ocsf / ocsf-schema

OCSF Schema
Apache License 2.0

Additional fields to Detection Finding #965

Open ggacusan-at-duo opened 9 months ago

ggacusan-at-duo commented 9 months ago

Tagged Events if Raised: There might be some cases where an IT configures their threat detection platform to highlight specific events that are of interest to them. For example, the IT configures their platform to highlight / tag if a Finding originates from a known anomalous network. If the Product surfaces an event from this known anomalous network, then we need some way to highlight or tag the event to the IT with associated reasons. This might make sense in the Metadata field.

New User: It might be of interest to note if a user has been newly added or has not authenticated in a while. Attackers can create new users or authenticate into a dormant user. This might make sense in the User field.

Additional Network Connection fields: To help an incident responder, it might be helpful to highlight benign characteristics of certain network details, such as if it is a frequent network / netblock for an organization or if the IP is allow-listed. This might make sense in the Network Connection Information field.

Example of this use case from Duo Trust Monitor https://duo.com/docs/adminapi#trust-monitor

guy9001 commented 7 months ago

@ggacusan-at-duo do you have examples of how you would like to embed this in the objects? This sounds to me like general enrichments and not necessarily a new attribute. Something we just wanted to suggest as well is to have Array[Enrichment] for OCSF objects as well, and not just for event classes like today. I think this could help your use case, so for User you could have an enrichment called "is_new" with a boolean value, etc. WDYT?
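As an added illustration (not OCSF project code and not from either commenter), the following Python models the three signals requested in the issue the way the second comment suggests: as `enrichment` records (name/value/type/provider/data) attached to the `user` and `src_endpoint` objects of a Detection Finding, plus an event-level `enrichments` entry for the "tagged" case. The per-object `enrichments` arrays are the proposal under discussion, not current schema; the `created_time` and `last_login_time` fields on `user`, the policy values, the provider name and the sample finding are all constructed assumptions.

```python
"""Added example: enrich a constructed OCSF Detection Finding with
event tags, new/dormant-user flags and allow-listed-network context."""
import ipaddress
from datetime import datetime, timedelta, timezone

PROVIDER = "example-detection-platform"  # constructed provider name

# Constructed policy standing in for what an IT admin configures in the platform.
POLICY = {
    "anomalous_networks": ["203.0.113.0/24"],
    "allow_listed_networks": ["198.51.100.0/24", "10.0.0.0/8"],
    "new_user_days": 7,
    "dormant_user_days": 90,
}


def enrichment(name, value, data=None):
    """Build an OCSF-style enrichment record: name, value, type, provider, data."""
    rec = {
        "name": name,
        "value": str(value).lower() if isinstance(value, bool) else str(value),
        "type": "boolean" if isinstance(value, bool) else "string",
        "provider": PROVIDER,
    }
    if data is not None:
        rec["data"] = data
    return rec


def matching_network(ip, cidrs):
    """Return the first CIDR in cidrs that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def _ms_to_dt(ms):
    # OCSF timestamps are epoch milliseconds.
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def enrich_finding(finding, policy, now):
    """Attach enrichments to the finding in place and return it."""
    user = finding.setdefault("user", {})
    src = finding.setdefault("src_endpoint", {})
    event_enr = finding.setdefault("enrichments", [])
    ip = src.get("ip")

    # 1. Tagged events: flag a finding that originates from an anomalous network,
    #    and record the reason so the responder sees why it was tagged.
    hit = matching_network(ip, policy["anomalous_networks"]) if ip else None
    if hit:
        event_enr.append(enrichment(
            "tagged", True, {"reason": "known_anomalous_network", "network": hit}))

    # 2. New or dormant user (created_time / last_login_time are assumed fields).
    user_enr = user.setdefault("enrichments", [])
    if "created_time" in user:
        age = now - _ms_to_dt(user["created_time"])
        user_enr.append(enrichment("is_new", age <= timedelta(days=policy["new_user_days"])))
    if "last_login_time" in user:
        idle = now - _ms_to_dt(user["last_login_time"])
        user_enr.append(enrichment(
            "is_dormant", idle >= timedelta(days=policy["dormant_user_days"])))

    # 3. Benign network context: is the source IP in an allow-listed netblock?
    src_enr = src.setdefault("enrichments", [])
    if ip:
        allowed = matching_network(ip, policy["allow_listed_networks"])
        src_enr.append(enrichment(
            "is_allow_listed", allowed is not None, {"network": allowed} if allowed else None))
    return finding


def enrichment_flags(obj):
    """Map enrichment name -> value so a responder or a rule can read them quickly."""
    return {e["name"]: e["value"] for e in obj.get("enrichments", [])}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time


def sample_finding():
    """Constructed Detection Finding: old, long-idle user from the anomalous network."""
    return {
        "class_uid": 2004,  # Detection Finding
        "user": {
            "name": "jdoe",
            "created_time": int((NOW - timedelta(days=400)).timestamp() * 1000),
            "last_login_time": int((NOW - timedelta(days=120)).timestamp() * 1000),
        },
        "src_endpoint": {"ip": "203.0.113.45"},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(enrich_finding(sample_finding(), POLICY, NOW), indent=2))
```

Keeping the reason in the enrichment's `data` field is what makes the tag useful to the responder: the boolean alone says the platform cared, the `data` says why.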