Merge pull request #782 from ocsf/logger

Add a Logger object that represents a device and associated product where events are logged.

dictionary.json

@@ -1961,6 +1961,12 @@
       "description": "<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
       "type": "timestamp_t"
     },
+    "loggers": {
+      "caption": "Loggers",
+      "description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.",
+      "is_array": "true",
+      "type": "logger"
+    },
     "logon_process": {
       "caption": "Logon Process",
       "description": "The trusted process that validated the authentication credentials.",
@@ -3245,6 +3251,11 @@
       "description": "The unique identifier of the transaction.",
       "type": "string_t"
     },
+    "transmit_time": {
+      "caption": "Transmission Time",
+      "description": "The event transmission time from one device to another.  See specific usage",
+      "type": "timestamp_t"
+    },
     "tree_uid": {
       "caption": "Tree UID",
       "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",

objects/logger.json

@@ -0,0 +1,45 @@
+{
+    "caption": "Logger",
+    "description": "The Logger object represents the device and product where events are stored with times for receipt and transmission.  This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.",
+    "name": "logger",
+    "extends": "_entity",
+    "attributes": {
+        "device": {
+            "description": "The device where the events are logged.",
+            "requirement": "recommended"
+        },
+        "log_level": {
+            "requirement": "optional"
+        },
+        "log_name": {
+            "requirement": "recommended"
+        },
+        "log_provider": {
+            "requirement": "recommended"
+        },
+        "log_version": {
+            "requirement": "optional"
+        },
+        "logged_time": {},
+        "name": {
+            "description": "The name of the logging product instance.",
+            "requirement": "recommended"
+        },
+        "product": {
+            "description": "The product logging the event.  This may be the event source product, a management server product, a scanning product, a SIEM, etc.",
+            "requirement": "recommended"
+        },
+        "transmit_time": {
+            "description": "The time when the event was transmitted from the logging device to it's next destination",
+            "requirement": "optional"
+        },
+        "uid": {
+            "description": "The unique identifier of the logging product instance.",
+            "requirement": "recommended"
+          },      
+        "version": {
+            "description": "The version of the logging product.",
+            "requirement": "optional"
+        }
+    }
+}  

objects/metadata.json

@@ -43,6 +43,7 @@
       "description": "The time when the event was last modified or enriched.",
       "requirement": "optional"
     },
+    "loggers": {},
     "original_time": {
       "requirement": "recommended"
     },