Related Event

related_event

The Related Event object describes an OCSF event related to a finding.

Attributes

| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| MITRE ATT&CK® Details | attacks | MITRE ATT&CK® | Yes | | An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques identified by a security control or finding. |
| Kill Chain | kill_chain | Kill Chain Phase | Yes | | The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. |
| Observables | observables | Observable | Yes | | The observables associated with the event or a finding. |
| Product Identifier | product_uid | String | | | The unique identifier of the product that reported the related event. |
| Raw Data | raw_data | JSON | | | The event data as received from the event source. |
| Record ID | record_id | String | | | Unique identifier for the object |
| Type | type | String | | | The type of the related event, as defined by type_uid. For example: Process Activity: Launch. Deprecated since 1.2.0: Use type_name attribute instead. |
| Type Name | type_name | String | | | The type of the related OCSF event, as defined by type_uid. For example: Process Activity: Launch. |
| Type ID | type_uid | Long | | | The unique identifier of the related OCSF event type. For example: 100701. |
| Unique ID | uid | String | | | The unique identifier of the related OCSF event. This value must be equal to metadata.uid in the corresponding related event. |
| Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |

JSON

            
{
  "caption": "Related Event",
  "description": "The Related Event object describes an OCSF event related to a finding.",
  "extends": "object",
  "name": "related_event",
  "attributes": {
    "attacks": {
      "requirement": "optional",
      "caption": "MITRE ATT&CK\u00ae Details",
      "description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK\u00ae</a> objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
      "type": "attack",
      "is_array": true
    },
    "kill_chain": {
      "requirement": "optional",
      "caption": "Kill Chain",
      "description": "The <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain\u00ae</a> provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.",
      "type": "kill_chain_phase",
      "is_array": true
    },
    "observables": {
      "requirement": "optional",
      "caption": "Observables",
      "description": "The observables associated with the event or a finding.",
      "type": "observable",
      "is_array": true
    },
    "product_uid": {
      "description": "The unique identifier of the product that reported the related event.",
      "requirement": "optional",
      "caption": "Product Identifier",
      "type": "string_t"
    },
    "type": {
      "@deprecated": {
        "message": "Use <code>type_name</code> attribute instead.",
        "since": "1.2.0"
      },
      "description": "The type of the related event, as defined by <code>type_uid</code>. <p>For example: <code>Process Activity: Launch.</code></p>",
      "requirement": "optional",
      "caption": "Type",
      "type": "string_t"
    },
    "type_name": {
      "description": "The type of the related OCSF event, as defined by <code>type_uid</code>. <p>For example: <code>Process Activity: Launch.</code></p>",
      "requirement": "optional",
      "caption": "Type Name",
      "type": "string_t"
    },
    "type_uid": {
      "description": "The unique identifier of the related OCSF event type. <p>For example: <code>100701.</code></p>",
      "requirement": "recommended",
      "caption": "Type ID",
      "sibling": "type_name",
      "type": "long_t"
    },
    "uid": {
      "description": "The unique identifier of the related OCSF event. This value must be equal to <code>metadata.uid</code> in the corresponding related event.",
      "requirement": "required",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  }
}
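
An added example, not part of the OCSF schema or its tooling: a Python check that related_event objects follow the attribute rules above (required uid and record_id, recommended type_uid, deprecated type) and that each uid resolves to the metadata.uid of a known event. The function name, severity labels and sample data are assumptions made for the example; the type_uid comparison also assumes the referenced event carries its own top-level type_uid.

```python
# Added example: checks related_event objects against the attribute rules on this page.
REQUIRED = ("uid", "record_id")      # "requirement": "required" in the schema JSON
RECOMMENDED = ("type_uid",)          # "requirement": "recommended"
DEPRECATED = {"type": "type_name"}   # deprecated since 1.2.0 -> replacement attribute


def check_related_events(related_events, events):
    """Return a list of (index, severity, message) problems.

    related_events: list of related_event dicts taken from a finding.
    events: iterable of full OCSF event dicts the references should resolve to.
    """
    by_uid = {e.get("metadata", {}).get("uid"): e for e in events}
    by_uid.pop(None, None)  # events without metadata.uid cannot be referenced
    problems = []
    for i, rel in enumerate(related_events):
        for name in REQUIRED:
            if not isinstance(rel.get(name), str) or not rel[name]:
                problems.append((i, "error", f"missing required string '{name}'"))
        for name in RECOMMENDED:
            if name not in rel:
                problems.append((i, "warn", f"missing recommended '{name}'"))
        for old, new in DEPRECATED.items():
            if old in rel:
                problems.append((i, "warn", f"'{old}' is deprecated, use '{new}'"))
        uid = rel.get("uid")
        target = by_uid.get(uid) if isinstance(uid, str) else None
        if isinstance(uid, str) and uid and target is None:
            # Dangling reference: the finding points at an event that is not in the store.
            problems.append((i, "error", f"uid '{uid}' matches no event metadata.uid"))
        elif target is not None and "type_uid" in rel and rel["type_uid"] != target.get("type_uid"):
            problems.append((i, "error", "type_uid differs from the referenced event"))
    return problems


# Constructed sample data (not from a real product).
EVENTS = [{"metadata": {"uid": "evt-001"}, "type_uid": 100701}]
RELATED = [
    {"uid": "evt-001", "record_id": "r-1", "type_uid": 100701,
     "type_name": "Process Activity: Launch"},
    {"uid": "evt-404", "record_id": "r-2", "type": "Process Activity: Launch"},
    {"uid": "evt-001", "record_id": "r-3", "type_uid": 100702},
    {"record_id": "r-4", "type_uid": 100701},
]

if __name__ == "__main__":
    for idx, severity, msg in check_related_events(RELATED, EVENTS):
        print(f"related_events[{idx}] {severity}: {msg}")
```

Running the check at ingestion time surfaces findings whose related-event references are dangling or mislabeled before analysts pivot on them.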