{ "caption": "Base Event", "category": "other", "description": "The base event is a generic and concrete event. It also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.", "name": "base_event", "attributes": { "$include": [ "profiles/cloud.json", "profiles/datetime.json", "profiles/host.json", "profiles/osint.json", "profiles/security_control.json" ], "activity_id": { "group": "classification", "requirement": "required", "enum": { "0": { "caption": "Unknown" }, "99": { "caption": "Other" } } }, "activity_name": { "group": "classification", "requirement": "optional" }, "category_name": { "group": "classification", "requirement": "optional" }, "category_uid": { "group": "classification", "requirement": "required", "enum": { "0": { "caption": "Uncategorized" } } }, "class_name": { "group": "classification", "requirement": "optional" }, "class_uid": { "group": "classification", "requirement": "required", "enum": { "0": { "caption": "Base Event" } } }, "count": { "description": "The number of events aggregated into this single record. Only populate for aggregate events. When set, start_time and end_time should also be provided to define the aggregation window.", "group": "occurrence", "requirement": "optional" }, "duration": { "description": "The elapsed time of the aggregation window in milliseconds, from start_time to end_time. Only populate for aggregate events (count > 1). The value should equal end_time - start_time.", "group": "occurrence", "requirement": "optional" }, "end_time": { "description": "The time of the most recent event in an aggregate (count > 1). Do not populate for discrete, point-in-time events — use time alone. Subclasses such as findings may redefine this for their own time-range semantics.", "group": "occurrence", "requirement": "optional" }, "enrichments": { "group": "context", "requirement": "optional" }, "message": { "description": "A human-readable description of the event, as defined by the source. This should be a concise, meaningful summary suitable for display in a UI or alert notification — not a raw log line. For example: \"User john_doe logged in from 10.0.0.1.\" rather than a raw syslog string.", "group": "primary", "requirement": "recommended" }, "metadata": { "group": "context", "requirement": "required" }, "observables": { "group": "primary", "requirement": "recommended" }, "raw_data": { "group": "context", "requirement": "optional" }, "raw_data_hash": { "group": "context", "requirement": "optional" }, "raw_data_size": { "group": "context", "requirement": "optional" }, "severity": { "group": "classification", "requirement": "optional" }, "severity_id": { "group": "classification", "requirement": "required" }, "start_time": { "description": "The time of the earliest event in an aggregate (count > 1). Do not populate for discrete, point-in-time events — use time alone. Subclasses such as findings may redefine this for their own time-range semantics.", "group": "occurrence", "requirement": "optional" }, "status": { "description": "The event status label, normalized to the caption of the status_id value. When status_id is 99 (Other), this attribute must contain the source-specific status label. For all other values, this must match the caption defined for that status_id enum value (e.g., \"Success\" for status_id: 1).", "group": "primary", "requirement": "recommended" }, "status_code": { "description": "The source-specific status or error code as reported by the event source. For example, a Windows logon failure code (0x18), an HTTP response code (403), or an AWS API error code. This preserves the original code for detailed troubleshooting beyond what status_id conveys.", "group": "primary", "requirement": "recommended" }, "status_detail": { "description": "A human-readable description providing additional context about the event outcome. Use this to convey details that go beyond the normalized status_id and source-specific status_code, such as a failure reason or error message. For example: \"Account locked after 5 failed attempts.\".", "group": "primary", "requirement": "recommended" }, "status_id": { "description": "The normalized status of the event outcome. Use this family of attributes to convey the outcome of the activity described by the event. Producers should map their source outcome to 1 (Success) or 2 (Failure). Use 0 (Unknown) when the outcome cannot be determined, and 99 (Other) with a populated status string when the source value does not map cleanly.", "group": "primary", "requirement": "recommended", "enum": { "1": { "caption": "Success", "description": "The activity completed successfully." }, "2": { "caption": "Failure", "description": "The activity failed." } } }, "time": { "description": "The primary timestamp of the event — when the activity actually occurred at the source. This does not capture when the event record was created or serialized by the source system; for event lifecycle timestamps such as ingestion and processing, use metadata.logged_time and metadata.processed_time respectively, or the equivalent attributes in the metadata.loggers array when recording pipeline stages. For aggregate events (count > 1), set this to start_time (the earliest OCSF time in the aggregate) to preserve causal ordering and consistent timeline alignment. Note: finding classes redefine time as the finding creation time rather than the activity occurrence time. This must be a UTC epoch value in milliseconds (e.g., 1776881335332). Mappers should use the most precise and authoritative timestamp available from the source.", "group": "occurrence", "requirement": "required" }, "timezone_offset": { "group": "occurrence", "requirement": "recommended" }, "type_name": { "group": "classification", "requirement": "optional" }, "type_uid": { "group": "classification", "requirement": "required" }, "unmapped": { "group": "context", "requirement": "optional" } }, "profiles": [ "cloud", "datetime", "host", "osint", "security_control" ] }