Incident update (ocsf#1320)

#### Related Issue: 1319 #### Description of changes: Updated descriptions for the `impact` related attributes, in particular `impact_id` and added the references and source to NIST. Added the `impact` related attributes to the `incident` profile (they should have been added at the outset). --------- Signed-off-by: Paul Agbabian <[email protected]> Co-authored-by: Jonathan Rau <[email protected]>
davemcatcisco · Jan 17, 2025 · 71b0c14 · 71b0c14
1 parent f5399f2
commit 71b0c14
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 14 deletions.
diff --git a/dictionary.json b/dictionary.json
@@ -2499,25 +2499,32 @@
     },
     "impact_id": {
       "caption": "Impact ID",
-      "description": "The normalized impact of the finding.",
+      "description": "The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.",
       "sibling": "impact",
       "type": "integer_t",
+      "source": "impact value; impact level",
+      "references": [{"description": "NIST SP 800-172 from FIPS 199", "url": "https://doi.org/10.6028/NIST.FIPS.199"}, 
+                     {"description": "NIST Computer Security Resource Center", "url": "https://doi.org/10.6028/NIST.FIPS.199"}],
       "enum": {
         "0": {
           "caption": "Unknown",
           "description": "The normalized impact is unknown."
         },
         "1": {
-          "caption": "Low"
+          "caption": "Low",
+          "description": "The magnitude of harm is low."
         },
         "2": {
-          "caption": "Medium"
+          "caption": "Medium",
+          "description": "The magnitude of harm is moderate."
         },
         "3": {
-          "caption": "High"
+          "caption": "High",
+          "description": "The magnitude of harm is high."
         },
         "4": {
-          "caption": "Critical"
+          "caption": "Critical",
+          "description": "The magnitude of harm is high and the scope is widespread."
         },
         "99": {
           "caption": "Other",
@@ -2526,8 +2533,8 @@
       }
     },
     "impact_score": {
-      "caption": "Impact",
-      "description": "The impact of the finding, valid range 0-100.",
+      "caption": "Impact Score",
+      "description": "The impact as an integer value of the finding, valid range 0-100.",
       "type": "integer_t"
     },
     "injection_type": {
@@ -3768,7 +3775,7 @@
     },
     "priority_id": {
       "caption": "Priority ID",
-      "description": "The normalized priority. Priority identifies the relative importance of the finding. It is a measurement of urgency.",
+      "description": "The normalized priority. Priority identifies the relative importance of the incident or finding. It is a measurement of urgency.",
       "sibling": "priority",
       "type": "integer_t",
       "enum": {

diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
@@ -88,15 +88,18 @@
         },
         "impact": {
             "group": "context",
-            "requirement": "optional"
+            "requirement": "optional",
+            "profile": null
         },
         "impact_id": {
             "group": "context",
-            "requirement": "optional"
+            "requirement": "optional",
+            "profile": null
         },
         "impact_score": {
             "group": "context",
-            "requirement": "optional"
+            "requirement": "optional",
+            "profile": null
         },
         "is_alert": {
             "profile": null,

diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
@@ -27,15 +27,18 @@
     },
     "impact": {
       "group": "context",
-      "requirement": "optional"
+      "requirement": "optional",
+      "profile": null
     },
     "impact_id": {
       "group": "context",
-      "requirement": "optional"
+      "requirement": "optional",
+      "profile": null
     },
     "impact_score": {
       "group": "context",
-      "requirement": "optional"
+      "requirement": "optional",
+      "profile": null
     },
     "is_alert": {
       "profile": null,

diff --git a/profiles/incident.json b/profiles/incident.json
@@ -15,6 +15,18 @@
             "group": "context",
             "requirement": "optional"
           },
+          "impact": {
+            "group": "primary",
+            "requirement": "recommended"
+          },
+          "impact_id": {
+            "group": "primary",
+            "requirement": "recommended"
+          },
+          "impact_score": {
+            "group": "primary",
+            "requirement": "recommended"
+          },      
           "is_suspected_breach": {
             "group": "context",
             "requirement": "optional"