| Field Name | Type | Description |
|---|---|---|
| First_Malicious_Action0..1 | DateTimeWithPrecisionType |
The First_Malicious_Action field specifies the time that the first malicious action related to this Incident occured. In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |
| Initial_Compromise0..1 | DateTimeWithPrecisionType |
The Initial_Compromise field specifies the time that the initial compromise occured for this Incident. In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |
| First_Data_Exfiltration0..1 | DateTimeWithPrecisionType |
The First_Data_Exfiltration field specifies the first time at which non-public data was taken from the victim environment In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |
| Incident_Discovery0..1 | DateTimeWithPrecisionType |
The Incident_Discovery field specifies the first time at which the organization learned the incident had occurred. In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |
| Incident_Opened0..1 | DateTimeWithPrecisionType |
The Incident_Opened field specifies the time at which the Incident was officially opened. In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |
| Containment_Achieved0..1 | DateTimeWithPrecisionType |
The Containment_Achieved field specifies the first time at which the incident is contained (e.g., the “bleeding is stopped”). In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |
| Restoration_Achieved0..1 | DateTimeWithPrecisionType |
The Restoration_Achieved field specifies the first time at which the incident's assets are restored (e.g., fully functional)”. In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |
| Incident_Reported0..1 | DateTimeWithPrecisionType |
The Incident_Reported field specifies the time at which the Incident was reported. In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |
| Incident_Closed0..1 | DateTimeWithPrecisionType |
The Incident_Closed field specifies the time at which the Incident was officially closed. In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known. |