From 682922762ff0a8c4672200bf43dac419aaa03fc4 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Fri, 27 Sep 2024 16:10:34 -0700
Subject: [PATCH 1/2] Improved descriptions for usage of is_alert.
Signed-off-by: Paul Agbabian
---
 events/findings/detection_finding.json | 1 +
 profiles/security_control.json | 1 +
 2 files changed, 2 insertions(+)
diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
index f58911840..bd5e1f887 100644
--- a/events/findings/detection_finding.json
+++ b/events/findings/detection_finding.json
@@ -43,6 +43,7 @@
 "is_alert": {
 "profile": null,
 "group": "primary",
+ "description": "Indicates that the event is considered to be an alertable signal. For example, an activity_id of 'Create' could constitute an alertable signal and the value would be true, while 'Close' likely would not and either omit the attribute or set its value to false. Note that other events with the security_control profile may also be deemed alertable signals and may also carry is_alert = true attributes.",
 "requirement": "recommended"
 },
 "remediation": {
diff --git a/profiles/security_control.json b/profiles/security_control.json
index 7ef74e7da..6aeaa9b72 100644
--- a/profiles/security_control.json
+++ b/profiles/security_control.json
@@ -60,6 +60,7 @@
 "description": "The firewall rule that pertains to the control that triggered the event, if applicable."
 },
 "is_alert": {
+ "description": "Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.",
 "requirement": "recommended"
 },
 "malware": {
From 7fd54b4c53234f6800101909eac541ab4c636546 Mon Sep 17 00:00:00 2001
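Review bot: The added description in detection_finding.json tells producers that a non-alertable finding may "either omit the attribute or set its value to false", but with `"requirement": "recommended"` an absent is_alert is indistinguishable from "the producer never evaluated it", so a consumer that routes on `is_alert == true` silently drops every finding from a producer that does not populate the field, while one that treats absence as unknown over-alerts. The description should say which reading consumers are entitled to, for example by appending `Consumers should treat an absent is_alert as not evaluated rather than as false; only an explicit false asserts that the finding is not alertable.` (the opposite rule, absence equals false, is also workable, but one of them has to be written down). The attributes object this property sits in starts and ends outside the hunk.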
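Review bot: The two rules in the description added to profiles/security_control.json can contradict each other: the second sentence says to set is_alert true when `risk_level_id or severity_id of the event is elevated` with no regard to disposition, while the third offers `disposition_id = Allowed` as an example of a non-alertable event, so an Allowed event with high severity gets true from one producer and false or omitted from another, which is exactly the cross-vendor inconsistency a normalized flag exists to remove. "Elevated" is also left undefined, with no reference to which severity_id or risk_level_id values qualify, so the threshold will differ per producer unless it is at least required to be documented. I would state the precedence explicitly, e.g. replace the last two sentences with `Set to true when disposition_id = Alert (or another disposition the producer treats as alerting), or when severity_id or risk_level_id meets the producer's documented alerting threshold; a disposition such as Exonerated or Allowed by itself does not make the event alertable.` The enclosing attributes object starts and ends outside the hunk.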
From: Paul Agbabian
Date: Fri, 27 Sep 2024 16:14:45 -0700
Subject: [PATCH 2/2] Improved description of is_alert to match the new description in detection_finding.
Signed-off-by: Paul Agbabian
---
 events/findings/data_security_finding.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
index f6e9fb4cc..780dde1e0 100644
--- a/events/findings/data_security_finding.json
+++ b/events/findings/data_security_finding.json
@@ -98,6 +98,7 @@
 "is_alert": {
 "profile": null,
 "group": "primary",
+ "description": "Indicates that the event is considered to be an alertable signal. For example, an activity_id of 'Create' could constitute an alertable signal and the value would be true, while 'Close' likely would not and either omit the attribute or set its value to false. Note that other events with the security_control profile may also be deemed alertable signals and may also carry is_alert = true attributes.",
 "requirement": "recommended"
 },
 "resources": {
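Review bot: The description added to data_security_finding.json is a verbatim copy of the one patch 1/2 added to detection_finding.json, and the commit message says the intent is to keep the two matching, which two hand-maintained copies will not do for long. If the schema tooling supports it, the shared text belongs on the attribute's single definition (presumably its dictionary entry, which neither patch touches) with a per-class override only where data_security_finding genuinely differs; I cannot confirm from this diff whether the dictionary already carries an is_alert description. The copied example also makes omission and `false` interchangeable for a `recommended` attribute, so consumers cannot tell "not alertable" from "not evaluated"; a sentence such as `Consumers should treat an absent is_alert as not evaluated rather than as false.` would close that gap here as well. The enclosing attributes object starts and ends outside the hunk.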