prowler-cloud/prowler

In the Prowler ocsf.json report, the Finding_info entity is missing the Analytic and Attack fields

Open

#7,176 opened on Mar 11, 2025

2 comments, 1 reaction, 0 assignees

Labels: feature-request, help wanted, output/ocsf

Description

New feature motivation

In the OCSF schema, the finding_info entity can have the following fields: https://schema.ocsf.io/1.4.0/objects/finding_info?extensions=

Among them, analytic can have the following fields: https://schema.ocsf.io/1.4.0/objects/analytic?extensions=

Attack, which holds the MITRE ATT&CK descriptions, can have the following fields: https://schema.ocsf.io/1.4.0/objects/attack?extensions=

It would be great if you could add these details to the report.

Solution Proposed

Currently the Wazuh agent provides us with details about the analytic and attack fields. But Wazuh does not follow the OCSF schema, so you won't find them under the analytic and attack names.

A sample Wazuh alert is attached. You can follow this link to convert Wazuh fields to the OCSF fields related to attack and analytic:

https://documentation.wazuh.com/current/integrations-guide/amazon-security-lake/index.html

Attachment: wazuh_alerts_2025-03-07.json

Describe alternatives you've considered

N/A

Additional context

No response
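The mapping the request asks for, worked through as an added example (this is not Prowler's or Wazuh's code, and it does not reuse the attached alert): a constructed Wazuh JSON alert in the shape of Wazuh 4.x output (rule.id, rule.description, rule.groups, rule.mitre.id/tactic/technique, decoder.name, all assumed) is turned into an OCSF 1.4 finding_info object with analytic and attacks populated. The enterprise ATT&CK tactic IDs are the published ones; the ATT&CK version string is an assumption. The example also covers the two cases a converter has to get right: rules with no MITRE mapping at all (attacks must be omitted, not emitted as an empty list) and sub-technique IDs such as T1110.001, which belong in attack.sub_technique rather than attack.technique.

```python
"""Map a Wazuh alert's rule metadata onto OCSF 1.4 finding_info.analytic and
finding_info.attacks (https://schema.ocsf.io/1.4.0/objects/finding_info).

Added example, not Prowler's or Wazuh's code. Assumed: the Wazuh 4.x JSON alert
layout (rule.id, rule.description, rule.groups, rule.mitre.{id,tactic,technique},
decoder.name) and that OCSF analytic.type_id 1 means "Rule".
"""
import json
from typing import Any

# Enterprise ATT&CK tactic name -> tactic ID. Wazuh alerts carry only tactic
# names, while OCSF attack.tactic wants uid + name + src_url.
TACTIC_IDS = {
    "Reconnaissance": "TA0043", "Resource Development": "TA0042",
    "Initial Access": "TA0001", "Execution": "TA0002", "Persistence": "TA0003",
    "Privilege Escalation": "TA0004", "Defense Evasion": "TA0005",
    "Credential Access": "TA0006", "Discovery": "TA0007",
    "Lateral Movement": "TA0008", "Collection": "TA0009",
    "Command and Control": "TA0011", "Exfiltration": "TA0010", "Impact": "TA0040",
}

ATTACK_VERSION = "16.1"  # assumed ATT&CK release the rules were written against

# Constructed sample alert in the shape of a Wazuh JSON alert (not the attached file).
SAMPLE_ALERT: dict[str, Any] = {
    "timestamp": "2025-03-07T10:15:42.123+0000",
    "agent": {"id": "001", "name": "web-01"},
    "decoder": {"name": "sshd"},
    "rule": {
        "id": "5763",
        "level": 10,
        "description": "sshd: brute force trying to get access to the system. Non existent user.",
        "groups": ["syslog", "sshd", "authentication_failures"],
        "mitre": {
            "id": ["T1110.001", "T1078"],
            "tactic": ["Credential Access", "Defense Evasion"],
            "technique": ["Password Guessing", "Valid Accounts"],
        },
    },
}


def technique_url(tid: str) -> str:
    """Canonical attack.mitre.org page for a technique or sub-technique ID."""
    base, _, sub = tid.partition(".")
    return f"https://attack.mitre.org/techniques/{base}/{sub + '/' if sub else ''}"


def build_analytic(alert: dict[str, Any]) -> dict[str, Any]:
    """OCSF analytic object describing the Wazuh rule that fired."""
    rule = alert["rule"]
    analytic = {
        "type_id": 1,  # 1 == Rule in the OCSF analytic.type_id enum
        "type": "Rule",
        "uid": str(rule["id"]),
        "name": rule.get("description", f"Wazuh rule {rule['id']}"),
    }
    if rule.get("groups"):
        analytic["category"] = ",".join(rule["groups"])
    return analytic


def build_attacks(alert: dict[str, Any]) -> list[dict[str, Any]]:
    """OCSF attack objects from rule.mitre.*; [] when the rule has no ATT&CK mapping."""
    mitre = alert.get("rule", {}).get("mitre") or {}
    ids = mitre.get("id") or []
    tactics = mitre.get("tactic") or []
    techniques = mitre.get("technique") or []
    attacks = []
    for i, tid in enumerate(ids):
        base, _, sub = tid.partition(".")
        attack: dict[str, Any] = {
            "version": ATTACK_VERSION,
            "technique": {"uid": base, "src_url": technique_url(base)},
        }
        # Wazuh's three lists are index-aligned. A Txxxx.yyy ID names a
        # sub-technique, so the Wazuh technique name goes under sub_technique.
        name = techniques[i] if i < len(techniques) else None
        if sub:
            attack["sub_technique"] = {"uid": tid, "src_url": technique_url(tid)}
            if name:
                attack["sub_technique"]["name"] = name
        elif name:
            attack["technique"]["name"] = name
        tactic_name = tactics[i] if i < len(tactics) else None
        if tactic_name:
            tactic: dict[str, Any] = {"name": tactic_name}
            if tactic_name in TACTIC_IDS:
                tactic["uid"] = TACTIC_IDS[tactic_name]
                tactic["src_url"] = f"https://attack.mitre.org/tactics/{tactic['uid']}/"
            attack["tactic"] = tactic
        attacks.append(attack)
    return attacks


def wazuh_to_finding_info(alert: dict[str, Any]) -> dict[str, Any]:
    """Assemble finding_info with analytic and attacks filled from the alert."""
    rule = alert["rule"]
    info = {
        "uid": f"wazuh-{alert['agent']['id']}-{rule['id']}-{alert['timestamp']}",
        "title": rule["description"],
        "analytic": build_analytic(alert),
    }
    attacks = build_attacks(alert)
    if attacks:  # omit the key rather than emit an empty attacks array
        info["attacks"] = attacks
    return info


if __name__ == "__main__":
    print(json.dumps(wazuh_to_finding_info(SAMPLE_ALERT), indent=2))
```

Run it directly to print the finding_info JSON for the sample alert. The tactic table is needed because Wazuh only records tactic names, whereas an OCSF consumer such as a Security Lake query will typically filter on tactic.uid; a tactic name that is not in the table still gets emitted with name only, so nothing is silently dropped.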
