Create an Incident profile (#1293)

#### Related Issue: PR 1292 and Slack discussion #### Description of changes: Adds `Incident Finding` specific attributes to a profile that can be added to other non-aggregate Findings. Added the profile to all Findings that extend `finding`. Updated the descriptions of each class. --------- Signed-off-by: Paul Agbabian <[email protected]>
ocsf · Jan 3, 2025 · 5e1c79d · 5e1c79d
1 parent d1d1dc2
commit 5e1c79d
Show file tree

Hide file tree

Showing 8 changed files with 65 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -93,6 +93,8 @@ Thankyou! -->
     1. Added `software_component` and `sbom` objects. #1262
     1. Added `drive_type` and `drive_type_id` objects. #1287
     1. Added `cpu_architecture` and `cpu_architecture_id` objects. #1278
+* ### Profiles
+    1. Added `incident` profile. #1293
 
 ### Improved
 * #### Event Classes
@@ -113,6 +115,7 @@ Thankyou! -->
     1. Add `security_control` profile to base_event.json and remove this profile elsewhere in the event hierarchy. #1281
     1. Add `policies` to `Account Change` class. #1282
     1. Add `Unlock` activity to `account_change` class. #1285
+    1. Add `incident` profile to `finding` to affect classes that extend it. #1293
 * #### Profiles
     1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178
     1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile.  #1178

diff --git a/events/findings/compliance_finding.json b/events/findings/compliance_finding.json
@@ -1,7 +1,7 @@
 {
   "uid": 3,
   "caption": "Compliance Finding",
-  "description": "Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as <code>NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001</code> etc.",
+  "description": "Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as <code>NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001</code> etc. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile or aggregate this finding into an <code>Incident Finding</code>.",
   "extends": "finding",
   "name": "compliance_finding",
   "attributes": {

diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
@@ -1,7 +1,7 @@
 {
     "uid": 6,
     "caption": "Data Security Finding",
-    "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data.",
+    "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile  or aggregate this finding into an <code>Incident Finding</code>.",
     "extends": "finding",
     "name": "data_security_finding",
     "attributes": {

diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
@@ -1,7 +1,7 @@
 {
   "uid": 4,
   "caption": "Detection Finding",
-  "description": "A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object.",
+  "description": "A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile  or aggregate this finding into an <code>Incident Finding</code>.",
   "extends": "finding",
   "name": "detection_finding",
   "attributes": {

diff --git a/events/findings/finding.json b/events/findings/finding.json
@@ -4,7 +4,13 @@
   "description": "The Finding event is a generic event that defines a set of attributes available in the Findings category.",
   "extends": "base_event",
   "name": "finding",
+  "profiles": [
+    "incident"
+  ],
   "attributes": {
+    "$include": [
+      "profiles/incident.json"
+    ],
     "activity_id": {
       "description": "The normalized identifier of the finding activity.",
       "enum": {

diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
@@ -2,9 +2,12 @@
   "uid": 5,
   "caption": "Incident Finding",
   "category": "findings",
-  "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.",
+  "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics. <br><strong>Note: </strong><code>Incident Finding</code> implicitly includes the <code>incident</code> profile and it should be added to the <code>metadata.profiles[]</code> array.",
   "extends": "base_event",
   "name": "incident_finding",
+  "profiles": [
+    "incident"
+  ],
   "attributes": {
     "activity_id": {
       "description": "The normalized identifier of the Incident activity.",

diff --git a/events/findings/vulnerability_finding.json b/events/findings/vulnerability_finding.json
@@ -1,7 +1,7 @@
 {
   "uid": 2,
   "caption": "Vulnerability Finding",
-  "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.",
+  "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Note: if the event producer is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information, if present, should be duplicated into the <code>finding_info</code> object. <br><strong>Note: </strong>If the Finding is an incident, i.e. requires incident workflow, also apply the <code>incident</code> profile  or aggregate this finding into an <code>Incident Finding</code>.",
   "extends": "finding",
   "name": "vulnerability_finding",
   "attributes": {

diff --git a/profiles/incident.json b/profiles/incident.json
@@ -0,0 +1,48 @@
+{
+    "description": "The attributes that add incident handling semantics to a Finding.",
+    "meta": "profile",
+    "caption": "Incident",
+    "name": "incident",
+    "annotations": {
+      "group": "primary"
+    },
+    "attributes": {
+        "assignee": {
+            "group": "context",
+            "requirement": "optional"
+          },
+          "assignee_group": {
+            "group": "context",
+            "requirement": "optional"
+          },
+          "is_suspected_breach": {
+            "group": "context",
+            "requirement": "optional"
+          },
+          "priority": {
+            "group": "context",
+            "requirement": "optional"
+          },
+          "priority_id": {
+            "group": "context",
+            "requirement": "recommended"
+          },
+          "src_url": {
+            "description": "A Url link used to access the original incident.",
+            "group": "primary",
+            "requirement": "recommended"
+          },
+          "ticket": {
+            "group": "context",
+            "requirement": "optional"
+          },
+          "verdict": {
+            "group": "primary",
+            "requirement": "recommended"
+          },
+          "verdict_id": {
+            "group": "primary",
+            "requirement": "recommended"
+          }
+    }
+  }