
Adding additional objects to Evidence Artifacts in Detection Findings

Status: Open. a-fishman opened this issue 10 months ago • 0 comments

Detection Finding's Evidence Artifacts represent a collection of Evidences associated with the activity, which is why they should contain all possible objects that can be part of detections or activity. Currently this list contains only these objects:

  1. api
  2. actor
  3. connection_info
  4. query
  5. dst_endpoint
  6. file
  7. process
  8. src_endpoint

We have additional objects that can be added to this list:

  1. account
  2. device
  3. email
  4. url
  5. user

I'd also suggest moving Cloud and Resources to be part of Evidence Artifacts as well, to keep the logic straightforward.

a-fishman, Mar 31 '24 15:03