prowler-cloud/prowler

In the prowler ocsf.json report, the Finding_info entity is missing Analytic, and Attack field

Open

#7.176 geöffnet am 11. März 2025

Auf GitHub ansehen
 (3 Kommentare) (1 Reaktion) (0 zugewiesene Personen)Python (1.322 Forks)batch import
feature-requesthelp wantedoutput/ocsf

Repository-Metriken

Stars
 (8.957 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 9T 17h) (314 gemergte PRs in 30 T)

Beschreibung

New feature motivation

In the OCSF schema, finding info entity can have following fields https://schema.ocsf.io/1.4.0/objects/finding_info?extensions=

Among them, Analytic can have following fields https://schema.ocsf.io/1.4.0/objects/analytic?extensions=

Attack which will have mitre attack descriptions, can have following field https://schema.ocsf.io/1.4.0/objects/attack?extensions=

It would be great if you can add these details in the report.

Solution Proposed

Currently wazuh agent provide us details about analytic and attack fields. But wazuh does not follow OCSF schema, so you wont find it with analytic and attack name.

A sample wazuh alert is attached. You can follow this link to convert wazuh fields to ocsf field related to attack and analytic

https://documentation.wazuh.com/current/integrations-guide/amazon-security-lake/index.html

wazuh_alerts_2025-03-07.json

Describe alternatives you've considered

N/A

Additional context

No response

Contributor Guide