Struct DetectionFinding 

pub struct DetectionFinding {

    pub class_uid: u16,
    pub category_uid: u8,
    pub type_uid: u32,
    pub activity_id: u8,
    pub activity_name: Option<String>,
    pub time: i64,
    pub severity_id: u8,
    pub severity: Option<String>,
    pub status_id: u8,
    pub status: Option<String>,
    pub action_id: u8,
    pub disposition_id: u8,
    pub disposition: Option<String>,
    pub message: Option<String>,
    pub metadata: Metadata,
    pub finding_info: FindingInfo,
    pub actor: Option<Actor>,
    pub resources: Option<Vec<ResourceDetail>>,
    pub observables: Option<Vec<Observable>>,
    pub evidence: Option<Evidence>,
    pub attacks: Option<Vec<Attack>>,
    pub unmapped: Option<Value>,
}

OCSF Detection Finding event (class_uid = 2004).

Fields

class_uid: u16

Always 2004.

category_uid: u8

Always 2 (Findings).

type_uid: u32

class_uid * 100 + activity_id.

activity_id: u8

Activity ID (1=Create, 2=Update, 3=Close).

activity_name: Option<String>

Human-readable activity name.

time: i64

Event time as epoch milliseconds.

severity_id: u8

Severity ID (0-6, 99).

severity: Option<String>

Human-readable severity label.

status_id: u8

Status ID (0=Unknown, 1=Success, 2=Failure).

status: Option<String>

Human-readable status label.

action_id: u8

Action ID (1=Allowed, 2=Denied).

disposition_id: u8

Disposition ID (1=Allowed, 2=Blocked, 17=Logged).

disposition: Option<String>

Human-readable disposition label.

message: Option<String>

Human-readable event message.

metadata: Metadata

Metadata (required).

finding_info: FindingInfo

Finding information (required for Detection Finding).

actor: Option<Actor>

Actor who triggered the finding.

resources: Option<Vec<ResourceDetail>>

Affected resources.

observables: Option<Vec<Observable>>

Observables associated with the finding.

evidence: Option<Evidence>

Evidence supporting the finding.

attacks: Option<Vec<Attack>>

MITRE ATT&CK mapping.

unmapped: Option<Value>

Vendor-specific unmapped data.

Implementations

impl DetectionFinding

pub fn new( activity: DetectionFindingActivity, time: i64, severity_id: u8, status_id: u8, action_id: u8, disposition_id: u8, metadata: Metadata, finding_info: FindingInfo, ) -> Self

Create a new Detection Finding with required fields.

pub fn with_severity_label(self, label: &str) -> Self

Set the human-readable severity label.

pub fn with_message(self, msg: impl Into<String>) -> Self

Set the event message.

pub fn with_actor(self, actor: Actor) -> Self

Set the actor.

pub fn with_resources(self, resources: Vec<ResourceDetail>) -> Self

Set resources.

pub fn with_observables(self, observables: Vec<Observable>) -> Self

Set observables.

pub fn with_evidence(self, evidence: Evidence) -> Self

Set evidence.

pub fn with_attacks(self, attacks: Vec<Attack>) -> Self

Set MITRE ATT&CK mappings.

pub fn with_unmapped(self, unmapped: Value) -> Self

Set unmapped vendor data.

Trait Implementations

impl Clone for DetectionFinding

fn clone(&self) -> DetectionFinding

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DetectionFinding

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for DetectionFinding

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for DetectionFinding

fn eq(&self, other: &DetectionFinding) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for DetectionFinding

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for DetectionFinding