
Additional fields to Detection Finding

Open ggacusan-at-duo opened this issue 1 year ago • 1 comment

Tagged Events if Raised

There might be some cases where an IT team configures their threat detection platform to highlight specific events that are of interest to them. For example, the IT team configures their platform to highlight / tag if a Finding originates from a known anomalous network. If the Product surfaces an event from this known anomalous network, then we need some way to highlight or tag the event to the IT team with associated reasons. This might make sense in the Metadata field.

New User

It might be of interest to note if a user has been newly added or has not authenticated in a while. Attackers can create new users or authenticate into a dormant user. This might make sense in the User field.

Additional Network Connection fields

To help an incident responder, it might be helpful to highlight benign characteristics of certain network details, such as if it is a frequent network / netblock for an organization or if the IP is allow-listed. This might make sense in the Network Connection Information field.
Example of this use case from Duo Trust Monitor https://duo.com/docs/adminapi#trust-monitor

ggacusan-at-duo, Feb 14 '24 19:02
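To make the three asks concrete from the consumer side, here is an added example (written for this page, not code from the OCSF project or from the issue author) of an enrichment pass that a detection platform could run over a Detection Finding before handing it to an incident responder. It tags the finding when the source IP falls in an operator-defined anomalous, allow-listed or frequently seen network, and when the user is newly created or dormant. The top-level layout (`metadata.labels`, `src_endpoint.ip`, `user`, an `enrichments` list) follows OCSF as I understand it and should be treated as an assumption; `user.created_time` and `user.last_login_time` are hypothetical fields in the spirit of the "New User" proposal, and every sample value and policy entry is constructed.

```python
"""Enrichment pass over an OCSF-style Detection Finding (added example)."""
import ipaddress
from copy import deepcopy
from datetime import datetime, timedelta, timezone

DAY_MS = 86_400_000  # one day in milliseconds; OCSF timestamp_t is epoch milliseconds


def to_ms(dt):
    """Convert an aware datetime to epoch milliseconds."""
    return int(dt.timestamp() * 1000)


# Fixed "now" so the sample is reproducible (constructed value).
NOW = datetime(2024, 2, 14, 19, 0, tzinfo=timezone.utc)

# Constructed sample finding. metadata.labels / src_endpoint.ip / user follow OCSF as
# assumed here; created_time and last_login_time on the user are hypothetical fields.
SAMPLE_FINDING = {
    "metadata": {"product": {"name": "Example Detector"}, "labels": []},
    "src_endpoint": {"ip": "203.0.113.45"},
    "user": {
        "name": "jdoe",
        "created_time": to_ms(NOW - timedelta(days=2)),
        "last_login_time": to_ms(NOW - timedelta(days=2)),
    },
}

# Constructed organisation policy: which networks are anomalous, allow-listed or
# simply frequent, plus the thresholds that define "new" and "dormant" users.
POLICY = {
    "anomalous_networks": {"203.0.113.0/24": "source of earlier credential-stuffing attempts"},
    "allow_listed_networks": ["198.51.100.0/24"],
    "frequent_networks": ["192.0.2.0/24", "198.51.100.0/24"],
    "new_user_days": 7,
    "dormant_days": 90,
}


def matching_networks(ip, cidrs):
    """Return the CIDRs from `cidrs` (list or dict keys) that contain `ip`."""
    addr = ipaddress.ip_address(ip)
    return [c for c in cidrs if addr in ipaddress.ip_network(c)]


def enrich_finding(finding, policy, now):
    """Return a copy of `finding` with tags appended to metadata.labels and the
    reason for each tag recorded in an `enrichments` list (placement assumed)."""
    out = deepcopy(finding)
    labels = out.setdefault("metadata", {}).setdefault("labels", [])
    enrichments = out.setdefault("enrichments", [])

    def tag(label, reason):
        if label not in labels:
            labels.append(label)
        enrichments.append({"name": label, "value": reason, "provider": "example-enricher"})

    # Network context: anomalous first, then the benign characteristics the issue lists.
    ip = out.get("src_endpoint", {}).get("ip")
    if ip:
        for cidr in matching_networks(ip, policy["anomalous_networks"]):
            tag("anomalous_network", f"{ip} in {cidr}: {policy['anomalous_networks'][cidr]}")
        for cidr in matching_networks(ip, policy["allow_listed_networks"]):
            tag("allow_listed_ip", f"{ip} in allow-listed {cidr}")
        for cidr in matching_networks(ip, policy["frequent_networks"]):
            tag("frequent_network", f"{ip} in frequently seen {cidr}")

    # User context: newly created or dormant accounts, measured against `now`.
    user = out.get("user", {})
    now_ms = to_ms(now)
    created = user.get("created_time")
    if created is not None and now_ms - created <= policy["new_user_days"] * DAY_MS:
        tag("new_user", f"account created {(now_ms - created) // DAY_MS} day(s) ago")
    last_login = user.get("last_login_time")
    if last_login is not None and now_ms - last_login >= policy["dormant_days"] * DAY_MS:
        tag("dormant_user", f"last login {(now_ms - last_login) // DAY_MS} day(s) ago")
    return out


if __name__ == "__main__":
    enriched = enrich_finding(SAMPLE_FINDING, POLICY, NOW)
    print(enriched["metadata"]["labels"])
    for e in enriched["enrichments"]:
        print(f"- {e['name']}: {e['value']}")
```

Keeping the tag and its reason together is the point of the first ask: a responder who sees `anomalous_network` on a finding can read why the operator flagged that netblock without opening a separate console, and the benign tags (`allow_listed_ip`, `frequent_network`) let them deprioritise quickly.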