Adding various OCSF 1.1 fields to log type static mappings

[toepkerd]

Description

Adds various OCSF 1.1 field mappings to the static mappings repository in Security Analytics, allowing for more automatic field mappings during detector creation on indices ingesting OCSF 1.1 logs from Security Lake.

Check List

• New functionality includes testing.
• New functionality has been documented.
• API changes companion pull request created.
• Commits are signed per the DCO using --signoff.
• Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[sbcd90]

why do we need to change the count of these tests?

[toepkerd]

The tests check for the number of mapped and unmapped fields. Since we've added new static mappings, fields that didn't have mappings before now do, so the counts in the tests are adjusted to reflect this.

[amsiglan]

Shouldn't this match with the ocsf mapping?

[toepkerd]

If you're referring to replacing the "ocsf" field to have value "disposition" instead of "disposition_id" (and not introducing the "ocsf11" field at all), this runs the risk of creating mapping conflicts with existing customer detectors who already used the old static mappings to create that detector's mappings alias indices. Adding instead of replacing fields (despite the fact that both disposition and disposition_id exist in both OCSF1.0 and OCSF1.1) works around this.