In the prowler ocsf.json report, the Finding_info entity is missing Analytic, and Attack field
#7.176 aberto em 11 de mar. de 2025
Métricas do repositório
- Stars
- (8.957 stars)
- Métricas de merge de PR
- (Mesclagem média 9d 17h) (314 fundiu PRs em 30d)
Description
New feature motivation
In the OCSF schema, finding info entity can have following fields https://schema.ocsf.io/1.4.0/objects/finding_info?extensions=
Among them, Analytic can have following fields https://schema.ocsf.io/1.4.0/objects/analytic?extensions=
Attack which will have mitre attack descriptions, can have following field https://schema.ocsf.io/1.4.0/objects/attack?extensions=
It would be great if you can add these details in the report.
Solution Proposed
Currently wazuh agent provide us details about analytic and attack fields. But wazuh does not follow OCSF schema, so you wont find it with analytic and attack name.
A sample wazuh alert is attached. You can follow this link to convert wazuh fields to ocsf field related to attack and analytic
https://documentation.wazuh.com/current/integrations-guide/amazon-security-lake/index.html
Describe alternatives you've considered
N/A
Additional context
No response