Skip to content

2001 - Security Finding

OCSF Reference

CIM Data Models: Alerts

OCSF Version: 1.0.0

CIM Field Mapping
app metadata.product.name
vendor_account cloud.account_uid
vendor_region cloud.region
description coalesce(message,'finding.desc','finding.title')
dest resources{}.name
id finding.uid
vendor_severity severity
severity case(severity_id==5, "critical", severity_id==4, "high", severity_id==3, "medium", severity_id==2, "low", severity_id==1, "informational", 1==1, "unknown")
signature finding.title
signature_id finding.uid
type event

OCSF Version: 1.1.0

CIM Field Mapping
app metadata.product.name
vendor_account cloud.account_uid
vendor_region cloud.region
description coalesce(message,'finding.desc','finding.title')
dest resources{}.name
id finding.uid
vendor_severity severity
severity case(severity_id==5, "critical", severity_id==4, "high", severity_id==3, "medium", severity_id==2, "low", severity_id==1, "informational", 1==1, "unknown")
signature finding.title
signature_id finding.uid
type event

OCSF Version: 1.2.0

CIM Field Mapping
app metadata.product.name
vendor_account cloud.account_uid
vendor_region cloud.region
description coalesce(message,'finding.desc','finding.title')
dest resources{}.name
id finding.uid
vendor_severity severity
severity case(severity_id==5, "critical", severity_id==4, "high", severity_id==3, "medium", severity_id==2, "low", severity_id==1, "informational", 1==1, "unknown")
signature finding.title
signature_id finding.uid
type event

OCSF Version: 1.0.0*

CIM Field Mapping
app metadata.product.name
vendor_account cloud.account_uid
vendor_region cloud.region
description coalesce(message,'finding.desc','finding.title')
dest resources{}.name
id finding.uid
vendor_severity severity
severity case(severity_id==5, "critical", severity_id==4, "high", severity_id==3, "medium", severity_id==2, "low", severity_id==1, "informational", 1==1, "unknown")
signature finding.title
signature_id finding.uid
type event