
Incident Finding event class definition #903

Merged: 8 commits, Jan 10, 2024

Conversation

floydtree (Contributor) commented Dec 26, 2023

Related Issue: #902

Related PR: #786

Description of changes:

  1. Refactoring @maxhotta's PR to account for the new finding_info object, removing duplicates, adding descriptions.
  2. Removing separate enum definitions, since that concept has been deprecated in OCSF.

A few topics to discuss based on #786 -

  1. findings_info vs finding_info_list - I am okay with either of the two; however, finding_info_list makes it easier to distinguish it from finding_info. - based on weekly call - finding_info_list
  2. user vs assignee - are both necessary in the class? - keeping assignee, adding assignee_group
  3. incident_uid - haven't added it, metadata_uid should be used instead.

@floydtree floydtree added labels `findings` (Issues related to Findings Category), `non_breaking` (Non Breaking, backwards compatible changes), `v1.1.0` (Changes marked for v1.1.0 of OCSF) on Dec 26, 2023
pagbabian-splunk (Contributor) commented

Generally looks good and needed for completion.

Main comment so far: assignee could also be a group of users; typically in a SOC with shifts, incidents could be passed across shifts to users in a group.

mikeradka
mikeradka previously approved these changes Jan 2, 2024
maxhotta (Contributor) commented Jan 2, 2024

Looks good to me as well. The only attribute that I noticed missing was the consolidated attacks array. I suspect it was removed for duplication as it's already a part of each of the findings?

pagbabian-splunk (Contributor) commented Jan 3, 2024

> Looks good to me as well. The only attribute that I noticed missing was the consolidated attacks array. I suspect it was removed for duplication as it's already a part of each of the findings?

That's what I would assume as well - the finding_info_list has finding_info.attacks for each Finding in the Incident.

However, there is an argument that the overall Incident could have its own attacks array, e.g. as a summary of what the Incident implies.

floydtree (Contributor, Author) commented

> > Looks good to me as well. The only attribute that I noticed missing was the consolidated attacks array. I suspect it was removed for duplication as it's already a part of each of the findings?
>
> That's what I would assume as well - the finding_info_list has finding_info.attacks for each Finding in the Incident.

Yep, that was the thought, but we can add a top-level attacks as Paul suggested for an incident's summary of TTPs.
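An added example, not code from the OCSF project or from this PR, of the rollup discussed in this thread: deriving a top-level `attacks` summary from `finding_info_list[*].attacks` and checking a producer's event for techniques that appear in a finding but are missing from that summary. The field names `finding_info_list`, `attacks`, `tactic.uid` and `technique.uid` are assumed from the thread and the OCSF attack object; the sample incident is constructed.

```python
"""Roll up per-finding ATT&CK entries into an incident-level `attacks` summary.

Assumed layout (from the PR discussion): an Incident Finding carries
finding_info_list, each item being a finding_info with an optional attacks
array of OCSF attack objects (tactic, technique, version).
"""
import json

# Constructed sample: two findings share one technique, a third has no mapping yet.
SAMPLE_INCIDENT = json.loads("""
{
  "metadata": {"uid": "incident-0001", "version": "1.1.0"},
  "assignee": {"name": "analyst1"},
  "assignee_group": {"name": "soc-shift-b"},
  "finding_info_list": [
    {"uid": "f-1", "title": "Credential dumping on host A",
     "attacks": [{"tactic": {"uid": "TA0006", "name": "Credential Access"},
                  "technique": {"uid": "T1003", "name": "OS Credential Dumping"},
                  "version": "14.1"}]},
    {"uid": "f-2", "title": "Lateral movement to host B",
     "attacks": [{"tactic": {"uid": "TA0008", "name": "Lateral Movement"},
                  "technique": {"uid": "T1021", "name": "Remote Services"},
                  "version": "14.1"},
                 {"tactic": {"uid": "TA0006", "name": "Credential Access"},
                  "technique": {"uid": "T1003", "name": "OS Credential Dumping"},
                  "version": "14.1"}]},
    {"uid": "f-3", "title": "Suspicious login, no ATT&CK mapping yet"}
  ]
}
""")


def attack_key(attack):
    """Identity of an attack entry: (tactic uid, technique uid)."""
    return (attack.get("tactic", {}).get("uid"), attack.get("technique", {}).get("uid"))


def summarize_attacks(incident):
    """De-duplicated, sorted attacks array covering every finding in the incident."""
    seen = {}
    for finding in incident.get("finding_info_list", []):
        for attack in finding.get("attacks", []):
            seen.setdefault(attack_key(attack), attack)  # keep first occurrence
    return sorted(seen.values(), key=attack_key)


def missing_from_summary(incident):
    """Keys present in some finding's attacks but absent from the top-level attacks."""
    top = {attack_key(a) for a in incident.get("attacks", [])}
    per_finding = {attack_key(a) for f in incident.get("finding_info_list", [])
                   for a in f.get("attacks", [])}
    return sorted(per_finding - top)
```

Running `missing_from_summary` over events from a producer is a cheap consistency check that the incident-level summary never silently drops a technique one of its findings reported.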

@floydtree floydtree changed the title Incident finding event class Incident Finding event class definition Jan 3, 2024
@floydtree floydtree marked this pull request as ready for review January 3, 2024 18:23
zschmerber previously approved these changes Jan 9, 2024

@zschmerber (Contributor) left a comment:

LGTM

mikeradka
mikeradka previously approved these changes Jan 9, 2024
@floydtree floydtree requested a review from Aniak5 January 9, 2024 21:43
dictionary.json: 4 review threads (outdated, resolved)
@floydtree floydtree requested a review from Aniak5 January 10, 2024 15:21
@Aniak5 (Contributor) left a comment:

LGTM!

@floydtree floydtree merged commit 4122b41 into ocsf:main Jan 10, 2024
2 checks passed
@floydtree floydtree deleted the incident_finding branch January 10, 2024 18:47
6 participants