VERIS schema documentation

This documentation is intended to supplement the VERIS schema by providing additional guidance to users and developers. For each variable included in the schema, a repeating set of information is given here including suggested text questions, user and developer notes, why we think it's important, etc.

We organize this documentation in five major sections, each designed to capture a different aspect of the incident narrative. When viewed in aggregate, they give the business a tangible idea of cause and severity. The five sections are:

Each section contains items that align with those described in the schema. Those included do not represent everything one might collect regarding a security incident. Instead, VERIS attempts to strike a balance between usefulness and completeness. If something is interesting from a research standpoint but does not directly provide security management with actionable information, it is likely not included. In certain sections, we identify additional metrics that, while not formally included, might be of interest should users desire to collect them. Done properly, VERIS can create not only a view of what happened in a specific incident, but allow the incident to be viewed in context with a broader body of knowledge.

Explanation of format

Within the schema documentation on this site, the following information is given for each VERIS element:

Question text: Suggested wording for questions within a VERIS-based application.

User notes: Offers helpful information or tips for users of a VERIS-based application.

Question type: Identifies the type of question/answer (e.g., text field vs enumerated list).

Variable name: Identifies the name of the schema variable(s).

Enumerations: Identifies the name of the enumerated list associated with this variable. Enumerations can be found in the verisc.lib.xml or veris-enum.json documents.

Purpose: Explains why we think the element is worth having in VERIS.

Developer notes: Offers helpful information or tips to developers of VERIS-based applications.

Miscellaneous: Like it sounds; a catch-all for anything else.