Refactored to remove incident class, and merge with security_incident

Clean up unused dictionary reference (recommended_action) Clean up descriptions for fields
maxhotta · Jul 28, 2023 · bf1c3bb · bf1c3bb
1 parent f876175
commit bf1c3bb
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 83 deletions.
diff --git a/dictionary.json b/dictionary.json
@@ -2481,11 +2481,6 @@
       "description": "The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.",
       "type": "string_t"
     },
-    "recommended_action": {
-      "caption": "Recommended Action",
-      "description": "A description of recommended step(s) to take to resolve the issue(s) captured in the event.",
-      "type": "string_t"
-    },
     "references": {
       "caption": "References",
       "description": "Supporting reference URLs",

diff --git a/enums/incident_state.json b/enums/incident_state.json
@@ -0,0 +1,32 @@
+{
+  "enum": {
+    "0": {
+      "caption": "Unknown",
+      "description": "The incident state is not known."
+    },
+    "1": {
+      "caption": "New",
+      "description": "The service desk has received the incident but has not assigned it to an agent."
+    },
+    "2": {
+      "caption": "In Progress",
+      "description": "The incident has been assigned to an agent but has not been resolved. The agent is actively working with the user to diagnose and resolve the incident."
+    },
+    "3": {
+      "caption": "On Hold",
+      "description": "The incident requires some information or response from the user or from a third party."
+    },
+    "4": {
+      "caption": "Resolved",
+      "description": "The service desk has confirmed that the incident is resolved."
+    },
+    "5": {
+      "caption": "Closed",
+      "description": "The incident is resolved and no further action is necessary."
+    },
+    "99": {
+      "caption": "Other",
+      "description": "The incident state is other. See the State attribute."
+    }
+  }
+}
diff --git a/events/findings/incident.json b/events/findings/incident.json
diff --git a/events/findings/incident_associate.json b/events/findings/incident_associate.json
@@ -4,12 +4,13 @@
   "category": "findings",
   "name": "incident_associate",
   "extends": "base_event",
-  "description": "Incident Associate events report when a new event is associated with an existing incident.",
+  "description": "Incident Associate events report when additional events are associated with an existing incident.",
   "attributes": {
     "activity_id": {
       "enum": {
         "1": {
-          "caption": "Logged"
+          "caption": "Associate",
+          "description": "Associate events with existing incident."
         }
       }
     },

diff --git a/events/findings/security_incident.json b/events/findings/security_incident.json
@@ -2,7 +2,7 @@
   "caption": "Security Incident",
   "category": "findings",
   "description": "Security Incident events report the creation, update, or closure of incidents as a result of detections and/or analytics.",
-  "extends": "incident",
+  "extends": "base_event",
   "name": "security_incident",
   "uid": 2,
   "attributes": {
@@ -34,6 +34,10 @@
       "group": "primary",
       "requirement": "optional"
     },
+    "conclusions": {
+      "group": "primary",
+      "requirement": "required"
+    },
     "confidence": {
       "group": "primary",
       "requirement": "optional"
@@ -71,6 +75,16 @@
       "group": "context",
       "requirement": "optional"
     },
+    "priority": {
+      "description": "The priority name, as defined by <code>priority_id</code> enum value.",
+      "group": "primary"
+    },
+    "priority_id": {
+      "description": "The normalized priority.</p>Priority identifies the relative importance of the finding. It is a measurement of urgency.",
+      "group": "primary",
+      "requirement": "recommended",
+      "$include": "enums/priority.json"
+    },
     "resolution": {
       "group": "primary",
       "requirement": "optional"
@@ -79,9 +93,25 @@
       "group": "primary",
       "requirement": "optional"
     },
+    "src_url": {
+      "description": "A Url link used to access the original incident.",
+      "group": "primary",
+      "requirement": "optional"
+    },
     "start_time": {
       "description": "The time of the least recent event included in the incident."
     },
+    "state": {
+      "description": "The incident state.",
+      "group": "primary",
+      "requirement": "optional"
+    },
+    "state_id": {
+      "description": "The incident state identifier.",
+      "group": "primary",
+      "requirement": "required",
+      "$include": "enums/incident_state.json"
+    },
     "suspected_breach": {
       "group": "primary",
       "requirement": "optional"