From 56e7aaa953cd874528c23e723afe14bf87dd4d62 Mon Sep 17 00:00:00 2001
From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Date: Wed, 18 Dec 2024 17:48:17 -0500
Subject: [PATCH] add `evidences` to incident finding

---
 CHANGELOG.md | 1 +
 events/findings/incident_finding.json | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77da2d332..6edd45122 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -109,6 +109,7 @@ Thankyou! -->
 1. Relaxed requirements on the `http_request` and `http_response` attributes in the `http_activity` event class and added an `at_least_one` constraint with these attributes. #1274
 1. Add `host` profile to base_event.json and remove this profile elsewhere in the event hierarchy. #1280
 1. Add the `actor` attribute to the IAM base event. #1280
+ 1. Add the `evidences` object to the `Incident Finding` class.
 * #### Profiles
 1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178
 1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile. #1178
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index fbeba2ec6..d1ade2460 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
@@ -67,6 +67,11 @@
 "description": "The time of the most recent event included in the incident.",
 "requirement": "optional"
 },
+ "evidences": {
+ "group": "context",
+ "description": "Describes various evidence artifacts associated to the activity/activities that encompass a security incident.",
+ "requirement": "recommended"
+ },
 "finding_info_list": {
 "group": "primary",
 "requirement": "required"
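Review bot: The new `evidences` entry's description reads awkwardly ("associated to", "activity/activities"), and since this string is what the generated schema documentation renders it is worth tightening before merge, e.g. `"description": "Describes the evidence artifacts associated with the activities that make up a security incident."`. The entry declares no `type`, so it presumably resolves against a dictionary attribute of the same name (the one Detection Finding already uses, if I recall correctly); confirm that dictionary entry exists and that its description does not drift from this class-level override, since an override that disagrees with the dictionary text confuses consumers of the schema. The matching CHANGELOG line in the first hunk omits the PR/issue reference that every neighbouring entry carries (#1274, #1280, #1178); adding it keeps the release notes traceable to the discussion that introduced the attribute. The enclosing attribute map of the incident finding class begins and ends outside the hunk.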