Merge branch 'main' into load_balancer

Signed-off-by: Paul Agbabian <[email protected]>

CHANGELOG.md

@@ -46,6 +46,7 @@ Thankyou! -->
     1. Added `Event Log Activity` event class. #1014
     2. Added `Remediation Activity` `File Remediation Activity` `Process Remediation Activity` `Network Remediation Activity` event classes. #1066
     3. Added `Windows Service Activity` event class to the Windows extension. #1103
+    4. Added `Software Inventory Info` event class to the Discovery category. #1134
 * #### Profiles
     1. Added `osint` Profile based on `osint` object. #992
 * #### Objects
@@ -58,9 +59,7 @@ Thankyou! -->
     7. Added `whois` object. #992
     8. Added `domain_contact` and array-typed `domain_contacts` object for use with `whois` object. #992
     9. Added `Windows Service` object to the Windows extension. #1103
-    10. Added array-typed `compliacne_references` and array-typed `compliance_standards` objects as array of `kb_article` and used in `compliance` object. #1110    
-
-
+    10. Added array-typed `compliance_references` and array-typed `compliance_standards` objects as array of `kb_article` to `compliance` object. #1110
 * #### Platform Extensions
 
 ### Improved
@@ -69,8 +68,9 @@ Thankyou! -->
     1. Added `file_result` to File Hosting Activity. #1045
     2. Added entries to `injection_type_id` enum (`Process Activity`) and `activity_id` enum (`Memory Activity`). #1060
     3. Added a `Restart`, `Enable`, `Disable`, and `Update` `activity_id` to the `Application Lifecycle` class. #1064
-    4. Added `ja4_fingerprint_list` to base network event class. #834 
-    5. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Resume` to the `Entity Management` class. #1095
+    4. Added `ja4_fingerprint_list` to base network event class. #834
+    5. Added `ticket` to `Incident Finding` event class. #1068
+    6. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Resume` to the `Entity Management` class. #1095
 * #### Profiles
 * #### Objects
     1. Added `ext` to `File` object. #1046
@@ -87,23 +87,27 @@ Thankyou! -->
 * #### Platform Extensions
 
 ### Bugfixes
-    1. Fixed the host profile construction in `patch_state` event class. #1087
-    2. Removed the optional requirement overrides for `name` and `uid` in `_resource` as they are part of a constraint. #1087
-    3. Fixed declarations of `data_lifecycle_state_id`, `integrity`, `opcode_id`, `risk_level`, and `analytic.type_id`. #1111
+1. Fixed the host profile construction in `patch_state` event class. #1087
+2. Removed the optional requirement overrides for `name` and `uid` in `_resource` as they are part of a constraint. #1087
+3. Fixed declarations of `data_lifecycle_state_id`, `integrity`, `opcode_id`, `risk_level`, and `analytic.type_id`. #1111
 
 ### Deprecated
 
 ### Breaking changes
 
 ### Misc
-    1. Colorized validator output #1048
-        * Updated the GitHub workflow for the `ocsf-validator` to print colorized output.
-    2. Clarify how to reference profiles in metadata #1056
-        * Updated the description of `metadata.profiles` to clarify the correct way to reference a profile in that list.
-    3. Added a `gitignore` file. #1071
-    4. New Extension registration for Cisco #1074
-    5. Cleaned up MITRE trademarks and registrations for captions and descriptions.
-    6. Declared enums in dictionary.json have sane "0" (Unknown) and "99" (Other) declarations and descriptions where appropriate #1111
+1. Colorized validator output #1048
+    * Updated the GitHub workflow for the `ocsf-validator` to print colorized output.
+2. Clarify how to reference profiles in metadata #1056
+    * Updated the description of `metadata.profiles` to clarify the correct way to reference a profile in that list.
+3. Added a `gitignore` file. #1071
+4. New Extension registration for Cisco #1074
+5. Cleaned up MITRE trademarks and registrations for captions and descriptions.
+6. Declared enums in dictionary.json have sane "0" (Unknown) and "99" (Other) declarations and descriptions where appropriate #1111
+7. Adds support for `suppress_checks` controls in attributes to allow tools to automatically validate conventions #1063
+    * Updated several attributes that do not follow conventions to disable linting for them
+8. Added `credential_uid` as an Observable type - type_id: 19. #1137
+9. New Extension registration for US Gov #1140
 
