id
annotations:
sibling:
tag: sibling
value: disposition
description: 'Describes the outcome or action taken by a security control, such
as access
control checks, malware detections or various types of policy violations.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Disposition ID
rank: 1000
alias: disposition_id
owner: SecurityFinding
domain_of:
- SecurityControlProfile
range: DispositionIdEnum
recommended: true
firewall_rule:
name: firewall_rule
description: 'The firewall rule that pertains to the control that triggered the
event, if
applicable.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Firewall Rule
rank: 1000
alias: firewall_rule
owner: SecurityFinding
domain_of:
- SecurityControlProfile
range: FirewallRule
is_alert:
name: is_alert
description: 'Indicates that the event is considered to be an alertable signal.
Should be set
to <code>true</code> if <code>disposition_id = Alert</code> among other
dispositions, and/or <code>risk_level_id</code> or <code>severity_id</code>
of
the event is elevated. Not all control events will be alertable, for example
if
<code>disposition_id = Exonerated</code> or <code>disposition_id =
Allowed</code>.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Alert
rank: 1000
alias: is_alert
owner: SecurityFinding
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
range: boolean
recommended: true
malware_scan_info:
name: malware_scan_info
description: 'Describes details about the scan job that identified malware on
the target
system.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Malware Scan Info
rank: 1000
alias: malware_scan_info
owner: SecurityFinding
domain_of:
- SecurityControlProfile
- DetectionFinding
range: MalwareScanInfo
policy:
name: policy
description: 'The policy that pertains to the control that triggered the event,
if
applicable. For example the name of an anti-malware policy or an access control
policy.'
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Policy
rank: 1000
alias: policy
owner: SecurityFinding
domain_of:
- PermissionAnalysisResult
- AdditionalRestriction
- Assessment
- Authorization
- DataClassification
- DataSecurity
- ManagedEntity
- SecurityControlProfile
- ScanActivity
- AccountChange
range: Policy
risk_details:
name: risk_details
annotations:
group:
tag: group
value: context
description: Describes the risk associated with the finding.
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Risk Details
rank: 1000
alias: risk_details
owner: SecurityFinding
domain_of:
- SecurityControlProfile
- DataSecurityFinding
- DetectionFinding
range: string