From 8e00d68a23bd380eda3c07e3d2cb84dd24372284 Mon Sep 17 00:00:00 2001 From: Jason Reimer Date: Wed, 3 Jul 2024 06:16:13 -0700 Subject: [PATCH 1/8] New Discovery software inventory class (#1134) New Discovery class for software inventory data captured via a log or collection process. This new class is a companion and mirrors the Discovery class Device Inventory Info 5001. #### Description of changes: 1. This class models locally or scanned sourced software details. 2. Primary using device, software package, and product objects. 3. The Software Package object is to be used for Device specific software details. 4. The Product object (optional) can be used to capture additional software product details as part of a vendor's software catalog. --------- Signed-off-by: Jason Reimer --- CHANGELOG.md | 3 +- events/discovery/software_inventory_info.json | 31 +++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 events/discovery/software_inventory_info.json diff --git a/CHANGELOG.md b/CHANGELOG.md index fefdd8810..56b0b0629 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -46,6 +46,7 @@ Thankyou! --> 1. Added `Event Log Activity` event class. #1014 2. Added `Remediation Activity` `File Remediation Activity` `Process Remediation Activity` `Network Remediation Activity` event classes. #1066 3. Added `Windows Service Activity` event class to the Windows extension. #1103 + 4. Added `Software Inventory Info` event class to the Discovery category. #1134 * #### Profiles 1. Added `osint` Profile based on `osint` object. #992 * #### Objects @@ -301,4 +302,4 @@ Thankyou! --> ## [v1.0.0] -Initial release of OCSF. \ No newline at end of file +Initial release of OCSF. diff --git a/events/discovery/software_inventory_info.json b/events/discovery/software_inventory_info.json new file mode 100644 index 000000000..86e3f7aa2 --- /dev/null +++ b/events/discovery/software_inventory_info.json 
@@ -0,0 +1,31 @@ +{ + "caption": "Software Inventory Info", + "description": "Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.", + "extends": "discovery", + "name": "software_info", + "uid": 20, + "profiles": [ + "host" + ], + "attributes": { + "actor": { + "group": "context", + "requirement": "optional" + }, + "device": { + "group": "primary", + "requirement": "required", + "description": "The device that is being discovered by an inventory process." + }, + "package": { + "group": "primary", + "requirement": "required", + "description": "The device software that is being discovered by an inventory process." + }, + "product": { + "group": "context", + "requirement": "optional", + "description": "Additional product attributes that have been discovered or enriched from a catalog or other external source." + } + } +} From f83ba83e3ef609df62d7b5d647dbbd9ffa0c69ae Mon Sep 17 00:00:00 2001 From: Zachary Lammers Date: Tue, 9 Jul 2024 13:24:29 -0500 Subject: [PATCH 2/8] Add router, ids, and ips entries to type_id enum in the Endpoint object (#1121) #### Related Issue: [1120](https://github.com/ocsf/ocsf-schema/issues/1120) #### Description of changes: Adds three enum type_id values to the Endpoint object: - router - ids - ips Miscellaneous: Updates grammar on the IOT entry. I confirm that I have tested the changes, and the server run was error free. New entries shown with server run: ![image](https://github.com/ocsf/ocsf-schema/assets/173811405/01ce99f7-2451-46ef-a8ac-cea3caf1192e) Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com> --- CHANGELOG.md | 1 + objects/endpoint.json | 14 +++++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56b0b0629..c723806fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
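Review bot: in PATCH 1/8, the events/discovery/software_inventory_info.json hunk sets `"name": "software_info"`, which matches neither the file name `software_inventory_info.json` nor the caption "Software Inventory Info"; PATCH 7/8 in this same series renames the remediation classes precisely so that file name and `name` agree, so `"name": "software_inventory_info"` here would avoid a second rename later. The description's second sentence ("For example, when collecting device information from a CMDB or running a network sweep of connected devices.") is a fragment; fold it into the first sentence, e.g. "... either logged or proactively collected, for example when reading device information from a CMDB or running a network sweep of connected devices."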
@@ -82,6 +82,7 @@ Thankyou! --> 6. Added `reg_key` and `reg_value` to `Evidence Artifacts` object. #1078 7. Added `type_id` and associated entity objects to `Managed Entity`. #1094 8. Added `vendor_name`, `type`, `type_id` to object `package`. #1093 + 9. Added `router`, `ids`, and `ips` entries to `type_id` enum in the `Endpoint` object. #1121 * #### Platform Extensions ### Bugfixes diff --git a/objects/endpoint.json b/objects/endpoint.json index 15f6b5dc6..332810968 100644 --- a/objects/endpoint.json +++ b/objects/endpoint.json @@ -94,7 +94,7 @@ }, "7": { "caption": "IOT", - "description": "A IOT (Internet of Things) device." + "description": "An IOT (Internet of Things) device." }, "8": { "caption": "Browser", @@ -111,6 +111,18 @@ "11": { "caption": "Hub", "description": "A networking hub." + }, + "12": { + "caption": "Router", + "description": "A networking router." + }, + "13": { + "caption": "IDS", + "description": "An intrusion detection system." + }, + "14": { + "caption": "IPS", + "description": "An intrusion prevention system." } }, "requirement": "recommended" From df2e130b86ca16ff4f1a3b7afba15446ba72bed4 Mon Sep 17 00:00:00 2001 From: Donovan Kolbly Date: Tue, 9 Jul 2024 12:50:54 -0600 Subject: [PATCH 3/8] Linting controls (#1063) #### Related Issue: #1061 _Support linting of enum and sibling conventions_ #### Description of changes: * Adds a `suppress_checks` option to the metaschema to configure turning off certain linting rules * Turns off those linting checks for places where we have violated the conventions (there are about 3) * Fixes `data_lifecycle_state_id` to follow the enum convention by adding a 99 (Other) enumerand and articulating that _it_ should be used for "other" --------- 
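Review bot: in PATCH 2/8, the objects/endpoint.json hunk `@@ -111,6 +111,18 @@` closes the `type_id` enum right after the new `"14"` (IPS) entry, and no `"99"` (Other) entry is visible in the context shown; the 0/99 convention that PATCH 3/8 later encodes as `enum_convention` means this enum needs either a 99 entry or a `suppress_checks` annotation, so confirm one exists above the shown context before merge. The first hunk's `"A IOT"` to `"An IOT"` fix is correct.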
Signed-off-by: Donovan Kolbly Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com> --- CHANGELOG.md | 3 +++ dictionary.json | 3 +++ metaschema/attribute.schema.json | 2 +- metaschema/dictionary-attribute.schema.json | 18 +++++++++++++++++- 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c723806fd..27a95bfe3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -103,6 +103,9 @@ Thankyou! --> 4. New Extension registration for Cisco #1074 5. Cleaned up MITRE trademarks and registrations for captions and descriptions. 6. Declared enums in dictionary.json have sane "0" (Unknown) and "99" (Other) declarations and descriptions where appropriate #1111 + 7. Adds support for `suppress_checks` controls in attributes to allow tools to automatically validate conventions #1063 + * Updated several attributes that do not follow conventions to disable linting for them + ## [v1.2.0] - April 23rd, 2024 diff --git a/dictionary.json b/dictionary.json index aa7728cee..24320366d 100644 --- a/dictionary.json +++ b/dictionary.json @@ -76,6 +76,7 @@ "activity_id": { "caption": "Activity ID", "description": "The normalized identifier of the activity that triggered the event.", + "suppress_checks": ["sibling_convention"], "sibling": "activity_name", "type": "integer_t", "enum": { @@ -2919,6 +2920,7 @@ "opcode_id": { "caption": "DNS Opcode ID", "description": "The DNS opcode ID specifies the normalized query message type as defined in RFC-5395.", + "suppress_checks": ["enum_convention"], "type": "integer_t", "enum": { "0": { @@ -3628,6 +3630,7 @@ "risk_level_id": { "caption": "Risk Level ID", "description": "The normalized risk level id.", + "suppress_checks": ["enum_convention"], "sibling": "risk_level", "type": "integer_t", "enum": { diff --git a/metaschema/attribute.schema.json b/metaschema/attribute.schema.json index 43e58d287..68c10ff8d 100644 --- a/metaschema/attribute.schema.json +++ b/metaschema/attribute.schema.json 
@@ -73,4 +73,4 @@ } } } -} \ No newline at end of file +} diff --git a/metaschema/dictionary-attribute.schema.json b/metaschema/dictionary-attribute.schema.json index d41017033..e2cf310d0 100644 --- a/metaschema/dictionary-attribute.schema.json +++ b/metaschema/dictionary-attribute.schema.json @@ -53,9 +53,25 @@ "type": "boolean", "description": "A flag used when the attribute represents an array of values rather than a single value." }, + "suppress_checks": { + "type": "array", + "items": { + "type": "string", + "anyOf": [ + { + "const": "enum_convention", + "description": "Suppresses the convention that every Enum type has two common values with integer value 0 for Unknown and 99 for Other." + }, + { + "const": "sibling_convention", + "description": "Suppresses the convention that a sibling field for a field that has an _id suffix should be the name with the _id suffix stripped." + } + ] + } + }, "observable": { "$ref": "observable.schema.json" } }, "additionalProperties": false -} \ No newline at end of file +} From 079ef53bb0d2f160415c5a59deccc06d55217bcc Mon Sep 17 00:00:00 2001 From: Rajas <89877409+floydtree@users.noreply.github.com> Date: Wed, 10 Jul 2024 11:54:52 -0400 Subject: [PATCH 4/8] Adding credential_uid as an observable type, misc Changelog fixes (#1137) #### Related Issue: n/a #### Description of changes: 1. Adding `credential_uid` as an observable type, type_id 19. 2. Misc Changelog fixes --------- Signed-off-by: Rajas Panat Signed-off-by: Rajas <89877409+floydtree@users.noreply.github.com> --- CHANGELOG.md | 88 ++++++++++++++++++++++++------------------------- dictionary.json | 3 +- 2 files changed, 45 insertions(+), 46 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 27a95bfe3..9d113d820 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
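Review bot: in PATCH 3/8, the description says the patch fixes `data_lifecycle_state_id` by adding a 99 (Other) enumerand, but no hunk touches that attribute: the diffstat gives dictionary.json three insertions and all three are `suppress_checks` lines (`activity_id`, `opcode_id`, `risk_level_id`). Either that change landed separately (the CHANGELOG context credits the 0/99 cleanup to #1111) and the description is stale, or a hunk is missing; the description should say which.

Review bot: in the metaschema/dictionary-attribute.schema.json hunk, the `suppress_checks` array accepts duplicate entries; adding `"uniqueItems": true` next to `"type": "array"` would reject `["enum_convention", "enum_convention"]` and keep the list meaningful. The `anyOf`-of-`const` form is a good way to carry a per-value description, and `"additionalProperties": false` at the bottom means a misspelled suppression key is now caught, which is what a lint control should do.

Review bot: in the CHANGELOG.md hunk `@@ -103,6 +103,9 @@`, the bullet `* Updated several attributes that do not follow conventions to disable linting for them` should name them (`activity_id` for `sibling_convention`, `opcode_id` and `risk_level_id` for `enum_convention`), since JSON allows no comment explaining why a suppression is present and the changelog is the only place a reader can learn that; the hunk also adds a stray blank `+` line before `## [v1.2.0]` that PATCH 4/8 then has to remove.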
@@ -59,9 +59,7 @@ Thankyou! --> 7. Added `whois` object. #992 8. Added `domain_contact` and array-typed `domain_contacts` object for use with `whois` object. #992 9. Added `Windows Service` object to the Windows extension. #1103 - 10. Added array-typed `compliacne_references` and array-typed `compliance_standards` objects as array of `kb_article` and used in `compliance` object. #1110 - - + 10. Added array-typed `compliance_references` and array-typed `compliance_standards` objects as array of `kb_article` to `compliance` object. #1110 * #### Platform Extensions ### Improved 
@@ -70,42 +68,42 @@ Thankyou! --> 1. Added `file_result` to File Hosting Activity. #1045 2. Added entries to `injection_type_id` enum (`Process Activity`) and `activity_id` enum (`Memory Activity`). #1060 3. Added a `Restart`, `Enable`, `Disable`, and `Update` `activity_id` to the `Application Lifecycle` class. #1064 - 4. Added `ja4_fingerprint_list` to base network event class. #834 - 5. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Resume` to the `Entity Management` class. #1095 + 4. Added `ja4_fingerprint_list` to base network event class. #834 + 5. Added `ticket` to `Incident Finding` event class. #1068 + 6. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Resume` to the `Entity Management` class. #1095 * #### Profiles * #### Objects 1. Added `ext` to `File` object. #1046 2. Added `account`, `device`, `email`, `url`, `user` to `evidences` in detection finding. #1000 3. Added `state_id`, `state` to `Digital Signature` object. #1069 - 4. Added `ticket` to `Incident Finding` object. ticket. #1068 - 5. Added `domain` to `Uniform Resource Locator` object. #1096 - 6. Added `reg_key` and `reg_value` to `Evidence Artifacts` object. #1078 - 7. Added `type_id` and associated entity objects to `Managed Entity`. #1094 - 8. Added `vendor_name`, `type`, `type_id` to object `package`. #1093 - 9. Added `router`, `ids`, and `ips` entries to `type_id` enum in the `Endpoint` object. #1121 + 4. Added `domain` to `Uniform Resource Locator` object. #1096 + 5. Added `reg_key` and `reg_value` to `Evidence Artifacts` object. #1078 + 6. Added `type_id` and associated entity objects to `Managed Entity`. #1094 + 7. Added `vendor_name`, `type`, `type_id` to object `package`. #1093 + 8. Added `router`, `ids`, and `ips` entries to `type_id` enum in the `Endpoint` object. #1121 * #### Platform Extensions ### Bugfixes - 1. Fixed the host profile construction in `patch_state` event class. #1087 - 2. 
Removed the optional requirement overrides for `name` and `uid` in `_resource` as they are part of a constraint. #1087 - 3. Fixed declarations of `data_lifecycle_state_id`, `integrity`, `opcode_id`, `risk_level`, and `analytic.type_id`. #1111 +1. Fixed the host profile construction in `patch_state` event class. #1087 +2. Removed the optional requirement overrides for `name` and `uid` in `_resource` as they are part of a constraint. #1087 +3. Fixed declarations of `data_lifecycle_state_id`, `integrity`, `opcode_id`, `risk_level`, and `analytic.type_id`. #1111 ### Deprecated ### Breaking changes ### Misc - 1. Colorized validator output #1048 - * Updated the GitHub workflow for the `ocsf-validator` to print colorized output. - 2. Clarify how to reference profiles in metadata #1056 - * Updated the description of `metadata.profiles` to clarify the correct way to reference a profile in that list. - 3. Added a `gitignore` file. #1071 - 4. New Extension registration for Cisco #1074 - 5. Cleaned up MITRE trademarks and registrations for captions and descriptions. - 6. Declared enums in dictionary.json have sane "0" (Unknown) and "99" (Other) declarations and descriptions where appropriate #1111 - 7. Adds support for `suppress_checks` controls in attributes to allow tools to automatically validate conventions #1063 - * Updated several attributes that do not follow conventions to disable linting for them - +1. Colorized validator output #1048 + * Updated the GitHub workflow for the `ocsf-validator` to print colorized output. +2. Clarify how to reference profiles in metadata #1056 + * Updated the description of `metadata.profiles` to clarify the correct way to reference a profile in that list. +3. Added a `gitignore` file. #1071 +4. New Extension registration for Cisco #1074 +5. Cleaned up MITRE trademarks and registrations for captions and descriptions. +6. 
Declared enums in dictionary.json have sane "0" (Unknown) and "99" (Other) declarations and descriptions where appropriate #1111 +7. Adds support for `suppress_checks` controls in attributes to allow tools to automatically validate conventions #1063 + * Updated several attributes that do not follow conventions to disable linting for them +8. Added `credential_uid` as an Observable type - type_id: 19. #1137 ## [v1.2.0] - April 23rd, 2024 
@@ -188,32 +186,32 @@ Thankyou! --> n/a ### Bugfixes - 1. Changed datatype of `priority` attribute, from `integer_t` to `string_t` #959 - 2. Extended `email_t` regexp to allow characters from RFC5322 before @. - 3. Updated `logon_type_id` enum to include `0` as `Unknown`. Added enum item `1` as `System`. #1055 +1. Changed datatype of `priority` attribute, from `integer_t` to `string_t` #959 +2. Extended `email_t` regexp to allow characters from RFC5322 before @. +3. Updated `logon_type_id` enum to include `0` as `Unknown`. Added enum item `1` as `System`. #1055 ### Deprecated - 1. Deprecated `coordinates` attribute in favor of specific `lat`, `long` attributes. #971 - 2. Deprecated `invoked_by` attribute in the `Actor` object in favor of `app_name`. #979. +1. Deprecated `coordinates` attribute in favor of specific `lat`, `long` attributes. #971 +2. Deprecated `invoked_by` attribute in the `Actor` object in favor of `app_name`. #979. ### Breaking changes - n/a +n/a ### Misc - 1. New Extension registration for Sedara. #951 - 2. Corrected punctuation for the `transmit_time` attribute. #1001 - 3. New ways to define observables in the metaschema. #982 and #993 - * (Current) Dictionary types using `observable` property in dictionary types. This allows defining all occurrences of attributes of this type as an observable. - * (Current) Objects using top-level `observable` property. This allows defining all occurrences attributes whose type is this object as an observable. - * _**(New)**_ Dictionary attributes using `observable` property in attribute. This allows defining all occurrences of this attribute as an observable. - * _**(New)**_ Object-specific attributes using `observable` property class's attributes. This allows defining object attributes as observables _only_ within instances of this specific object. - * _**(New)**_ Event class-specific attributes using `observable` property class's attributes. 
This allows defining class attributes as observables _only_ within instances of this specific class. - * _**(New)**_ Event class-specific attribute _paths_ using top-level `observables` property. The `observables` property holds an object mapping from an dotted attribute path to an observable `type_id`. This allows defining an observables _only_ within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient that defining a class attribute observable for classes that extend another, but don't otherwise change a attribute definition. - 4. Metaschema improvements. #993 - * Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: invalid `observable` property in event classes, and invalid `observables` property in objects. - * Remove hard-coded list of categories from `metaschema/categories.schema.json`, leaving this to the `ocsf-validator`. This change makes testing with alternate schemas that may add extra categories easier, as well as making it possible to validate private extensions that contain new categories. - 5. Metaschema error reporting #1027 - * Updated the definition of `object` and `event` so that metaschema errors reported by the validator with nested properties correctly attribute the error to the property with the error, rather than the top-level class. +1. New Extension registration for Sedara. #951 +2. Corrected punctuation for the `transmit_time` attribute. #1001 +3. New ways to define observables in the metaschema. #982 and #993 + * (Current) Dictionary types using `observable` property in dictionary types. This allows defining all occurrences of attributes of this type as an observable. + * (Current) Objects using top-level `observable` property. 
This allows defining all occurrences attributes whose type is this object as an observable. + * _**(New)**_ Dictionary attributes using `observable` property in attribute. This allows defining all occurrences of this attribute as an observable. + * _**(New)**_ Object-specific attributes using `observable` property class's attributes. This allows defining object attributes as observables _only_ within instances of this specific object. + * _**(New)**_ Event class-specific attributes using `observable` property class's attributes. This allows defining class attributes as observables _only_ within instances of this specific class. + * _**(New)**_ Event class-specific attribute _paths_ using top-level `observables` property. The `observables` property holds an object mapping from an dotted attribute path to an observable `type_id`. This allows defining an observables _only_ within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient that defining a class attribute observable for classes that extend another, but don't otherwise change a attribute definition. +4. Metaschema improvements. #993 + * Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: invalid `observable` property in event classes, and invalid `observables` property in objects. + * Remove hard-coded list of categories from `metaschema/categories.schema.json`, leaving this to the `ocsf-validator`. This change makes testing with alternate schemas that may add extra categories easier, as well as making it possible to validate private extensions that contain new categories. +5. 
Metaschema error reporting #1027 + * Updated the definition of `object` and `event` so that metaschema errors reported by the validator with nested properties correctly attribute the error to the property with the error, rather than the top-level class. ## [v1.1.0] - January 25th, 2024 diff --git a/dictionary.json b/dictionary.json index 24320366d..ac9b6d976 100644 --- a/dictionary.json +++ b/dictionary.json @@ -1165,7 +1165,8 @@ "credential_uid": { "caption": "User Credential ID", "description": "The unique identifier of the user's credential. For example, AWS Access Key ID.", - "type": "string_t" + "type": "string_t", + "observable": 19 }, "criticality": { "caption": "Criticality", From 969e9f096f6943457ff362abc605221ac75e2e3b Mon Sep 17 00:00:00 2001 From: k2niner <120660286+k2niner@users.noreply.github.com> Date: Fri, 12 Jul 2024 12:45:47 -0400 Subject: [PATCH 5/8] Update extensions.md to include US Gov (#1140) Add USG-1 extension reservation @ 990. --------- Signed-off-by: k2niner <120660286+k2niner@users.noreply.github.com> --- CHANGELOG.md | 1 + extensions.md | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d113d820..8f4728cf9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -104,6 +104,7 @@ Thankyou! --> 7. Adds support for `suppress_checks` controls in attributes to allow tools to automatically validate conventions #1063 * Updated several attributes that do not follow conventions to disable linting for them 8. Added `credential_uid` as an Observable type - type_id: 19. #1137 +9. New Extension registration for US Gov #1140 ## [v1.2.0] - April 23rd, 2024 diff --git a/extensions.md b/extensions.md index ef3838d9d..44d2573cb 100644 --- a/extensions.md +++ b/extensions.md 
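Review bot: in PATCH 4/8, the dictionary.json hunk assigns `"observable": 19` to `credential_uid`, but nothing in the diff shows that 19 is free: the diffstat lists only CHANGELOG.md and dictionary.json, so uniqueness against the other `observable` annotations and the Observable object's `type_id` values cannot be checked from the patch itself; a line in the PR (or the validator run) confirming 19 is the next unused id would close that. Because an observable is what analysts pivot and index on, the description "The unique identifier of the user's credential. For example, AWS Access Key ID." should also state plainly that the field carries the key identifier and never the secret half of the credential, so producers do not populate it with secret material.

Review bot: in the CHANGELOG.md hunk `@@ -188,32 +186,32 @@`, the re-indented lines keep several typos that could be fixed in the same pass: `from an dotted attribute path` (a dotted), `more convenient that defining` (than), `change a attribute definition` (an attribute), and `all occurrences attributes whose type is this object` (all occurrences of attributes). In the `@@ -70,42 +68,42 @@` hunk, moving the `ticket` entry (#1068) under Event Classes and renumbering the Objects list is correct, and the first hunk's `compliacne_references` to `compliance_references` fixes the attribute name itself.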
@@ -3,6 +3,7 @@ The purpose of this file is to keep track of and avoid collisions in Extension ` | Caption | Name | UID | Notes | |-------------|----------|-----|-------| +| US GOV | usg1 | **990** | The USG-1 schema extension | | Cisco | cisco | **991** | The Cisco schema extension | | Sedara | sedara | **992** | The Sedara schema extension | | Sciber | sciber | **993** | The Sciber schema extension | From 144c7904e7aeaa4cd241b472bf221fee1f644f2b Mon Sep 17 00:00:00 2001 From: Dave McCormack Date: Thu, 18 Jul 2024 15:25:38 +0100 Subject: [PATCH 6/8] Added job attribute to Evidence Artifacts object. (#1130) #### Related Issue: [#1124](https://github.com/ocsf/ocsf-schema/issues/1124) #### Description of changes: - Added the pre-existing `job` attribute to the `Evidence Artifacts` object. - Adjusted the `at_least_one` constraint in the object to include `job`. Note that this approach is the same as that taken to fix other gaps in the `Evidence Artifacts` object, e.g. PR #1078. Signed-off-by: Dave McCormack Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com> --- CHANGELOG.md | 1 + extensions/windows/objects/evidences.json | 1 + objects/evidences.json | 7 ++++++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f4728cf9..8c89e49b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -81,6 +81,7 @@ Thankyou! --> 6. Added `type_id` and associated entity objects to `Managed Entity`. #1094 7. Added `vendor_name`, `type`, `type_id` to object `package`. #1093 8. Added `router`, `ids`, and `ips` entries to `type_id` enum in the `Endpoint` object. #1121 + 9. Added `job` to `Evidence Artifacts` object. #1130 * #### Platform Extensions ### Bugfixes diff --git a/extensions/windows/objects/evidences.json b/extensions/windows/objects/evidences.json index cca15c5e3..9b4dff146 100644 --- a/extensions/windows/objects/evidences.json +++ b/extensions/windows/objects/evidences.json 
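Review bot: in PATCH 5/8, the extensions.md row `| US GOV | usg1 | **990** | The USG-1 schema extension |` spells the same extension three ways (US GOV, usg1, USG-1); the neighbouring rows derive `Name` from `Caption` in lower case (cisco, sedara, sciber), so either caption "USG-1" with name `usg1`, or caption "US Gov" with a name that matches it, would keep the table's pattern and make the reservation easy to search for.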
@@ -33,6 +33,7 @@ "src_endpoint", "url", "user", + "job", "reg_key", "reg_value", "win_service" diff --git a/objects/evidences.json b/objects/evidences.json index 6cc1bcc49..8b41cc88c 100644 --- a/objects/evidences.json +++ b/objects/evidences.json @@ -67,6 +67,10 @@ "user": { "description": "Describes details about the user that was the target or somehow else associated with the activity that triggered the detection.", "requirement": "recommended" + }, + "job": { + "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.", + "requirement": "recommended" } }, "constraints": { @@ -85,7 +89,8 @@ "query", "src_endpoint", "url", - "user" + "user", + "job" ] } } \ No newline at end of file From d7d5665f1491373d2357b4ad0f543f88567fa7bb Mon Sep 17 00:00:00 2001 From: Rajas <89877409+floydtree@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:03:36 -0400 Subject: [PATCH 7/8] Fixing event class names, file names for the new remediation events (#1144) #### Related Issue: surfaced by @dkolbly in slack #### Description of changes: 1. Fixing event class names in the Remediation category to avoid name collision within the framework 2. No need for a changelog entry, this is fixing a new item added in 1.3.0-dev Signed-off-by: Rajas Panat --- .../{file_remediation.json => file_remediation_activity.json} | 4 ++-- ...ork_remediation.json => network_remediation_activity.json} | 4 ++-- ...ess_remediation.json => process_remediation_activity.json} | 4 ++-- .../{remediation.json => remediation_activity.json} | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) rename events/remediation/{file_remediation.json => file_remediation_activity.json} (87%) rename events/remediation/{network_remediation.json => network_remediation_activity.json} (88%) rename events/remediation/{process_remediation.json => process_remediation_activity.json} (87%) rename events/remediation/{remediation.json => remediation_activity.json} (98%) 
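Review bot: in PATCH 6/8, the objects/evidences.json hunk `@@ -85,7 +89,8 @@` appends `"job"` after `"user"` in the `at_least_one` list but leaves the file ending with `\ No newline at end of file`; PATCH 1/8 and PATCH 3/8 in this series add the trailing newline to files they touch, and the same one-character fix here would stop the marker resurfacing in every later diff of this file. The Windows extension hunk inserts `"job"` between `"user"` and `"reg_key"`, which matches the core ordering (core attributes first, then the extension's own), so the two constraints stay consistent.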
diff --git a/events/remediation/file_remediation.json b/events/remediation/file_remediation_activity.json similarity index 87% rename from events/remediation/file_remediation.json rename to events/remediation/file_remediation_activity.json index e3c5e648f..e6c63fa2c 100644 --- a/events/remediation/file_remediation.json +++ b/events/remediation/file_remediation_activity.json @@ -1,8 +1,8 @@ { "caption": "File Remediation Activity", "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include File, such as File Removal or Restore File.", - "extends": "remediation", - "name": "file_remediation", + "extends": "remediation_activity", + "name": "file_remediation_activity", "uid": 2, "attributes": { "file": { diff --git a/events/remediation/network_remediation.json b/events/remediation/network_remediation_activity.json similarity index 88% rename from events/remediation/network_remediation.json rename to events/remediation/network_remediation_activity.json index e9c328f80..f5455ff92 100644 --- a/events/remediation/network_remediation.json +++ b/events/remediation/network_remediation_activity.json @@ -1,8 +1,8 @@ { "caption": "Network Remediation Activity", "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.", - "extends": "remediation", - "name": "network_remediation", + "extends": "remediation_activity", + "name": "network_remediation_activity", "uid": 4, "attributes": { "connection_info": { 
diff --git a/events/remediation/process_remediation.json b/events/remediation/process_remediation_activity.json similarity index 87% rename from events/remediation/process_remediation.json rename to events/remediation/process_remediation_activity.json index 5874dca6d..feb15b938 100644 --- a/events/remediation/process_remediation.json +++ b/events/remediation/process_remediation_activity.json @@ -1,8 +1,8 @@ { "caption": "Process Remediation Activity", "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.", - "extends": "remediation", - "name": "process_remediation", + "extends": "remediation_activity", + "name": "process_remediation_activity", "uid": 3, "attributes": { "process": { diff --git a/events/remediation/remediation.json b/events/remediation/remediation_activity.json similarity index 98% rename from events/remediation/remediation.json rename to events/remediation/remediation_activity.json index 3dad5905e..6c9384560 100644 --- a/events/remediation/remediation.json +++ b/events/remediation/remediation_activity.json @@ -1,7 +1,7 @@ { "caption": "Remediation Activity", "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ Matrix.", - "name": "remediation", + "name": "remediation_activity", "category": "remediation", "extends": "base_event", "uid": 1, From f0ea6bff0f00c87d5b01b7d8166c778bac95f95b Mon Sep 17 00:00:00 2001 
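Review bot: in PATCH 7/8, the four rename hunks update `name` and `extends` together and keep `uid` 1..4 and `"category": "remediation"`, so the class name no longer equals the category name, which is the collision the description refers to. The diffstat touches only these four files, so anything else that still says `"extends": "remediation"` or uses the old file names (extensions, profiles, docs or test fixtures) would now fail to resolve; a grep for `"extends": "remediation"` across the repository before merge would confirm nothing was missed.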
From: eliraz-levi <100218904+eliraz-levi@users.noreply.github.com> Date: Tue, 23 Jul 2024 19:16:57 +0300 Subject: [PATCH 8/8] Adjust Entity Management class (3004) to be aligned with Windows event 4662 (#1114) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adjust Entity Management class (3004) to be aligned with fields exist in Windows event 4662 - “An operation was performed on an object”. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662 #### Related Issue: https://github.com/ocsf/ocsf-schema/issues/1090 #### Description of changes: We add the attributes access_list, access_mask. ![Screenshot 2024-06-04 at 15 50 27](https://github.com/ocsf/ocsf-schema/assets/100218904/5417d9a9-5956-441c-b173-437183875f49) Signed-off-by: Eliraz Levi [eliraz.levi@hunters.ai](mailto:eliraz.levi@hunters.ai) Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com> --- CHANGELOG.md | 2 ++ events/iam/entity_management.json | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c89e49b5..3f64d1d69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -160,6 +160,8 @@ Thankyou! --> 7. Added a `Preauth` `activity_id` to the `Authentication` class. #1018 8. Added the `Security Control` profile to the `Datastore Activity` class. #1030 9. Added `risk_details` to Detection Finding. #1032 + 10. Added `access_mask` to Entity Management class. #1090 + 11. Added `access_list` to Entity Management class. #1090 * #### Profiles n/a diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json index 77e9550a0..c33d0cfff 100644 --- a/events/iam/entity_management.json +++ b/events/iam/entity_management.json 
@@ -77,6 +77,14 @@ "entity_result": { "group": "primary", "requirement": "recommended" + }, + "access_mask": { + "group": "context", + "requirement": "optional" + }, + "access_list": { + "group": "context", + "requirement": "optional" } } }
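Review bot: in PATCH 8/8, the CHANGELOG.md hunk `@@ -160,6 +160,8 @@` inserts items 10 and 11 after `9. Added risk_details to Detection Finding. #1032`, which lies in the `## [v1.2.0] - April 23rd, 2024` section (that heading appears just after line 110 in PATCH 5/8's CHANGELOG hunk, and the `## [v1.1.0]` heading sits near line 218 in PATCH 4/8's), so two unreleased 1.3.0-dev changes are recorded under a released version. They belong in the unreleased `* #### Event Classes` list near line 49, next to `4. Added Software Inventory Info ...` from PATCH 1/8. The other entries also cite the PR number (#1134, #1121, #1130) while these cite the issue #1090; use #1114, and the two lines can be one entry since they are one change.

Review bot: in the events/iam/entity_management.json hunk, `access_mask` and `access_list` are added with no class-level `description`, unlike the attributes added elsewhere in this series; since the stated goal is alignment with Windows event 4662, a short description mapping `access_mask` to that event's Access Mask field and `access_list` to its Accesses field would tell mappers which attribute carries the raw bitmask and which the decoded access names. Both being `optional` in the `context` group is right for an enrichment that only some sources provide.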