Add new object Analytic and attribute analytic

[pagbabian-splunk]

The existing Rule object and rule attribute can be better generalized with an Analytic object and associated analytic attribute that allows for other analytic detection techniques. The object is similar to Rule for consistency but adds a required type_id enum that indicates the type of analytic: [Unknown, Rule, Behavioral, Statistical, Learning].

The attribute analytic will be added to the dictionary along with the Analytic object, for use with Security Finding (i.e. it will be added to the Security Finding class as Recommended, so as to be non-breaking).

The object:

{
    "caption": "Analytic",
    "name": "analytic",
    "description": "The analytic technique associated with a finding.",
    "extends": "object",
    "attributes": {
      "desc": {
        "description": "The description of the analytic that generated the finding.",
        "requirement": "optional"
      },
      "name": {
        "description": "The name of the analytic that generated the finding.",
        "requirement": "required"
      },
      "type": {
        "description": "The analytic type.",
        "requirement": "optional"
      },
      "type_id": {
        "description": "The analytic type ID.",
        "requirement": "required",
        "enum": {
          "0": {
            "caption": "Unknown"
          },
          "1": {
            "caption": "Rule"
          },
          "2": {
            "caption": "Behavioral"
          },
          "3": {
            "caption": "Statistical"
          },
          "4": {
            "caption": "Learning (ML/DL)"
          },
          "99": {
            "caption": "Other"
          }
        }
      },
      "uid": {
        "description": "The unique identifier of the analytic that generated the finding.",
        "requirement": "recommended"
      },
      "version": {
        "description": "The analytic version. For example: <code>1.1</code>.",
        "requirement": "optional"
      }
    }
  }

[irakledibm]

I would like to propose adding related_analytics array attribute to this object. It would cover cases when particular analytic consists of group of other analytics like a building blocks, contributing to a logic/decision.

[pagbabian-splunk]

Good suggestion. I'll add it. It may be best to add it to the Security Findings, as we did with related_events, otherwise we would be recursive, or it would need to just be a string (like in vulnerabilities - really should be touched up too).

E.g. with related_vulnerabilities are they related to the finding or are they related to the CVE of the vuln in the finding? Different question for `related_analytic - you mean they are related to the analytic, not the finding (i.e. building blocks).

[irakledibm]

related_vulnerabilities would be related to CVE of the vuln in the finding