#[non_exhaustive]
pub struct Metadata {
pub correlation_uid: Option<String>,
pub data_classification: Option<Box<DataClassification>>,
pub data_classifications: Option<Vec<DataClassification>>,
pub debug: Option<Vec<String>>,
pub event_code: Option<String>,
pub extension: Option<Box<Extension>>,
pub extensions: Option<Vec<Extension>>,
pub is_truncated: Option<bool>,
pub labels: Option<Vec<String>>,
pub log_format: Option<String>,
pub log_level: Option<String>,
pub log_name: Option<String>,
pub log_provider: Option<String>,
pub log_source: Option<String>,
pub log_version: Option<String>,
pub logged_time: Option<i64>,
pub logged_time_dt: Option<String>,
pub loggers: Option<Vec<Logger>>,
pub modified_time: Option<i64>,
pub modified_time_dt: Option<String>,
pub original_event_uid: Option<String>,
pub original_time: Option<String>,
pub processed_time: Option<i64>,
pub processed_time_dt: Option<String>,
pub product: Option<Box<Product>>,
pub profiles: Option<Vec<String>>,
pub reporter: Option<Box<Reporter>>,
pub sequence: Option<i64>,
pub source: Option<String>,
pub tags: Option<Vec<KeyValueObject>>,
pub tenant_uid: Option<String>,
pub transformation_info_list: Option<Vec<TransformationInfo>>,
pub transmit_time: Option<i64>,
pub transmit_time_dt: Option<String>,
pub type: Option<String>,
pub uid: Option<String>,
pub untruncated_size: Option<i64>,
pub version: Option<String>,
}
Metadata
The Metadata object describes the metadata associated with the event.
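Name: metadata
Fields (Non-exhaustive)
This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
correlation_uid: Option<String>
Correlation UID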
A unique identifier used to correlate this OCSF event with other related OCSF events, distinct from the event’s uid value. This enables linking multiple OCSF events that are part of the same activity, transaction, or security incident across different systems or time periods.
optional
data_classification: Option<Box<DataClassification>>
Data Classification
The Data Classification object includes information about data classification levels and data category types.
recommended
data_classifications: Option<Vec<DataClassification>>
Data Classification
A list of Data Classification objects that include information about data classification levels and data category types, identified by a classifier.
recommended
debug: Option<Vec<String>>
Debug Information
Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.
optional
event_code: Option<String>
Event Code
The identifier of the original event. For example, the numerical Windows Event Code or Cisco syslog code.
optional
extension: Option<Box<Extension>>
Schema Extension
The schema extension used to create the event.
optional
extensions: Option<Vec<Extension>>
Schema Extensions
The schema extensions used to create the event.
optional
is_truncated: Option<bool>
Is Truncated
Indicates whether the OCSF event data has been truncated due to size limitations. When true, some event data may have been omitted to fit within system constraints.
optional
labels: Option<Vec<String>>
Labels
The list of labels attached to the event. For example: ["sample", "dev"]
optional
log_format: Option<String>
Log Source Format
The format of data in the log where the data originated. For example CSV, XML, Windows Multiline, JSON, syslog or Cisco Log Schema.
optional
log_level: Option<String>
Log Level
The level at which an event was logged. This can be log provider specific. For example the audit level.
optional
log_name: Option<String>
Log Name
The event log name, typically for the consumer of the event. For example, the storage bucket name, SIEM repository index name, etc.
recommended
log_provider: Option<String>
Log Provider
The logging provider or logging service that logged the event. For example AWS CloudWatch or Splunk.
optional
log_source: Option<String>
Log Source
The log system or component where the data originated. For example, a file path, syslog server name or a Windows hostname and logging subsystem such as Security.
optional
log_version: Option<String>
Log Version
The event log schema version of the original event. For example, the syslog version or the Cisco Log Schema version.
optional
logged_time: Option<i64>
Logged Time
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
optional
logged_time_dt: Option<String>
Logged Time
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
optional
loggers: Option<Vec<Logger>>
Loggers
An array of Logger objects that describe the pipeline of devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow and/or to track the chain of custody of the data.
optional
modified_time: Option<i64>
Modified Time
The time when the event was last modified or enriched.
optional
modified_time_dt: Option<String>
Modified Time
The time when the event was last modified or enriched.
optional
original_event_uid: Option<String>
Original Event ID
The unique identifier assigned to the event in its original logging system before transformation to OCSF format. This field preserves the source system’s native event identifier, enabling traceability back to the raw log entry. For example, a Windows Event Record ID, a syslog message ID, a Splunk _cd value, or a database transaction log sequence number.
optional
original_time: Option<String>
Original Time
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
recommended
processed_time: Option<i64>
Processed Time
The event processed time, such as an ETL operation.
optional
processed_time_dt: Option<String>
Processed Time
The event processed time, such as an ETL operation.
optional
product: Option<Box<Product>>
Product
The product that reported the event.
required
profiles: Option<Vec<String>>
Profiles
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
optional
reporter: Option<Box<Reporter>>
Reporter
The entity from which the event or finding was first reported.
recommended
sequence: Option<i64>
Sequence Number
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
optional
source: Option<String>
Source
The source of the event or finding. This can be any distinguishing name for the logical origin of the data — for example, ‘CloudTrail Events’, or a use case like ‘Attack Simulations’ or ‘Vulnerability Scans’.
optional
tags: Option<Vec<KeyValueObject>>
Tags
The list of tags; {key:value} pairs associated to the event.
optional
tenant_uid: Option<String>
Tenant UID
The unique tenant identifier.
recommended
transformation_info_list: Option<Vec<TransformationInfo>>
Transformation Info
An array of transformation info that describes the mappings or transforms applied to the data.
optional
transmit_time: Option<i64>
Transmission Time
The time when the event was transmitted from the logging device to its next destination.
optional
transmit_time_dt: Option<String>
Transmission Time
The time when the event was transmitted from the logging device to its next destination.
optional
type: Option<String>
Type
The type of the event or finding as a subset of the source of the event. This can be any distinguishing characteristic of the data. For example ‘Management Events’ or ‘Device Penetration Test’.
optional
uid: Option<String>
Event UID
A unique identifier assigned to the OCSF event. This ID is specific to the OCSF event itself and is distinct from the original event identifier in the source system (see original_event_uid).
optional
untruncated_size: Option<i64>
Untruncated Size
The original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when is_truncated is true to indicate the full size of the original event.
optional
version: Option<String>
Version
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
required
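
An ingestion-side integrity check built on the `log_source`, `sequence`, `is_truncated` and `untruncated_size` fields documented above, as an added example that is not part of this crate. `Meta`, `Finding`, `audit` and `sample` are hypothetical names, and contiguous per-source sequence numbering is an assumption.

```rust
use std::collections::HashMap;

// Local stand-in mirroring four documented `Metadata` fields; not the crate's own type.
pub struct Meta {
    pub log_source: Option<String>,
    pub sequence: Option<i64>,
    pub is_truncated: Option<bool>,
    pub untruncated_size: Option<i64>, // kilobytes, per the field description
}

#[derive(Debug, PartialEq)]
pub enum Finding {
    Truncated { index: usize, original_kb: Option<i64> },
    OutOfOrder { index: usize, prev: i64, got: i64 },
    Gap { index: usize, missing: i64 },
}

/// Report truncation and sequence anomalies, in arrival order.
/// Assumption: each `log_source` numbers its events contiguously (step of 1).
pub fn audit(events: &[Meta]) -> Vec<Finding> {
    let mut last: HashMap<&str, i64> = HashMap::new();
    let mut out = Vec::new();
    for (index, m) in events.iter().enumerate() {
        if m.is_truncated == Some(true) {
            out.push(Finding::Truncated { index, original_kb: m.untruncated_size });
        }
        // Events lacking a source or sequence number cannot be ordered.
        if let (Some(src), Some(got)) = (m.log_source.as_deref(), m.sequence) {
            match last.get(src).copied() {
                Some(prev) if got <= prev => out.push(Finding::OutOfOrder { index, prev, got }),
                Some(prev) if got > prev + 1 => out.push(Finding::Gap { index, missing: got - prev - 1 }),
                _ => {}
            }
            // Keep the highest value seen so a replayed event does not reset it.
            last.entry(src).and_modify(|e| *e = (*e).max(got)).or_insert(got);
        }
    }
    out
}

/// Constructed sample: sequence 3 never arrives, 5 is truncated, 2 is replayed.
pub fn sample() -> Vec<Meta> {
    let ev = |seq, trunc, kb| Meta {
        log_source: Some("Security".to_string()), sequence: Some(seq),
        is_truncated: Some(trunc), untruncated_size: kb };
    vec![ev(1, false, None), ev(2, false, None), ev(4, false, None),
         ev(5, true, Some(512)), ev(2, false, None)]
}

fn main() { for f in audit(&sample()) { println!("{:?}", f); } }
```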