Add evidences to Compliance Finding (#1157)

When reporting Compliance Finding, we want to specify which File, API or Device caused us to trigger the finding. For example, if we have a terraform file which creates an AWS ec2 instance with public 22 port, we want to point to the file where we found the issue. #### Description of changes: * Add evidences to Compliance Finding Signed-off-by: Rajas <89877409+floydtree@users.noreply.github.com> Co-authored-by: Lukáš Křečan <lukas.krecan@sentinelone.com> Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
ocsf · Aug 29, 2024 · 2322992 · 2322992
1 parent 4b84170
commit 2322992
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -49,6 +49,8 @@ Thankyou! -->
     1. Added `has_mfa` as a `boolean_t`. #1155
 
 ### Improved
+* #### Event Classes
+    1. Added `evidences` to `compliance_finding` class. #1157
 * #### Objects
     1. Added `phone_number` to `user` and `ldap_person` objects. #1155
     2. Added `has_mfa` to `user` object. #1155

diff --git a/dictionary.json b/dictionary.json
@@ -1858,7 +1858,7 @@
     },
     "evidences": {
       "caption": "Evidence Artifacts",
-      "description": "Describes various evidence artifacts associated to the activity/activities that triggered a security detection.",
+      "description": "A collection of evidence artifacts associated to the activity/activities that triggered a finding. See specific usage.",
       "type": "evidences",
       "is_array": true
     },

diff --git a/events/findings/compliance_finding.json b/events/findings/compliance_finding.json
@@ -9,6 +9,11 @@
       "group": "primary",
       "requirement": "required"
     },
+    "evidences": {
+      "group": "context",
+      "description": "Describes various evidence artifacts associated with the compliance finding.",
+      "requirement": "optional"
+    },
     "remediation": {
       "group": "context",
       "requirement": "recommended"

diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
@@ -10,6 +10,7 @@
     ],
     "evidences": {
       "group": "primary",
+      "description": "Describes various evidence artifacts associated to the activity/activities that triggered a security detection.",
       "requirement": "recommended"
     },
     "impact": {