In the prowler ocsf.json report, the Finding_info entity is missing Analytic, and Attack field

[Mubashir-ahmed]

New feature motivation

In the OCSF schema, finding info entity can have following fields
https://schema.ocsf.io/1.4.0/objects/finding_info?extensions=

Among them, Analytic can have following fields
https://schema.ocsf.io/1.4.0/objects/analytic?extensions=

Attack which will have mitre attack descriptions, can have following field
https://schema.ocsf.io/1.4.0/objects/attack?extensions=

It would be great if you can add these details in the report.

Solution Proposed

Currently wazuh agent provide us details about analytic and attack fields. But wazuh does not follow OCSF schema, so you wont find it with analytic and attack name.

A sample wazuh alert is attached. You can follow this link to convert wazuh fields to ocsf field related to attack and analytic

https://documentation.wazuh.com/current/integrations-guide/amazon-security-lake/index.html

wazuh_alerts_2025-03-07.json

Describe alternatives you've considered

N/A

Additional context

No response

[danibarranqueroo]

Hi @Mubashir-ahmed,

Thanks for the example and suggestion. We'll take it into account as we work on improving the report. Could you please share what additional information you'd like to see in those fields or what would be most useful for you?

Your feedback is much appreciated for us! 🚀

[Mubashir-ahmed]

Hi @danibarranqueroo the attack should have mitre attack, technique and sub technique so that I can then slice my prowler findings based on types of attack. If sub technique is not possible then atleast attack and technique.

For MITRE attack matrix, you can see this link
https://attack.mitre.org/matrices/enterprise/

For analytic, atleast one identifier (name/uid) and its type and corresponding type_id