 ## [v1.2.0] - April 23rd, 2024
 
@@ -158,6 +162,8 @@ Thankyou! -->
     7. Added a `Preauth` `activity_id` to the `Authentication` class. #1018
     8. Added the `Security Control` profile to the `Datastore Activity` class. #1030
     9. Added `risk_details` to Detection Finding. #1032
+   10. Added `access_mask` to Entity Management class. #1090
+   11. Added `access_list` to Entity Management class. #1090
 
 * #### Profiles
     n/a
@@ -186,32 +192,32 @@ Thankyou! -->
     n/a
 
 ### Bugfixes
-    1. Changed datatype of `priority` attribute, from `integer_t` to `string_t` #959
-    2. Extended `email_t` regexp to allow characters from RFC5322 before @.
-    3. Updated `logon_type_id` enum to include `0` as `Unknown`. Added enum item `1` as `System`. #1055
+1. Changed datatype of `priority` attribute, from `integer_t` to `string_t` #959
+2. Extended `email_t` regexp to allow characters from RFC5322 before @.
+3. Updated `logon_type_id` enum to include `0` as `Unknown`. Added enum item `1` as `System`. #1055
 
 ### Deprecated
-    1. Deprecated `coordinates` attribute in favor of specific `lat`, `long` attributes. #971
-    2. Deprecated `invoked_by` attribute in the `Actor` object in favor of `app_name`. #979.
+1. Deprecated `coordinates` attribute in favor of specific `lat`, `long` attributes. #971
+2. Deprecated `invoked_by` attribute in the `Actor` object in favor of `app_name`. #979.
 
 ### Breaking changes
-    n/a
+n/a
 
 ### Misc
-    1. New Extension registration for Sedara. #951
-    2. Corrected punctuation for the `transmit_time` attribute. #1001
-    3. New ways to define observables in the metaschema. #982 and #993
-        * (Current) Dictionary types using `observable` property in dictionary types. This allows defining all occurrences of attributes of this type as an observable.
-        * (Current) Objects using top-level `observable` property. This allows defining all occurrences attributes whose type is this object as an observable.
-        * _**(New)**_ Dictionary attributes using `observable` property in attribute. This allows defining all occurrences of this attribute as an observable.
-        * _**(New)**_ Object-specific attributes using `observable` property class's attributes. This allows defining object attributes as observables _only_ within instances of this specific object.
-        * _**(New)**_ Event class-specific attributes using `observable` property class's attributes. This allows defining class attributes as observables _only_ within instances of this specific class.
-        * _**(New)**_ Event class-specific attribute _paths_ using top-level `observables` property. The `observables` property holds an object mapping from an dotted attribute path to an observable `type_id`. This allows defining an observables _only_ within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient that defining a class attribute observable for classes that extend another, but don't otherwise change a attribute definition.
-    4. Metaschema improvements. #993 
-        * Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: invalid `observable` property in event classes, and invalid `observables` property in objects.
-        * Remove hard-coded list of categories from `metaschema/categories.schema.json`, leaving this to the `ocsf-validator`. This change makes testing with alternate schemas that may add extra categories easier, as well as making it possible to validate private extensions that contain new categories.
-    5. Metaschema error reporting #1027
-        * Updated the definition of `object` and `event` so that metaschema errors reported by the validator with nested properties correctly attribute the error to the property with the error, rather than the top-level class.
+1. New Extension registration for Sedara. #951
+2. Corrected punctuation for the `transmit_time` attribute. #1001
+3. New ways to define observables in the metaschema. #982 and #993
+    * (Current) Dictionary types using `observable` property in dictionary types. This allows defining all occurrences of attributes of this type as an observable.
+    * (Current) Objects using top-level `observable` property. This allows defining all occurrences attributes whose type is this object as an observable.
+    * _**(New)**_ Dictionary attributes using `observable` property in attribute. This allows defining all occurrences of this attribute as an observable.
+    * _**(New)**_ Object-specific attributes using `observable` property class's attributes. This allows defining object attributes as observables _only_ within instances of this specific object.
+    * _**(New)**_ Event class-specific attributes using `observable` property class's attributes. This allows defining class attributes as observables _only_ within instances of this specific class.
+    * _**(New)**_ Event class-specific attribute _paths_ using top-level `observables` property. The `observables` property holds an object mapping from an dotted attribute path to an observable `type_id`. This allows defining an observables _only_ within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient that defining a class attribute observable for classes that extend another, but don't otherwise change a attribute definition.
+4. Metaschema improvements. #993 
+    * Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: invalid `observable` property in event classes, and invalid `observables` property in objects.
+    * Remove hard-coded list of categories from `metaschema/categories.schema.json`, leaving this to the `ocsf-validator`. This change makes testing with alternate schemas that may add extra categories easier, as well as making it possible to validate private extensions that contain new categories.
+5. Metaschema error reporting #1027
+    * Updated the definition of `object` and `event` so that metaschema errors reported by the validator with nested properties correctly attribute the error to the property with the error, rather than the top-level class.
 
