ocsf / ocsf-schema

OCSF Schema
Apache License 2.0

Add evidences to Compliance Finding #1157

Closed lukas-krecan closed 1 month ago

lukas-krecan commented 1 month ago

When reporting a Compliance Finding, we want to specify which File, API or Device caused us to trigger the finding. For example, if we have a Terraform file which creates an AWS EC2 instance with public port 22, we want to point to the file where we found the issue.

Description of changes:
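As an added illustration (not code from the ocsf-schema project or from this PR) of the scenario above: a script that builds an OCSF-style Compliance Finding whose `evidences` array points at the Terraform file containing the open-port rule, and a small check that every evidence names a File, API or Device. The attribute names (`evidences`, `file`, `api`, `device`, `compliance`, `finding_info`) and the numeric enum values are assumptions based on OCSF conventions, not taken from this page.

```python
# Added example, not part of the ocsf-schema project or this PR.
# Builds an OCSF-style Compliance Finding with an `evidences` array that
# points at the Terraform file where a public port-22 rule was found, then
# validates that each evidence identifies a File, API or Device.
# Attribute names and enum values are assumptions based on OCSF conventions.
import json

EVIDENCE_KEYS = ("file", "api", "device")  # assumed evidence_info members


def make_compliance_finding(tf_path: str, line: int, port: int) -> dict:
    """Return a dict shaped like an OCSF Compliance Finding (class_uid 2003, assumed)."""
    return {
        "category_uid": 2,          # Findings
        "class_uid": 2003,          # Compliance Finding
        "activity_id": 1,           # Create
        "type_uid": 200301,         # class_uid * 100 + activity_id
        "severity_id": 4,           # High
        "time": 1700000000000,      # constructed sample timestamp (ms)
        "metadata": {"version": "1.3.0", "product": {"name": "example-iac-scanner"}},
        "finding_info": {
            "uid": "finding-0001",  # constructed sample id
            "title": f"Security group allows 0.0.0.0/0 on port {port}",
        },
        "compliance": {
            "status": "Fail",
            "status_id": 3,
            "requirements": ["Restrict SSH ingress to trusted networks"],
        },
        "resource": {"type": "aws_security_group", "name": "ssh_open"},
        "evidences": [
            {
                # The File evidence: where in the IaC the issue was found.
                "file": {"name": tf_path.rsplit("/", 1)[-1], "path": tf_path, "type_id": 1},
                "data": {"line": line, "rule": f"ingress {port}/tcp from 0.0.0.0/0"},
            }
        ],
    }


def evidence_errors(finding: dict) -> list:
    """Collect problems with the evidences array (empty list means valid)."""
    evidences = finding.get("evidences")
    if not isinstance(evidences, list) or not evidences:
        return ["evidences must be a non-empty array"]
    return [f"evidences[{i}] names no file, api or device"
            for i, ev in enumerate(evidences)
            if not any(k in ev for k in EVIDENCE_KEYS)]


if __name__ == "__main__":
    finding = make_compliance_finding("infra/ec2.tf", 42, 22)
    print(json.dumps(finding, indent=2))
    print("errors:", evidence_errors(finding))
```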

lukas-krecan commented 1 month ago

Sorry, added

mikeradka commented 1 month ago

For this one, we should probably change the dictionary definition of evidences from:

jonrau-at-queryai commented 1 month ago

I feel as if evidences should just be a Profile instead to give flexibility across the entirety of the schema, similar to how OSINT is now - since any type of event could be implicated in a greater detection or case management context.