Refactor the finding object and base class

dictionary.json

@@ -107,7 +107,7 @@
     },
     "analytic": {
       "caption": "Analytic",
-      "description": "The analytic technique used to create the finding or detection",
+      "description": "The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.",
       "type": "analytic"
     },
     "answers": {
@@ -1385,6 +1385,11 @@
       "description": "The Finding object provides details about a finding/detection generated by a security tool.",
       "type": "finding"
     },
+    "finding_info": {
+      "caption": "Finding Information",
+      "description": "The information about a finding or detection generated by a security tool.",
+      "type": "finding_info"
+    },
     "fingerprint": {
       "caption": "Fingerprint",
       "description": "The digital fingerprint associated with an object.",
@@ -1803,9 +1808,9 @@
     },
     "kill_chain": {
       "caption": "Kill Chain",
-      "description": "The <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a>.",
+      "description": "The <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a> provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.",
       "is_array": true,
-      "type": "kill_chain"
+      "type": "kill_chain_phase"
     },
     "labels": {
       "caption": "Labels",

events/findings/finding.json

@@ -1,20 +1,12 @@
 {
   "caption": "Finding",
   "category": "findings",
-  "description": "The Finding event is a generic event that defines a set of attributes available in the Findings category. These attributes will be inherited by all the classes defined in the Findings category.",
+  "description": "The Finding event is a generic event that defines a set of attributes available in the Findings category.",
   "extends": "base_event",
   "name": "finding",
   "attributes": {
     "activity_id": {
       "enum": {
-        "99": {
-          "caption": "Other",
-          "description": "The activity is not mapped."
-        },
-        "0": {
-          "caption": "Unknown",
-          "description": "The activity is unknown."
-        }, 
         "1": {
           "caption": "Create",
           "description": "A finding was created."
@@ -49,7 +41,7 @@
     "end_time": {
       "description": "The time of the most recent event included in the finding."
     },
-    "finding": {
+    "finding_info": {
       "group": "primary",
       "requirement": "required"
     },

events/findings/security_finding.json

@@ -2,10 +2,26 @@
   "caption": "Security Finding",
   "category": "findings",
   "description": "Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products",
-  "extends": "finding",
+  "extends": "base_event",
   "name": "security_finding",
   "uid": 1,
   "attributes": {
+    "activity_id": {
+      "enum": {
+        "1": {
+          "caption": "Create",
+          "description": "A security finding was created."
+        },
+        "2": {
+          "caption": "Update",
+          "description": "A security finding was updated."
+        },
+        "3": {
+          "caption": "Close",
+          "description": "A security finding was closed."
+        }
+      }
+    },
     "analytic": {
       "group": "primary",
       "requirement": "recommended"
@@ -23,6 +39,19 @@
       "group": "context",
       "requirement": "optional"
     },
+    "confidence": {
+      "group": "primary",
+      "requirement":"optional"
+    },
+    "confidence_id": {
+      "group": "primary",
+      "requirement": "recommended",
+      "sibling": "confidence"
+    },
+     "confidence_score": {
+      "group": "primary",
+      "requirement":"optional"
+    },
     "data_sources": {
       "group": "context",
       "requirement": "optional"
@@ -31,6 +60,10 @@
       "group": "context",
       "requirement": "optional"
     },
+    "finding": {
+      "group": "primary",
+      "requirement": "required"
+    },
     "impact": {
       "group": "primary",
       "requirement":"optional"

events/findings/vulnerability_finding.json

@@ -1,17 +1,12 @@
 {
   "caption": "Vulnerability Finding",
-  "category": "findings",
-  "description": "Vulnerability Finding events describe findings generated by vulnerability scanning tools.",
+  "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.",
   "extends": "finding",
   "name": "vulnerability_finding",
   "uid": 2,
   "attributes": {
-    "analytic": {
-      "group": "primary",
-      "requirement": "recommended"
-    },
     "device": {
-      "description": "Describes details about the device that is affected by the vulnerability/vulnerabilities.",
+      "description": "The device where the vulnerabilities were discovered.",
       "group": "primary",
       "requirement": "recommended"
     },

