Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add verdict, verdict_id to Incident Findings class #930

Merged
merged 10 commits into from
Jan 16, 2024
Merged

Add verdict, verdict_id to Incident Findings class #930

merged 10 commits into from
Jan 16, 2024

Conversation

zschmerber
Copy link
Contributor

@zschmerber zschmerber commented Jan 11, 2024
edited
Loading

Related Issue:

#902

Description of changes:

In this PR I am adding verdict, verdict_id, vedict_type, and verdict_type_id. the new fields will all be used in the incident finding and should be the last PR entered in V1.1

image

@zschmerber zschmerber added enhancement New feature or request findings Issues related to Findings Category v1.1.0 Changes marked for v1.1.0 of OCSF labels Jan 11, 2024
@zschmerber zschmerber self-assigned this Jan 11, 2024
@zschmerber zschmerber changed the title adding verdict, verdict_id, verdict_type, and verdict_type_id to Incident_findings class. Add verdict, verdict_id, verdict_type, and verdict_type_id to Incident_findings class Jan 11, 2024
@zschmerber zschmerber marked this pull request as ready for review January 11, 2024 01:02
@zschmerber
Copy link
Contributor Author

Thoughts on adding Duplicate to the verdict_id?

@pagbabian-splunk
Copy link
Contributor

pagbabian-splunk commented Jan 11, 2024
edited
Loading

Thoughts on adding Duplicate to the verdict_id?

Good idea.

I just looked at the merged PR for Incident Finding, and there is a resolution_id which seems to overlap a bit with our proposed verdict_id - but it doesn't have a True Positive.

I'm not sure I like the term resolution as much as verdict since we also have a status that includes resolved but separately has a closed. Which would always mean two distinct events in order to have a verdict/resolution and then close the incident. If every attribute state change equates to a separate incident_finding event, that would make sense, but it seems like incident_finding is one of the more stateful classes we have, and multiple attribute changes could be committed together.

@zschmerber
Copy link
Contributor Author

Thoughts on adding Duplicate to the verdict_id?

Good idea. I just looked at the merged PR for Incident, and there is a resolution_id which seems to overlap a bit with verdict_id - but it doesn't have a True Positive.

That is a pretty big overlap. I think we need to choose one or the other to add that values too.

@pagbabian-splunk
Copy link
Contributor

pagbabian-splunk commented Jan 11, 2024
edited
Loading

Yes it is - I would just add to the resolution_id True Positive and Duplicate. I'm not so sure about having a Resolved for status_id though, see my comment above. Does Resolved also imply Closed? Also, would Duplicate be for a Detection Finding or other Finding, but not Incident Finding?

@zschmerber
Copy link
Contributor Author

Yes it is - I would just add to the resolution_id True Positive and Duplicate. I'm not so sure about having a Resolved for status_id though, see my comment above. Does Resolved also imply Closed? Also, would Duplicate be for a Detection Finding or other Finding, but not Incident Finding?

Ok I can do that, do we want to have a resolution_type_id field that works in parallel that contains analyst , provider ect...?

floydtree
floydtree requested changes Jan 11, 2024
View reviewed changes
events/findings/incident_finding.json Outdated Show resolved Hide resolved
events/findings/incident_finding.json Outdated Show resolved Hide resolved
events/findings/incident_finding.json Outdated Show resolved Hide resolved
@floydtree
Copy link
Contributor

@zschmerber @pagbabian-splunk let's chat on slack for resolution vs verdict, easier and quicker to arrive at a consensus.

@zschmerber
Copy link
Contributor Author

zschmerber commented Jan 11, 2024
edited
Loading

image Removed resolution_id and resolution and added the fields into verdict_id and verdict

@pagbabian-splunk
Copy link
Contributor

Looks good. A few nits on the verdict_id labels in the dictionary.

The language isn't quite right for: 'The incident verdict can be disregarded' and related. i.e. it's the incident that can be disregarded, not the incident verdict. Similar to others in the list: the incident is a True Positive, or the incident verdict is True Positive (not incident verdict is a True Positive). I know these things are small.

Also, although we haven't been perfectly consistent, and it won't matter in the browser, we usually have 0 - Unknown at the top of the list, and 99 - Other at the bottom, but if not in that order, we have 99 - Other and then 0 - Unknown as the first two in the list followed by the actual values.

floydtree
floydtree requested changes Jan 12, 2024
View reviewed changes
events/findings/incident_finding.json Outdated Show resolved Hide resolved
events/findings/incident_finding.json Outdated Show resolved Hide resolved
dictionary.json Outdated Show resolved Hide resolved
@zschmerber
Copy link
Contributor Author

Looks good. A few nits on the verdict_id labels in the dictionary.

The language isn't quite right for: 'The incident verdict can be disregarded' and related. i.e. it's the incident that can be disregarded, not the incident verdict. Similar to others in the list: the incident is a True Positive, or the incident verdict is True Positive (not incident verdict is a True Positive). I know these things are small.

Also, although we haven't been perfectly consistent, and it won't matter in the browser, we usually have 0 - Unknown at the top of the list, and 99 - Other at the bottom, but if not in that order, we have 99 - Other and then 0 - Unknown as the first two in the list followed by the actual values.

fixed this, also thoughts on verdict_type_id fields:
internal and external vs analyst verdict and provider?

@pagbabian-splunk
Copy link
Contributor

Not that I want to copy, but UDM says 'Analyst Verdict' and 'Provider Verdict' - if we were to map those events, it would be straightforward. Hard to say how I would decide whether Analyst Verdict was internal or external.

floydtree
floydtree approved these changes Jan 16, 2024
View reviewed changes
Copy link
Contributor

@floydtree floydtree left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

Aniak5
Aniak5 approved these changes Jan 16, 2024
View reviewed changes
Copy link
Contributor

@Aniak5 Aniak5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mikeradka mikeradka merged commit e4162c5 into ocsf:main Jan 16, 2024
2 checks passed
@floydtree floydtree changed the title Add verdict, verdict_id, verdict_type, and verdict_type_id to Incident_findings class Add verdict, verdict_id to Incident Findings class Jan 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikeradka mikeradka mikeradka approved these changes

@floydtree floydtree floydtree approved these changes

@Aniak5 Aniak5 Aniak5 approved these changes

@pagbabian-splunk pagbabian-splunk Awaiting requested review from pagbabian-splunk pagbabian-splunk is a code owner

@maxhotta maxhotta Awaiting requested review from maxhotta

Assignees

@zschmerber zschmerber

Labels
enhancement New feature or request findings Issues related to Findings Category v1.1.0 Changes marked for v1.1.0 of OCSF
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@zschmerber @pagbabian-splunk @floydtree @Aniak5 @mikeradka @zschmerber-atlassian