{
"caption": "Metadata",
"description": "The Metadata object describes the metadata associated with the event.",
"extends": "object",
"name": "metadata",
"attributes": {
"$include": [
"profiles/data_classification.json"
],
"correlation_uid": {
"description": "A unique identifier used to correlate this OCSF event with other related OCSF events, distinct from the event's uid value. This enables linking multiple OCSF events that are part of the same activity, transaction, or security incident across different systems or time periods.",
"requirement": "optional"
},
"debug": {
"requirement": "optional"
},
"event_code": {
"description": "The identifier of the original event. For example the numerical Windows Event Code or Cisco syslog code.",
"requirement": "optional"
},
"extension": {
"requirement": "optional"
},
"extensions": {
"requirement": "optional"
},
"is_truncated": {
"description": "Indicates whether the OCSF event data has been truncated due to size limitations. When true, some event data may have been omitted to fit within system constraints.",
"requirement": "optional"
},
"labels": {
"description": "The list of labels attached to the event. For example: [\"sample\", \"dev\"]",
"requirement": "optional"
},
"log_format": {
"caption": "Log Source Format",
"description": "The format of data in the log where the data originated. For example CSV, XML, Windows Multiline, JSON, syslog or Cisco Log Schema.",
"requirement": "optional"
},
"log_level": {
"description": "The level at which an event was logged. This can be log provider specific. For example the audit level.",
"requirement": "optional"
},
"log_name": {
"description": "The event log name, typically for the consumer of the event. For example, the storage bucket name, SIEM repository index name, etc.",
"requirement": "recommended"
},
"log_provider": {
"description": "The logging provider or logging service that logged the event. For example AWS CloudWatch or Splunk.",
"requirement": "optional"
},
"log_source": {
"description": "The log system or component where the data originated. For example, a file path, syslog server name or a Windows hostname and logging subsystem such as Security.",
"requirement": "optional"
},
"log_version": {
"caption": "Log Version",
"description": "The event log schema version of the original event. For example the syslog version or the Cisco Log Schema version",
"requirement": "optional"
},
"logged_time": {
"description": "The ultimate logged time in the event pipeline — when the event reached its final destination (e.g., SIEM, data lake). If loggers is populated, this should match the logged_time of the last entry in the loggers array. This is distinct from time (when the activity occurred) and processed_time (when an intermediate system processed the event).",
"requirement": "optional"
},
"loggers": {
"description": "An ordered array of Logger objects describing each hop in the event pipeline between the source and its final destination. Each entry captures the logging product, device, and timestamps (logged_time, transmit_time) at that stage. The last entry's logged_time should match metadata.logged_time.",
"requirement": "optional"
},
"modified_time": {
"description": "The time when the event was last modified or enriched.",
"requirement": "optional"
},
"original_event_uid": {
"description": "The unique identifier assigned to the event in its original logging system before transformation to OCSF format. This field preserves the source system's native event identifier, enabling traceability back to the raw log entry. For example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value, or a database transaction log sequence number.",
"requirement": "optional"
},
"original_time": {
"requirement": "recommended"
},
"processed_time": {
"description": "The time when the event was processed by an intermediate system (e.g., ETL pipeline, event processor) before reaching its final destination. Can be used with logged_time to calculate queuing duration via total_queued_duration.",
"requirement": "optional"
},
"product": {
"requirement": "required"
},
"profiles": {
"requirement": "optional"
},
"reporter": {
"description": "The entity from which the event or finding was first reported.",
"requirement": "recommended"
},
"sequence": {
"requirement": "optional"
},
"source": {
"description": "The source of the event or finding. This can be any distinguishing name for the logical origin of the data — for example, 'CloudTrail Events', or a use case like 'Attack Simulations' or 'Vulnerability Scans'.",
"requirement": "optional"
},
"tags": {
"description": "The list of tags; {key:value} pairs associated to the event.",
"requirement": "optional"
},
"tenant_uid": {
"requirement": "recommended"
},
"total_queued_duration": {
"description": "The amount of time an event spent in a queue awaiting processing. In this case, the value is the difference between processed_time and logged_time. This duration is inclusive of all queues between the originator of the event and the intended long-term storage destination of the event.",
"requirement": "optional"
},
"transformation_info_list": {
"requirement": "optional"
},
"transmit_time": {
"description": "The time when the event was transmitted from the logging device to it's next destination.",
"requirement": "optional"
},
"type": {
"description": "The type of the event or finding as a subset of the source of the event. This can be any distinguishing characteristic of the data. For example 'Management Events' or 'Device Penetration Test'.",
"requirement": "optional"
},
"uid": {
"caption": "Event UID",
"description": "A unique identifier assigned to the OCSF event. This ID is specific to the OCSF event itself and is distinct from the original event identifier in the source system (see original_event_uid).",
"requirement": "optional"
},
"untruncated_size": {
"description": "The original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when is_truncated is true to indicate the full size of the original event.",
"requirement": "optional"
},
"version": {
"description": "The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.",
"requirement": "required"
}
},
"profiles": [
"data_classification"
],
"references": [
{
"description": "D3FEND™ Ontology d3f:Metadata",
"url": "https://d3fend.mitre.org/dao/artifact/d3f:Metadata/"
}
]
}