objects/analytic.json

@@ -1,7 +1,7 @@
 {
   "caption": "Analytic",
   "name": "analytic",
-  "description": "The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.",
+  "description": "The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.",
   "extends": "_entity",
   "attributes": {
     "category": {
@@ -16,7 +16,11 @@
       "description": "The name of the analytic that generated the finding."
     },
     "related_analytics": {
-      "description:": "Other analytics related to this analytic ",
+      "@deprecated": {
+        "message": "Related Analytics has been decoupled from this object, instead use <code>finding_info.related_analytics</code>.",
+        "since": "v1.0.0"
+      },
+      "description": "Other analytics related to this analytic.",
       "requirement": "optional"
     },
     "type": {

objects/finding.json

@@ -3,6 +3,10 @@
   "description": "The Finding object describes metadata related to a security finding generated by a security tool or system.",
   "extends": "object",
   "name": "finding",
+  "@deprecated": {
+    "message": "Use the new <code>finding_info</code> object.",
+    "since": "v1.0.0"
+  },
   "attributes": {
     "created_time": {
       "description": "The time when the finding was created.",

objects/finding_info.json

@@ -0,0 +1,65 @@
+{
+  "caption": "Finding Information",
+  "description": "The Finding Information object describes metadata related to a security finding generated by a security tool or system.",
+  "extends": "object",
+  "name": "finding_info",
+  "attributes": {
+    "analytic": {
+      "requirement": "recommended"
+    },
+    "attacks":{
+      "description": "The <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> technique and associated tactics related to the finding.",
+      "requirement": "optional"
+    },
+    "created_time": {
+      "description": "The time when the finding was created.",
+      "requirement": "optional"
+    },
+    "desc": {
+      "description": "The description of the reported finding.",
+      "requirement": "optional"
+    },
+    "first_seen_time": {
+      "description": "The time when the finding was first observed.",
+      "requirement": "optional"
+    },
+    "kill_chain": {
+      "requirement": "optional"
+    },
+    "last_seen_time": {
+      "description": "The time when the finding was most recently observed.",
+      "requirement": "optional"
+    },
+    "modified_time": {
+      "description": "The time when the finding was last modified.",
+      "requirement": "optional"
+    },
+    "product_uid": {
+      "description": "The unique identifier of the product that reported the finding.",
+      "requirement": "optional"
+    },
+    "related_events": {
+      "requirement": "optional"
+    },
+    "related_analytics": {
+      "description:": "Other analytics related to this finding.",
+      "requirement": "optional"
+    },
+    "src_url": {
+      "description": "The URL pointing to the source of the finding.",
+      "requirement": "optional"
+    },
+    "title": {
+      "description": "A title or a brief phrase summarizing the reported finding.",
+      "requirement": "required"
+    },
+    "types": {
+      "description": "One or more types of the reported finding.",
+      "requirement": "optional"
+    },
+    "uid": {
+      "description": "The unique identifier of the reported finding.",
+      "requirement": "required"
+    }
+  }
+}

objects/kill_chain_phase.json

@@ -0,0 +1,15 @@
+{
+  "caption": "Kill Chain Phase",
+  "description": "The Kill Chain Phase object represents a single phase of a cyber attack, including the initial reconnaissance and planning stages up to the final objective of the attacker. It provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. See <a target='_blank' href='https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html'>Cyber Kill Chain®</a>.",
+  "extends": "object",
+  "name": "kill_chain_phase",
+  "attributes": {
+    "phase": {
+      "requirement": "recommended"
+    },
+    "phase_id": {
+      "requirement": "required",
+      "sibling": "phase"
+    }
+  }
+}

objects/related_event.json

@@ -4,6 +4,15 @@
   "extends": "object",
   "name": "related_event",
   "attributes": {
+    "attacks": {
+      "requirement": "optional"
+    },
+    "kill_chain": {
+      "requirement": "optional"
+    },
+    "observables": {
+      "requirement": "optional"
+    },
     "product_uid": {
       "description": "The unique identifier of the product that reported the related event.",
       "requirement": "optional"

objects/vulnerability.json

@@ -1,6 +1,6 @@
 {
   "caption": "Vulnerability Details",
-  "description": "The Vulnerability Details object describes characteristics of an observed vulnerability.",
+  "description": "The vulnerability is an unintended characteristic of a computing component or system configuration that multiplies the risk of an adverse event or a loss occurring either due to accidental exposure, deliberate attack, or conflict with new system components.",
   "extends": "object",
   "name": "vulnerability",
   "attributes": {