| Field Name | Type | Description |
|---|---|---|
| First_Malicious_Action0..1 | dateTime |
The First_Malicious_Action field specifies the time that the first malicious action related to this Incident occured. |
| Initial_Compromise0..1 | dateTime |
The Initial_Compromise field specifies the time that the initial compromise occured for this Incident. |
| First_Data_Exfiltration0..1 | dateTime |
The First_Data_Exfiltration field specifies the first time at which non-public data was taken from the victim environment |
| Incident_Discovery0..1 | dateTime |
The Incident_Discovery field specifies the first time at which the organization learned the incident had occurred. |
| Incident_Opened0..1 | dateTime |
The Incident_Opened field specifies the time at which the Incident was officially opened. |
| Containment_Achieved0..1 | dateTime |
The Containment_Achieved field specifies the first time at which the incident is contained (e.g., the “bleeding is stopped”). |
| Restoration_Achieved0..1 | dateTime |
The Restoration_Achieved field specifies the first time at which the incident's assets are restored (e.g., fully functional)”. |
| Incident_Reported0..1 | dateTime |
The Incident_Reported field specifies the time at which the Incident was reported. |
| Incident_Closed0..1 | dateTime |
The Incident_Closed field specifies the time at which the Incident was officially closed. |