 ## [v1.1.0] - January 25th, 2024
 
@@ -304,4 +310,4 @@ Thankyou! -->
 
 ## [v1.0.0]
 
-Initial release of OCSF.
+Initial release of OCSF.

dictionary.json

@@ -76,6 +76,7 @@
     "activity_id": {
       "caption": "Activity ID",
       "description": "The normalized identifier of the activity that triggered the event.",
+      "suppress_checks": ["sibling_convention"],
       "sibling": "activity_name",
       "type": "integer_t",
       "enum": {
@@ -1164,7 +1165,8 @@
     "credential_uid": {
       "caption": "User Credential ID",
       "description": "The unique identifier of the user's credential. For example, AWS Access Key ID.",
-      "type": "string_t"
+      "type": "string_t",
+      "observable": 19
     },
     "criticality": {
       "caption": "Criticality",
@@ -2919,6 +2921,7 @@
     "opcode_id": {
       "caption": "DNS Opcode ID",
       "description": "The DNS opcode ID specifies the normalized query message type as defined in <a target='_blank' href='https://www.rfc-editor.org/rfc/rfc5395.html'>RFC-5395</a>.",
+      "suppress_checks": ["enum_convention"],
       "type": "integer_t",
       "enum": {
         "0": {
@@ -3628,6 +3631,7 @@
     "risk_level_id": {
       "caption": "Risk Level ID",
       "description": "The normalized risk level id.",
+      "suppress_checks": ["enum_convention"],
       "sibling": "risk_level",
       "type": "integer_t",
       "enum": {

events/discovery/software_inventory_info.json

@@ -0,0 +1,31 @@
+{
+  "caption": "Software Inventory Info",
+  "description": "Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.",
+  "extends": "discovery",
+  "name": "software_info",
+  "uid": 20,
+  "profiles": [
+    "host"
+  ],
+  "attributes": {
+    "actor": {
+      "group": "context",
+      "requirement": "optional"
+    },
+    "device": {
+      "group": "primary",
+      "requirement": "required",
+      "description": "The device that is being discovered by an inventory process."
+    },
+      "package": {
+      "group": "primary",
+      "requirement": "required",
+      "description": "The device software that is being discovered by an inventory process."
+    },
+      "product": {
+      "group": "context",
+      "requirement": "optional",
+      "description": "Additional product attributes that have been discovered or enriched from a catalog or other external source."
+    }  
+  }
+}

events/iam/entity_management.json

@@ -77,6 +77,14 @@
     "entity_result": {
       "group": "primary",
       "requirement": "recommended"
+    },
+    "access_mask": {
+      "group": "context",
+      "requirement": "optional"
+    },
+    "access_list": {
+      "group": "context",
+      "requirement": "optional"
     }
   }
 }

events/remediation/file_remediation.json → events/remediation/file_remediation_activity.json

