
Additional fields to Detection Finding #965

Open
ggacusan-at-duo opened this issue Feb 14, 2024 · 1 comment
Labels
findings Issues related to Findings Category

Comments


ggacusan-at-duo commented Feb 14, 2024

Tagged Events if Raised
There might be some cases where an IT configures their threat detection platform to highlight specific events that are of interest to them. For example, the IT configures their platform to highlight / tag if a Finding originates from a known anomalous network. If the Product surfaces an event from this known anomalous network, then we need some way to highlight or tag the event to the IT with associated reasons. This might make sense in the Metadata field.

New User
It might be of interest to note if a user has been newly added or has not authenticated in a while. Attackers can create new users or authenticate into a dormant user. This might make sense in the User field.

Additional Network Connection fields
To help an incident responder, it might be helpful to highlight benign characteristics of certain network details, such as if it is a frequent network / netblock for an organization or if the IP is allow-listed. This might make sense in the Network Connection Information field.


Example of this use case from Duo Trust Monitor
https://duo.com/docs/adminapi#trust-monitor

@floydtree floydtree added the findings Issues related to Findings Category label Feb 27, 2024

guy9001 commented Mar 28, 2024

@ggacusan-at-duo do you have examples of how you would like to embed this in the objects?
This sounds to me like general enrichments and not necessarily a new attribute.
Something we just wanted to suggest as well is to have Array[Enrichment] for OCSF objects as well, and not just for event classes like today. I think this could help your use case, so for User you could have an enrichment called "is_new" with a boolean value, etc.
WDYT?
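An added example (not from this thread or the OCSF project) of how the three flags requested above could be carried today as event-level enrichments on a Detection Finding, in the spirit of the "is_new" suggestion. It assumes the OCSF Enrichment object shape of name and value (strings) plus optional data, provider and type, and the `target` key inside data is a constructed convention for saying which object the flag describes.

```python
from typing import Any

# Constructed sample Detection Finding, trimmed to the fields this example uses.
SAMPLE_FINDING = {
    "class_uid": 2004,
    "finding_info": {"title": "Login from unusual network"},
    "user": {"name": "alice", "uid": "u-1001"},
    "src_endpoint": {"ip": "203.0.113.10"},
}


def add_enrichment(event, name, value, data=None, provider=None, target=None):
    """Append one Enrichment to the event-level array. OCSF stores value as a
    string, so booleans are lowered to "true"/"false". `target` (assumed, not
    part of OCSF) records which object the flag is about, e.g. user."""
    entry = {"name": name, "value": str(value).lower() if isinstance(value, bool) else str(value)}
    payload = dict(data or {})
    if target:
        payload["target"] = target
    if payload:
        entry["data"] = payload
    if provider:
        entry["provider"] = provider
    event.setdefault("enrichments", []).append(entry)
    return event


def enrichment_map(event):
    """Index enrichments by name so a consumer can look flags up quickly."""
    return {e["name"]: e for e in event.get("enrichments", [])}


def triage_notes(event):
    """Turn the flags from the thread into responder-facing notes."""
    em = enrichment_map(event)
    notes = []
    if em.get("is_new", {}).get("value") == "true":
        notes.append(f"user {event['user']['name']} was created recently")
    tag = em.get("known_anomalous_network")
    if tag and tag["value"] == "true":
        reasons = ", ".join(tag.get("data", {}).get("reasons", []))
        notes.append(f"source network flagged by admin: {reasons}")
    if em.get("ip_allow_listed", {}).get("value") == "true":
        notes.append(f"src ip {event['src_endpoint']['ip']} is on the allow list")
    return notes


def enrich_sample():
    """Build the constructed finding with the three flags discussed above."""
    ev = {**SAMPLE_FINDING}  # shallow copy; the enrichments list is created fresh
    add_enrichment(ev, "is_new", True, provider="directory", target="user")
    add_enrichment(ev, "known_anomalous_network", True,
                   data={"reasons": ["admin watchlist", "prior compromise"]},
                   provider="trust_monitor", target="src_endpoint")
    add_enrichment(ev, "ip_allow_listed", False, provider="firewall", target="src_endpoint")
    return ev
```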
