Metadata

metadata

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

Attributes

| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Correlation UID | correlation_uid | String | | | The unique identifier used to correlate events. |
| Data Classification | data_classification | Data Classification | | | The Data Classification object includes information about data classification levels and data category types. |
| Event Code | event_code | String | | | The Event ID or Code that the product uses to describe the event. |
| Schema Extension | extension | Schema Extension | | | The schema extension used to create the event. Deprecated since 1.1.0: use the extensions attribute instead. |
| Schema Extensions | extensions | Schema Extension | Yes | | The schema extensions used to create the event. |
| Labels | labels | String | Yes | | The list of category labels attached to the event or to specific attributes. Labels are user-defined tags or aliases added at normalization time. For example: ["network", "connection.ip:destination", "device.ip:source"] |
| Log Level | log_level | String | | | The audit level at which the event was generated. |
| Log Name | log_name | String | | | The event log name. For example, a syslog file name or the Windows logging subsystem: Security. |
| Log Provider | log_provider | String | | | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. |
| Log Version | log_version | String | | | The event log schema version that specifies the format of the original event. For example, the syslog version or the Cisco Log Schema Version. |
| Logged Time | logged_time | Timestamp | | | The time when the logging system collected and logged the event. This attribute is distinct from the event time, which typically contains the time extracted from the original event. Most of the time, these two times will differ. |
| Loggers | loggers | Logger | Yes | | An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. This attribute can be used when there is a complex end-to-end path of event flow. |
| Modified Time | modified_time | Timestamp | | | The time when the event was last modified or enriched. |
| Original Time | original_time | String | | | The original event time as reported by the event source, kept in its original format; for example, the time from syslog on Unix/Linux or from the System event file on Windows. Omit if the event is generated rather than collected from logs. |
| Processed Time | processed_time | Timestamp | | | The time when the event was processed, for example by an ETL operation. |
| Product | product | Product | | | The product that reported the event. |
| Profiles | profiles | String | Yes | | The list of profiles used to create the event. |
| Raw Data | raw_data | JSON | | | The event data as received from the event source. |
| Record ID | record_id | String | | | Unique identifier for the object. |
| Sequence Number | sequence | Integer | | | Sequence number of the event. The sequence number is a value available in some events that makes the exact ordering of events unambiguous, regardless of the event time precision. |
| Tenant UID | tenant_uid | String | | | The unique tenant identifier. |
| Event UID | uid | String | | | The logging system-assigned unique identifier of an event instance. |
| Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| Version | version | String | | 1.0.0 | The version of the OCSF schema, using the Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes. |

Context

JSON

{
  "caption": "Metadata",
  "description": "The Metadata object describes the metadata associated with the event. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Metadata/'>d3f:Metadata</a>.",
  "extends": "object",
  "name": "metadata",
  "profiles": [
    "data_classification"
  ],
  "attributes": {
    "$include": [
      "profiles/data_classification.json"
    ],
    "correlation_uid": {
      "requirement": "optional",
      "caption": "Correlation UID",
      "description": "The unique identifier used to correlate events.",
      "type": "string_t"
    },
    "event_code": {
      "requirement": "optional",
      "caption": "Event Code",
      "description": "The Event ID or Code that the product uses to describe the event.",
      "type": "string_t"
    },
    "extension": {
      "requirement": "optional",
      "@deprecated": {
        "message": "Use the <code> extensions </code> attribute instead.",
        "since": "1.1.0"
      },
      "caption": "Schema Extension",
      "description": "The schema extension used to create the event.",
      "type": "extension"
    },
    "extensions": {
      "requirement": "optional",
      "caption": "Schema Extensions",
      "description": "The schema extensions used to create the event.",
      "is_array": true,
      "type": "extension"
    },
    "labels": {
      "description": "<p>The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.</p>For example: <code>[\"network\", \"connection.ip:destination\", \"device.ip:source\"]</code>",
      "requirement": "optional",
      "caption": "Labels",
      "is_array": true,
      "type": "string_t"
    },
    "log_level": {
      "requirement": "optional",
      "caption": "Log Level",
      "description": "The audit level at which an event was generated.",
      "type": "string_t"
    },
    "log_name": {
      "requirement": "recommended",
      "caption": "Log Name",
      "description": "The event log name. For example, syslog file name or Windows logging subsystem: Security.",
      "type": "string_t"
    },
    "log_provider": {
      "requirement": "recommended",
      "caption": "Log Provider",
      "description": "The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.",
      "type": "string_t"
    },
    "log_version": {
      "requirement": "optional",
      "caption": "Log Version",
      "description": "The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.",
      "type": "string_t"
    },
    "logged_time": {
      "requirement": "optional",
      "caption": "Logged Time",
      "description": "<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
      "type": "timestamp_t"
    },
    "modified_time": {
      "description": "The time when the event was last modified or enriched.",
      "requirement": "optional",
      "caption": "Modified Time",
      "type": "timestamp_t"
    },
    "loggers": {
      "caption": "Loggers",
      "description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.",
      "is_array": true,
      "type": "logger"
    },
    "original_time": {
      "requirement": "recommended",
      "caption": "Original Time",
      "description": "The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.",
      "type": "string_t"
    },
    "processed_time": {
      "requirement": "optional",
      "caption": "Processed Time",
      "description": "The event processed time, such as an ETL operation.",
      "type": "timestamp_t"
    },
    "product": {
      "requirement": "required",
      "caption": "Product",
      "description": "The product that reported the event.",
      "type": "product"
    },
    "profiles": {
      "requirement": "optional",
      "caption": "Profiles",
      "description": "The list of profiles used to create the event.",
      "is_array": true,
      "type": "string_t"
    },
    "sequence": {
      "requirement": "optional",
      "caption": "Sequence Number",
      "description": "Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.",
      "type": "integer_t"
    },
    "tenant_uid": {
      "requirement": "recommended",
      "caption": "Tenant UID",
      "description": "The unique tenant identifier.",
      "type": "string_t"
    },
    "uid": {
      "caption": "Event UID",
      "description": "The logging system-assigned unique identifier of an event instance.",
      "requirement": "optional",
      "type": "string_t"
    },
    "version": {
      "description": "The version of the OCSF schema, using Semantic Versioning Specification (<a target='_blank' href='https://semver.org'>SemVer</a>). For example: 1.0.0. Event consumers use the version to determine the available event attributes.",
      "requirement": "required",
      "caption": "Version",
      "type": "string_t",
      "default": "1.0.0"
    },
    "data_classification": {
      "group": "context",
      "requirement": "recommended",
      "caption": "Data Classification",
      "description": "The Data Classification object includes information about data classification levels and data category types.",
      "type": "data_classification"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  }
}
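The attribute table and the JSON definition above give everything a consumer needs to sanity-check the metadata object of an incoming event: which attributes are required (product, version, record_id), which are recommended, which are arrays, and that extension is deprecated in favour of extensions. The following Python is an added example for this page, not OCSF project code or a reference implementation. It takes its attribute names and requirement levels from the JSON definition; the sample metadata objects are constructed for illustration, and it assumes Timestamp attributes are integer epoch milliseconds (the OCSF convention for timestamp_t, which this page names only as "Timestamp"). The contents of the nested Product and Data Classification objects are defined elsewhere in the schema, so only their presence and shape are checked and the field names used in the samples are hypothetical.

```python
"""Validate and tidy the `metadata` object of an OCSF event.

Added example, not OCSF project code. Attribute names, array attributes,
the deprecation of `extension` and the requirement levels come from the
Metadata definition on this page. Assumption: Timestamp attributes are
integer epoch milliseconds (the OCSF timestamp_t convention).
"""
import re
from typing import Any

# Requirement levels from the JSON definition. Attributes without an explicit
# requirement there (loggers, raw_data, unmapped) are treated as optional.
REQUIRED = {"product", "version", "record_id"}
RECOMMENDED = {"log_name", "log_provider", "original_time", "tenant_uid",
               "data_classification"}
ARRAY_ATTRS = {"extensions", "labels", "loggers", "profiles", "unmapped"}
TIMESTAMP_ATTRS = {"logged_time", "modified_time", "processed_time"}
DEPRECATED = {"extension": "extensions"}  # `extension` deprecated since 1.1.0
KNOWN = (REQUIRED | RECOMMENDED | ARRAY_ATTRS | TIMESTAMP_ATTRS | set(DEPRECATED)
         | {"correlation_uid", "event_code", "log_level", "log_version",
            "sequence", "uid", "raw_data"})
# SemVer 2.0.0: MAJOR.MINOR.PATCH with optional pre-release and build metadata.
SEMVER = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
                    r"(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def _is_int(value: Any) -> bool:
    # bool is a subclass of int in Python; a flag is not a valid timestamp/sequence.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_metadata(meta: dict[str, Any]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one metadata object.

    Errors break the schema (missing required attribute, wrong shape).
    Warnings flag recommended-but-absent attributes, deprecated usage and
    keys that are not metadata attributes at all (those belong in `unmapped`).
    """
    errors: list[str] = []
    warnings: list[str] = []
    present = set(meta)

    for name in sorted(REQUIRED - present):
        errors.append(f"missing required attribute '{name}'")
    for name in sorted(RECOMMENDED - present):
        warnings.append(f"missing recommended attribute '{name}'")
    for name in sorted(present - KNOWN):
        warnings.append(f"unknown attribute '{name}' (source-specific data belongs in 'unmapped')")
    for old, new in DEPRECATED.items():
        if old in present:
            warnings.append(f"'{old}' is deprecated since 1.1.0; use '{new}' instead")

    for name in sorted(ARRAY_ATTRS & present):
        if not isinstance(meta[name], list):
            errors.append(f"'{name}' must be an array")
    for name in sorted(TIMESTAMP_ATTRS & present):
        if not _is_int(meta[name]) or meta[name] < 0:
            errors.append(f"'{name}' must be a non-negative integer timestamp")
    if "version" in present and not (isinstance(meta["version"], str)
                                     and SEMVER.match(meta["version"])):
        errors.append("'version' must be a SemVer string such as 1.0.0")
    if "sequence" in present and not _is_int(meta["sequence"]):
        errors.append("'sequence' must be an integer")
    if "product" in present and not isinstance(meta["product"], dict):
        errors.append("'product' must be a Product object")
    # original_time keeps the source's own textual format; it is not a Timestamp.
    if "original_time" in present and not isinstance(meta["original_time"], str):
        errors.append("'original_time' must be a string in the source's original format")
    return errors, warnings


def migrate_extension(meta: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with the deprecated single `extension` folded into `extensions`."""
    out = dict(meta)
    ext = out.pop("extension", None)
    if ext is not None:
        exts = list(out.get("extensions", []))
        if ext not in exts:
            exts.append(ext)
        out["extensions"] = exts
    return out


# Constructed samples, not real telemetry. Field names inside the nested
# product / data_classification objects are hypothetical placeholders.
GOOD = {
    "version": "1.1.0",
    "record_id": "6f1c2a9e-0c0f-4c52-9a2e-2f5c8e1b7d10",
    "product": {"name": "Windows", "vendor_name": "Microsoft"},
    "log_name": "Security",
    "log_provider": "Microsoft-Windows-Security-Auditing",
    "event_code": "4624",
    "original_time": "2024-05-01T12:34:56.789Z",   # source's own format, as a string
    "logged_time": 1714567000000,                   # collector time, epoch ms
    "tenant_uid": "tenant-42",
    "data_classification": {"category": "Authentication"},
    "labels": ["network", "device.ip:source"],
    "profiles": ["data_classification"],
}
BAD = {
    "version": "1.0",                                   # not SemVer
    "product": {"name": "acme-fw"},
    "extension": {"name": "acme", "version": "1.0.0"},  # deprecated attribute
    "labels": "network",                                # should be an array
    "logged_time": "2024-05-01T12:34:56Z",              # should be a Timestamp
    "hostname": "fw01",                                 # not a metadata attribute
}
```

Running validate_metadata(GOOD) yields no errors or warnings; validate_metadata(BAD) reports the missing record_id, the non-array labels, the string logged_time and the malformed version as errors, and the deprecated extension, the stray hostname and the absent recommended attributes as warnings. migrate_extension(BAD) returns a copy with extension moved into a one-element extensions array, which is the migration the deprecation note asks for.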