Findings category - Detection class #789
Replies: 5 comments 1 reply
-
Sample sanitized MS Defender detection hit (pulled from alerts_v2 API):
Note that this sample has 2 separate file "evidence" pieces, a process "evidence" piece, user and device info, and could have even more/other combos of system/network activity "evidence" pieces that we should try to capture in the detection finding object.
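As an added illustration of the evidence-combination point above (example code written for this thread, not OCSF project code and not the sanitized sample from the comment): a small mapper that takes an alert in the shape of the Microsoft Graph security alerts_v2 resource and folds each `evidence` entry into an OCSF-style Detection Finding. The input alert is constructed. The output attribute names follow OCSF 1.1.0 Detection Finding (class_uid 2004, `evidences`, `finding_info`, top-level `device`) and are an assumption about what the draft class in this thread will settle on; the one practitioner caveat it shows is that evidence types you have not mapped yet should land in `unmapped` rather than being silently dropped.

```python
"""Map a Microsoft Defender alerts_v2 alert to an OCSF-style Detection Finding.

Added example for this discussion thread, not OCSF project code. Attribute
names are an assumption modelled on OCSF 1.1.0 Detection Finding (2004).
"""
from datetime import datetime, timezone

# Constructed sample (not the sanitized alert from the thread): two file
# evidence items, one process, one user, one device, plus one evidence type
# this mapper does not know about yet, to exercise the `unmapped` path.
SAMPLE_ALERT = {
    "id": "alert-0001",
    "title": "Suspicious PowerShell download cradle",
    "description": "Encoded PowerShell fetched and wrote a second-stage binary.",
    "severity": "high",
    "status": "new",
    "createdDateTime": "2023-10-12T14:03:11Z",
    "detectionSource": "microsoftDefenderForEndpoint",
    "evidence": [
        {"@odata.type": "#microsoft.graph.security.fileEvidence",
         "fileDetails": {"fileName": "stage2.exe", "filePath": "C:\\Users\\Public",
                         "sha256": "a" * 64, "sha1": "b" * 40}},
        {"@odata.type": "#microsoft.graph.security.fileEvidence",
         "fileDetails": {"fileName": "powershell.exe",
                         "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                         "sha256": "c" * 64}},
        {"@odata.type": "#microsoft.graph.security.processEvidence",
         "processId": 4412,
         "processCommandLine": "powershell.exe -enc SQBFAFgA",
         "imageFile": {"fileName": "powershell.exe"},
         "userAccount": {"accountName": "jdoe", "domainName": "CORP"}},
        {"@odata.type": "#microsoft.graph.security.userEvidence",
         "userAccount": {"accountName": "jdoe", "domainName": "CORP",
                         "azureAdUserId": "00000000-0000-0000-0000-000000000001"}},
        {"@odata.type": "#microsoft.graph.security.deviceEvidence",
         "deviceDnsName": "ws01.corp.example", "mdeDeviceId": "mde-device-01",
         "osPlatform": "Windows11"},
        {"@odata.type": "#microsoft.graph.security.registryKeyEvidence",
         "registryKey": "HKLM\\SOFTWARE\\Example\\Run"},
    ],
}

# OCSF severity_id values (0 = Unknown) keyed by Defender severity string.
SEVERITY_MAP = {"informational": 1, "low": 2, "medium": 3, "high": 4}
# OCSF fingerprint algorithm_id: 2 = SHA-1, 3 = SHA-256.
HASH_ALGORITHMS = (("sha1", 2), ("sha256", 3))


def _file(fd):
    """fileDetails -> OCSF file object (only fields present in the input)."""
    hashes = [{"algorithm_id": alg_id, "value": fd[key]}
              for key, alg_id in HASH_ALGORITHMS if fd.get(key)]
    return {"name": fd.get("fileName"), "path": fd.get("filePath"), "hashes": hashes}


def _user(ua):
    """userAccount -> OCSF user object."""
    return {"name": ua.get("accountName"), "domain": ua.get("domainName"),
            "uid": ua.get("azureAdUserId")}


def _epoch_ms(iso):
    """ISO 8601 'Z' timestamp -> OCSF timestamp_t (epoch milliseconds)."""
    dt = datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)
    return int(dt.timestamp() * 1000)


def to_detection_finding(alert):
    """Fold every alerts_v2 evidence entry into one Detection Finding dict."""
    evidences, unmapped, device = [], [], None
    for ev in alert.get("evidence", []):
        kind = ev.get("@odata.type", "").rsplit(".", 1)[-1]
        if kind == "fileEvidence":
            evidences.append({"file": _file(ev.get("fileDetails", {}))})
        elif kind == "processEvidence":
            user = _user(ev.get("userAccount", {}))
            evidences.append({
                "process": {"pid": ev.get("processId"),
                            "cmd_line": ev.get("processCommandLine"),
                            "file": _file(ev.get("imageFile", {})), "user": user},
                "actor": {"user": user}})
        elif kind == "userEvidence":
            evidences.append({"actor": {"user": _user(ev.get("userAccount", {}))}})
        elif kind == "deviceEvidence":
            # Device is a top-level finding attribute, not an evidence entry.
            device = {"hostname": ev.get("deviceDnsName"), "uid": ev.get("mdeDeviceId"),
                      "os": {"name": ev.get("osPlatform")}}
        else:
            unmapped.append(kind)  # keep, do not drop, evidence we cannot map yet
    finding = {
        "category_uid": 2, "class_uid": 2004, "activity_id": 1, "type_uid": 200401,
        "severity_id": SEVERITY_MAP.get(alert.get("severity", "").lower(), 0),
        "time": _epoch_ms(alert["createdDateTime"]),
        "status": alert.get("status"),
        "finding_info": {"uid": alert["id"], "title": alert["title"],
                         "desc": alert.get("description"),
                         "analytic": {"type_id": 1, "name": alert.get("detectionSource")}},
        "device": device,
        "evidences": evidences,
        "metadata": {"version": "1.1.0",
                     "product": {"name": "Microsoft Defender", "vendor_name": "Microsoft"}},
    }
    if unmapped:
        finding["unmapped"] = {"evidence_types": unmapped}
    return finding


if __name__ == "__main__":
    import json
    print(json.dumps(to_detection_finding(SAMPLE_ALERT), indent=2))
```

Because Defender lists the device as just another evidence entry while the finding class carries it at the top level, the mapper has to decide per evidence type whether it becomes an `evidences[]` element or a finding-level attribute; that is the same design question the comment raises for the other system/network activity combinations.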
-
As per 10/12 call, should add
-
Based on 10/19 call, some of the requested changes:
Clarifications for next week (I don't recall the final verdict for these):
Next considerations:
-
In SentinelOne extension (so far internal) we are adding the following to Security Alert:
-
Leaving the draft of this class here for folks to refer to as we build this one out - https://github.com/floydtree/ocsf-schema/tree/detections
-
Starting conversation on structure of the Detection class in Findings category.
Base Event class
https://schema.ocsf.io/1.1.0-dev/base_event?extensions=
Common attributes from Finding base class:
Remaining attributes from deprecated Security Finding class
The goal is to refine the list of attributes for the new Detection class to distinguish it from the Incident and other classes from the Findings category.