@@ -1,8 +1,8 @@
 {
     "caption": "File Remediation Activity",
     "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Sub-techniques will include File, such as File Removal or Restore File.",
-    "extends": "remediation",
-    "name": "file_remediation",
+    "extends": "remediation_activity",
+    "name": "file_remediation_activity",
     "uid": 2,
     "attributes": {
       "file": {

events/remediation/network_remediation.json → events/remediation/network_remediation_activity.json

@@ -1,8 +1,8 @@
 {
     "caption": "Network Remediation Activity",
     "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.",
-    "extends": "remediation",
-    "name": "network_remediation",
+    "extends": "remediation_activity",
+    "name": "network_remediation_activity",
     "uid": 4,
     "attributes": {
       "connection_info": {

events/remediation/process_remediation.json → events/remediation/process_remediation_activity.json

@@ -1,8 +1,8 @@
 {
     "caption": "Process Remediation Activity",
     "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.",
-    "extends": "remediation",
-    "name": "process_remediation",
+    "extends": "remediation_activity",
+    "name": "process_remediation_activity",
     "uid": 3,
     "attributes": {
       "process": {

events/remediation/remediation.json → events/remediation/remediation_activity.json

@@ -1,7 +1,7 @@
 {
     "caption": "Remediation Activity",
     "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>.",
-    "name": "remediation",
+    "name": "remediation_activity",
     "category": "remediation",
     "extends": "base_event",
     "uid": 1,

extensions.md

@@ -3,6 +3,7 @@ The purpose of this file is to keep track of and avoid collisions in Extension `
 
 | Caption     | Name     | UID | Notes |
 |-------------|----------|-----|-------|
+| US GOV      | usg1     | **990** | The USG-1 schema extension |
 | Cisco       | cisco    | **991** | The Cisco schema extension |
 | Sedara      | sedara   | **992** | The Sedara schema extension |
 | Sciber      | sciber   | **993** | The Sciber schema extension |

extensions/windows/objects/evidences.json

@@ -33,6 +33,7 @@
       "src_endpoint",
       "url",
       "user",
+      "job",
       "reg_key",
       "reg_value",
       "win_service"

metaschema/attribute.schema.json

@@ -73,4 +73,4 @@
             }
         }
     }
-}
+}

metaschema/dictionary-attribute.schema.json

@@ -53,9 +53,25 @@
             "type": "boolean",
             "description": "A flag used when the attribute represents an array of values rather than a single value."
         },
+        "suppress_checks": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "anyOf": [
+              {
+                "const": "enum_convention",
+                "description": "Suppresses the convention that every Enum type has two common values with integer value 0 for Unknown and 99 for Other."
+              },
+              {
+                "const": "sibling_convention",
+                "description": "Suppresses the convention that a sibling field for a field that has an _id suffix should be the name with the _id suffix stripped."
+              }
+            ]
+          }
+        },
         "observable": {
             "$ref": "observable.schema.json"
         }
     },
     "additionalProperties": false
-}
+}

objects/evidences.json

@@ -67,6 +67,10 @@
     "user": {
       "description": "Describes details about the user that was the target or somehow else associated with the activity that triggered the detection.",
       "requirement": "recommended"
+    },
+    "job": {
+      "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.",
+      "requirement": "recommended"
     }
   },
   "constraints": {
@@ -85,7 +89,8 @@
       "query",
       "src_endpoint",
       "url",
-      "user"
+      "user",
+      "job"
     ]
   }
 }