From b9cbd2726817ce5754512480d7233ee4ed8f375f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20K=C5=99e=C4=8Dan?=
Date: Tue, 27 Aug 2024 19:42:58 +0200
Subject: [PATCH] Add evidences to Compliance Finding

When reporting Compliance Finding, we want to specify which File, API or Device caused us to trigger the finding.
---
 CHANGELOG.md | 1 +
 dictionary.json | 2 +-
 events/findings/compliance_finding.json | 5 +++++
 events/findings/detection_finding.json | 1 +
 4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b7e427fa4..5874a152d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,7 @@ Thankyou! -->
 ### Added
 * #### Event Classes
 1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+ 2. Added `evidences` to `compliance_finding` class. #1157
 
 ### Improved
 * #### Objects
diff --git a/dictionary.json b/dictionary.json
index 2ced1b5ed..71c7a3b87 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -1858,7 +1858,7 @@
 },
 "evidences": {
 "caption": "Evidence Artifacts",
- "description": "Describes various evidence artifacts associated to the activity/activities that triggered a security detection.",
+ "description": "A collection of evidence artifacts associated to the activity/activities that triggered a finding. See specific usage.",
 "type": "evidences",
 "is_array": true
 },
diff --git a/events/findings/compliance_finding.json b/events/findings/compliance_finding.json
index e46e7602c..96586b387 100644
--- a/events/findings/compliance_finding.json
+++ b/events/findings/compliance_finding.json
@@ -10,6 +10,11 @@
 "group": "primary",
 "requirement": "required"
 },
+ "evidences": {
+ "group": "context",
+ "description": "Describes various evidence artifacts associated with the compliance finding.",
+ "requirement": "optional"
+ },
 "remediation": {
 "group": "context",
 "requirement": "recommended"
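Review bot: The rewritten dictionary.json description still reads "associated to" where English wants "associated with"; the same phrase is repeated verbatim in the description added to detection_finding.json in the next hunk, while the new compliance_finding.json text says "associated with", so the three now disagree. "See specific usage." also leaves the reader guessing where to look, and since this change moves the attribute's meaning into the per-class descriptions, the dictionary text should say so. Suggest `"description": "A collection of evidence artifacts associated with the activity/activities that triggered a finding. See the attribute description on each finding class for its specific usage.",` and the matching "associated with" in detection_finding.json.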
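Review bot: The `evidences` description added to compliance_finding.json is generic ("associated with the compliance finding") and does not capture what the commit message says the attribute is for — the file, API or device whose state caused the finding — even though the dictionary entry now defers to this per-class text for the specific usage. Suggest `"description": "Describes various evidence artifacts associated with the compliance finding, such as the file, API or device whose state caused the finding to be raised.",`. The attribute is placed in the `context` group as `optional`, whereas detection_finding.json carries it as `primary`/`recommended`; if the evidence is the resource the compliance check was evaluated against, analysts triaging the finding will want it populated consistently, which `recommended` signals and `optional` does not. That placement looks deliberate, but the reasoning is not visible here and would be worth a sentence in the description.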
diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
index 78f89af3a..cca7dbde3 100644
--- a/events/findings/detection_finding.json
+++ b/events/findings/detection_finding.json
@@ -14,6 +14,7 @@
 ],
 "evidences": {
 "group": "primary",
+ "description": "Describes various evidence artifacts associated to the activity/activities that triggered a security detection.",
 "requirement": "recommended"
 },
 "impact": {