{
"caption": "Base Event",
"category": "other",
"description": "The base event is a generic and concrete event. It also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.",
"name": "base_event",
"attributes": {
"$include": [
"profiles/cloud.json",
"profiles/datetime.json",
"profiles/host.json",
"profiles/osint.json",
"profiles/security_control.json"
],
"activity_id": {
"group": "classification",
"requirement": "required",
"enum": {
"0": {
"caption": "Unknown"
},
"99": {
"caption": "Other"
}
}
},
"activity_name": {
"group": "classification",
"requirement": "optional"
},
"category_name": {
"group": "classification",
"requirement": "optional"
},
"category_uid": {
"group": "classification",
"requirement": "required",
"enum": {
"0": {
"caption": "Uncategorized"
}
}
},
"class_name": {
"group": "classification",
"requirement": "optional"
},
"class_uid": {
"group": "classification",
"requirement": "required",
"enum": {
"0": {
"caption": "Base Event"
}
}
},
"count": {
"description": "The number of events aggregated into this single record. Only populate for aggregate events. When set, start_time and end_time should also be provided to define the aggregation window.",
"group": "occurrence",
"requirement": "optional"
},
"duration": {
"description": "The elapsed time of the aggregation window in milliseconds, from start_time to end_time. Only populate for aggregate events (count > 1). The value should equal end_time - start_time.",
"group": "occurrence",
"requirement": "optional"
},
"end_time": {
"description": "The time of the most recent event in an aggregate (count > 1). Do not populate for discrete, point-in-time events — use time alone. Subclasses such as findings may redefine this for their own time-range semantics.",
"group": "occurrence",
"requirement": "optional"
},
"enrichments": {
"group": "context",
"requirement": "optional"
},
"message": {
"description": "A human-readable description of the event, as defined by the source. This should be a concise, meaningful summary suitable for display in a UI or alert notification — not a raw log line. For example: \"User john_doe logged in from 10.0.0.1.\" rather than a raw syslog string.",
"group": "primary",
"requirement": "recommended"
},
"metadata": {
"group": "context",
"requirement": "required"
},
"observables": {
"group": "primary",
"requirement": "recommended"
},
"raw_data": {
"group": "context",
"requirement": "optional"
},
"raw_data_hash": {
"group": "context",
"requirement": "optional"
},
"raw_data_size": {
"group": "context",
"requirement": "optional"
},
"severity": {
"group": "classification",
"requirement": "optional"
},
"severity_id": {
"group": "classification",
"requirement": "required"
},
"start_time": {
"description": "The time of the earliest event in an aggregate (count > 1). Do not populate for discrete, point-in-time events — use time alone. Subclasses such as findings may redefine this for their own time-range semantics.",
"group": "occurrence",
"requirement": "optional"
},
"status": {
"description": "The event status label, normalized to the caption of the status_id value. When status_id is 99 (Other), this attribute must contain the source-specific status label. For all other values, this must match the caption defined for that status_id enum value (e.g., \"Success\" for status_id: 1).",
"group": "primary",
"requirement": "recommended"
},
"status_code": {
"description": "The source-specific status or error code as reported by the event source. For example, a Windows logon failure code (0x18), an HTTP response code (403), or an AWS API error code. This preserves the original code for detailed troubleshooting beyond what status_id conveys.",
"group": "primary",
"requirement": "recommended"
},
"status_detail": {
"description": "A human-readable description providing additional context about the event outcome. Use this to convey details that go beyond the normalized status_id and source-specific status_code, such as a failure reason or error message. For example: \"Account locked after 5 failed attempts.\".",
"group": "primary",
"requirement": "recommended"
},
"status_id": {
"description": "The normalized status of the event outcome. Use this family of attributes to convey the outcome of the activity described by the event. Producers should map their source outcome to 1 (Success) or 2 (Failure). Use 0 (Unknown) when the outcome cannot be determined, and 99 (Other) with a populated status string when the source value does not map cleanly.",
"group": "primary",
"requirement": "recommended",
"enum": {
"1": {
"caption": "Success",
"description": "The activity completed successfully."
},
"2": {
"caption": "Failure",
"description": "The activity failed."
}
}
},
"time": {
"description": "The primary timestamp of the event — when the activity actually occurred at the source. This does not capture when the event record was created or serialized by the source system; for event lifecycle timestamps such as ingestion and processing, use metadata.logged_time and metadata.processed_time respectively, or the equivalent attributes in the metadata.loggers array when recording pipeline stages. For aggregate events (count > 1), set this to start_time (the earliest OCSF time in the aggregate) to preserve causal ordering and consistent timeline alignment. Note: finding classes redefine time as the finding creation time rather than the activity occurrence time. This must be a UTC epoch value in milliseconds (e.g., 1776881335332). Mappers should use the most precise and authoritative timestamp available from the source.",
"group": "occurrence",
"requirement": "required"
},
"timezone_offset": {
"group": "occurrence",
"requirement": "recommended"
},
"type_name": {
"group": "classification",
"requirement": "optional"
},
"type_uid": {
"group": "classification",
"requirement": "required"
},
"unmapped": {
"group": "context",
"requirement": "optional"
}
},
"profiles": [
"cloud",
"datetime",
"host",
"osint",
"security_control"
]
}