Expand evidences #1337

Open
wants to merge 10 commits into base: main

Conversation

jonrau-at-queryai

Related Issue:

Description of changes:

  • Adds resource_details to evidences. This allows producers/mappers to account for cloud-based resources and other generic resources that do not fit well within device or network_endpoint. For instance, the amazonResourceEvidence evidence type in the Microsoft Graph Security List Alerts V2 API.
  • Adds name to evidences. In various upstream platforms such as Microsoft Graph and CrowdStrike, there are either naming conventions for the type of evidence (e.g., amazonResourceEvidence) or an actual display name or direct name such as the display_name value within Behaviors associated with Incidents in CrowdStrike Falcon. Microsoft Defender also has an array of evidence associated with their alerts that each contain the entityType key which identifies the name of the evidence.
  • Adds uid to evidences much for the same reason as name. Platforms often have a GUID of some sort identifying the specific evidence associated with an alert such as activity_id associated with CrowdStrike Falcon Alerts which is the smallest "unit" of alerting/detection data. Likewise, the Behaviors associated with CrowdStrike Falcon Incidents each have their own behavior_id which ties them to the Incident ID itself.
  • Adds verdict and verdict_id to evidences to normalize similar values in other systems. In every single Evidence type within Microsoft Graph Security Alerts, there is a verdict enumeration. Likewise, Microsoft Defender for Graph Alerts have evidence arrays with each one containing a DetectionStatus to denote if something was a FP, TP, or otherwise.
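The mapping the description sketches (Graph evidence type to name, resource id to uid, Graph verdict to verdict/verdict_id, cloud resource to resource_details), as an added example that is not part of the PR or the OCSF project code; the Graph field names, the verdict_id integers and the resource_details sub-fields are assumptions to check against the merged schema.

```python
# Added example, not code from the PR or the OCSF project: normalize one
# Microsoft Graph Security alertEvidence item onto the evidences attributes
# this PR proposes (name, uid, verdict, verdict_id, resource_details).
# Assumptions: Graph 'verdict' values (malicious, suspicious, noThreatsFound,
# unknown) and amazonResourceEvidence field names follow the Graph docs; the
# OCSF verdict_id integers mirror the existing disposition-style enum and
# must be checked against the merged schema before use.

VERDICT_MAP = {
    # Graph verdict -> (OCSF verdict caption, assumed verdict_id)
    "malicious": ("True Positive", 2),
    "suspicious": ("Suspicious", 4),
    "noThreatsFound": ("Benign", 5),
    "unknown": ("Unknown", 0),
}

SAMPLE_EVIDENCE = {  # constructed sample, not a real alert
    "@odata.type": "#microsoft.graph.security.amazonResourceEvidence",
    "verdict": "malicious",
    "amazonResourceId": "arn:aws:ec2:us-east-1:123456789012:instance/i-0example",
    "amazonResourceName": "web-01",
    "amazonResourceType": "ec2Instance",
}


def map_graph_evidence(item: dict) -> dict:
    """Return an OCSF evidences entry for one Graph alertEvidence dict."""
    # The @odata.type suffix is the evidence type name the PR wants in `name`.
    evidence_type = item.get("@odata.type", "").rsplit(".", 1)[-1]
    verdict, verdict_id = VERDICT_MAP.get(item.get("verdict"), ("Other", 99))
    entry = {
        "name": evidence_type or "unknownEvidence",
        "verdict": verdict,
        "verdict_id": verdict_id,
    }
    if evidence_type == "amazonResourceEvidence":
        # A cloud resource fits neither device nor network_endpoint, so it is
        # carried in the new resource_details object; the ARN doubles as the
        # evidence uid (assumed sub-fields: uid, name, type).
        entry["uid"] = item.get("amazonResourceId")
        entry["resource_details"] = {
            "uid": item.get("amazonResourceId"),
            "name": item.get("amazonResourceName"),
            "type": item.get("amazonResourceType"),
        }
    return entry
```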

@jonrau-at-queryai jonrau-at-queryai changed the title Expand evidences Expand evidences Feb 5, 2025
@@ -72,6 +76,10 @@
"description": "Describes details about the DNS query associated to the activity that triggered the detection.",
"requirement": "recommended"
},
"resources": {
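Review bot: The key opened at the end of this hunk is `resources`, but the PR description introduces the attribute as `resource_details`; one of the two should change so the attribute name and the description agree. Because this class already has a top-level `resources` array, keeping the nested key as `resources` also invites the ambiguity floydtree raises; a distinct key, or at least an overriding caption such as "Cloud Resources" with a description stating that it holds resources that do not fit device or network_endpoint, would resolve it.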
@floydtree floydtree Feb 6, 2025

We should distinguish between this and the top level resources array that we have in this class

I'm assuming you mean to make it more specific to its description as a Cloud Resource.

If so, I suggest we override the caption within the object, so that resources doesn't say Resource Details Array which threw me at first: I thought it was details about some specific resource that was already present, which would have been ambiguous within the list of other resources.

If we override the caption to reflect what the intent is, Cloud Resources, or even Other Cloud Resources, we aren't detailing something specific but rather using the object for "other" resources in the cloud that we don't/can't have specific objects for.

@jonrau-at-queryai jonrau-at-queryai added enhancement New feature or request findings Issues related to Findings Category non_breaking Non Breaking, backwards compatible changes v1.5.0 Items to be considered for OCSF v1.5.0 labels Feb 20, 2025
@pagbabian-splunk

Very minor - since you are adding name and uid (even though they are specific to the object), should we consider that evidences extends _entity rather than object? Practically it won't matter, but your description above on how it is mapped to Sentinel or any log that identifies a specific piece of evidence with a name and ID, would make it an entity by our taxonomy, although that may not be your intent.
