
Expand evidences #1337

Open · wants to merge 10 commits into base: main

Conversation

jonrau-at-queryai (Contributor)

Related Issue:

Description of changes:

  • Adds resource_details to evidences. This allows producers/mappers to account for cloud-based resources and other generic resources that do not fit well within device or network_endpoint. For instance, the amazonResourceEvidence evidence type in the Microsoft Graph Security List Alerts V2 API.
  • Adds name to evidences. In various upstream platforms such as Microsoft Graph and CrowdStrike, there are either naming conventions for the type of evidence (e.g., amazonResourceEvidence) or an actual display name or direct name, such as the display_name value within Behaviors associated with Incidents in CrowdStrike Falcon. Microsoft Defender also has an array of evidence associated with their alerts, each of which contains the entityType key, which identifies the name of the evidence.
  • Adds uid to evidences, much for the same reason as name. Platforms often have a GUID of some sort identifying the specific evidence associated with an alert, such as activity_id associated with CrowdStrike Falcon Alerts, which is the smallest "unit" of alerting/detection data. Likewise, the Behaviors associated with CrowdStrike Falcon Incidents each have their own behavior_id which ties them to the Incident ID itself.
  • Adds verdict and verdict_id to evidences to normalize similar values in other systems. In every single Evidence type within Microsoft Graph Security Alerts, there is a verdict enumeration. Likewise, Microsoft Defender for Graph Alerts have evidence arrays, each containing a DetectionStatus that denotes whether something was a FP, TP, or otherwise.
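
As an added example (not code from the OCSF project or from this PR), the following Python sketches how a producer would populate the proposed name, uid, resource_details, verdict and verdict_id attributes from the two upstream sources the description names, and how a consumer would sanity-check the result. The upstream field names (@odata.type, amazonResourceId, resourceName, resourceType, behavior_id, display_name), the verdict_id numbers, the Graph-to-OCSF verdict translation table and the resource_details keys are assumptions made for illustration; the sample inputs are constructed, not real API responses.

```python
"""Map upstream alert evidence into OCSF 'evidences' objects carrying the
attributes this PR proposes (name, uid, resource_details, verdict, verdict_id).

Added example, not code from OCSF or the PR author. The verdict_id numbers,
the upstream field names and the normalization choices are assumptions; the
sample inputs are constructed.
"""
from __future__ import annotations

from typing import Any

# Assumed OCSF verdict enumeration (label -> verdict_id). Check the enum the
# merged schema actually defines before relying on these numbers.
VERDICT_ID: dict[str, int] = {
    "Unknown": 0,
    "False Positive": 1,
    "True Positive": 2,
    "Suspicious": 4,
    "Benign": 5,
    "Other": 99,
}

# Assumed translation from Microsoft Graph Security 'verdict' strings to the
# OCSF labels above. Any value not listed falls through to "Other" so that a
# new upstream enum member never silently becomes a benign or unknown verdict.
GRAPH_VERDICT: dict[str, str] = {
    "unknown": "Unknown",
    "suspicious": "Suspicious",
    "malicious": "True Positive",
    "noThreatsFound": "Benign",
}


def normalize_verdict(raw: Any, table: dict[str, str]) -> tuple[str, int]:
    """Return (verdict, verdict_id); missing input is Unknown, unmapped is Other."""
    if raw is None:
        return "Unknown", VERDICT_ID["Unknown"]
    label = table.get(str(raw), "Other")
    return label, VERDICT_ID[label]


def map_graph_evidence(ev: dict[str, Any]) -> dict[str, Any]:
    """Graph Security alert evidence -> one OCSF evidences entry.

    The evidence type name is taken from '@odata.type'
    (e.g. '#microsoft.graph.security.amazonResourceEvidence'). A cloud
    resource goes into resource_details rather than device/network_endpoint.
    """
    odata_type = str(ev.get("@odata.type", ""))
    name = odata_type.rsplit(".", 1)[-1].lstrip("#") or "unknownEvidence"
    verdict, verdict_id = normalize_verdict(ev.get("verdict"), GRAPH_VERDICT)
    out: dict[str, Any] = {"name": name, "verdict": verdict, "verdict_id": verdict_id}
    if name == "amazonResourceEvidence":
        # Assumed Graph field names and assumed resource_details keys.
        out["resource_details"] = [{
            "uid": ev.get("amazonResourceId"),
            "name": ev.get("resourceName"),
            "type": ev.get("resourceType"),
        }]
    return out


def map_crowdstrike_behavior(beh: dict[str, Any]) -> dict[str, Any]:
    """CrowdStrike Falcon incident behavior -> one OCSF evidences entry.

    behavior_id becomes uid and display_name becomes name. Behaviors carry no
    verdict, so the entry says Unknown explicitly instead of omitting it.
    """
    verdict, verdict_id = normalize_verdict(None, {})
    return {
        "uid": str(beh["behavior_id"]),
        "name": beh.get("display_name") or "behavior",
        "verdict": verdict,
        "verdict_id": verdict_id,
    }


def check_evidence(entry: dict[str, Any]) -> list[str]:
    """Consistency checks a consumer would run before trusting a mapped entry."""
    problems: list[str] = []
    if "verdict_id" in entry and VERDICT_ID.get(entry.get("verdict")) != entry["verdict_id"]:
        problems.append("verdict and verdict_id disagree")
    if not any(k in entry for k in ("uid", "name")):
        problems.append("evidence has neither uid nor name")
    for rd in entry.get("resource_details", []):
        if not rd.get("uid") and not rd.get("name"):
            problems.append("resource_details entry lacks uid and name")
    return problems


# Constructed sample inputs (not real API responses).
GRAPH_SAMPLE = {
    "@odata.type": "#microsoft.graph.security.amazonResourceEvidence",
    "verdict": "malicious",
    "amazonResourceId": "arn:aws:s3:::example-bucket",
    "resourceName": "example-bucket",
    "resourceType": "AWS::S3::Bucket",
}
FALCON_SAMPLE = {"behavior_id": "ind:abc:123", "display_name": "Credential Access via LSASS"}

if __name__ == "__main__":
    for entry in (map_graph_evidence(GRAPH_SAMPLE), map_crowdstrike_behavior(FALCON_SAMPLE)):
        print(entry, check_evidence(entry))
```

The point of carrying both verdict and verdict_id is that the string is readable and the integer is queryable; check_evidence makes sure a mapper never emits one without the other agreeing, and the fall-through to Other/99 keeps an unrecognized upstream verdict visible rather than collapsing it into Unknown.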

jonrau-at-queryai changed the title to "Expand evidences" on Feb 5, 2025
jonrau-at-queryai added the labels enhancement, findings, non_breaking and v1.5.0 on Feb 20, 2025
Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Labels

  • enhancement: New feature or request
  • findings: Issues related to Findings Category
  • non_breaking: Non Breaking, backwards compatible changes
  • v1.5.0: Items to be considered for OCSF v1.5.0