I tend to agree @ventos - it's more a mitigation than a detection item. However, we could argue that it can also be used for detection - as many organizations usually leave it in "alert only" mode.
wdyt?
I noticed that for the detection D1171 the type is set to `Mitigation` instead of `Detection`.
https://github.com/pbom-dev/OSCAR/blob/6a8fb5369a33af736da2225c5fffb113dde6e48e/content/oscar/detections/D1171%20-%20Implement%20Web%20Application%20Firewall.yaml#L2
I guess this could be explained by a copy&paste error from the corresponding M1883.
https://github.com/pbom-dev/OSCAR/blob/6a8fb5369a33af736da2225c5fffb113dde6e48e/content/oscar/mitigations/M1883%20-%20Implement%20Web%20Application%20Firewall.yaml#L1-L8
Since I'm currently reading up on this subject, I'm not sure if there's some system behind that which I didn't grasp yet. But it looked like an error to me.