Create agent Object, add agent and owner to endpoint

CHANGELOG.md

@@ -40,6 +40,7 @@ Thankyou! -->
     1. Added `auth_factor` object. #949
     2. Added `data_security` object. #953
     3. Added `autonomous_system` object. #978
+    4. Added `agent` object. #987
 * #### Platform Extensions
 
 ### Improved
@@ -64,6 +65,12 @@ Thankyou! -->
     3. Added `risk_score`, `risk_level_id`, `risk_level` to `user` object. Issue #972.
     4. Added `app_name`, `app_uid` to `actor` object.  Issue #966, PR #979.
     5. Added `container`, `database`, `databucket` to the `evidences` object. #984
+    6. Added `owner` to `endpoint` object. #987
+    7. Added `is_applied` Boolean attribute to `policy` object. #987
+    8. Added `agent_list` as an array of `agent` objects. #987
+    9. Added `policies` object as an array of `policy` objects. #987
+    10. Added `agent_list` to `endpoint` object. #987 
+
 * #### Platform Extensions
 
 ### Bugfixes

dictionary.json

@@ -122,6 +122,17 @@
       "is_array": true,
       "type": "affected_package"
     },
+    "agent": {
+      "caption": "Agent",
+      "description": "An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.",
+      "type": "agent"
+    },
+    "agent_list": {
+      "caption": "Agent List",
+      "description": "A list of <code>agent</code> objects associated with a device, endpoint, or resource.",
+      "is_array": true,
+      "type": "agent"
+    },
     "alert": {
       "caption": "Client TLS Alert",
       "description": "The integer value of TLS alert if present. The alerts are defined in the TLS specification in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc2246'>RFC-2246</a>.",
@@ -2134,6 +2145,11 @@
       "description": "The IP address, in either IPv4 or IPv6 format.",
       "type": "ip_t"
     },
+    "is_applied": {
+      "caption": "Applied",
+      "description": "A determination if a policy, rule, or enforcement action was applied.",
+      "type": "boolean_t"
+    },
     "is_cleartext": {
       "caption": "Cleartext Credentials",
       "description": "Indicates whether the credentials were passed in clear text.<p><b>Note:</b> True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.</p>",
@@ -2962,6 +2978,12 @@
       "description": "Describes details of a policy. See specific usage.",
       "type": "policy"
     },
+    "policies": {
+      "caption": "Policies",
+      "description": "An array of <code>Policy</code> objects.",
+      "is_array": true,
+      "type": "policy"
+    },
     "port": {
       "caption": "Port",
       "description": "The TCP/UDP port number associated with a connection. See specific usage.",

objects/agent.json

@@ -0,0 +1,92 @@
+{
+    "caption": "Agent",
+    "description": "An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.",
+    "extends": "object",
+    "name": "agent",
+    "attributes": {
+        "type_id": {
+          "caption": "Type ID",
+          "description": "The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.",
+          "enum": {
+            "1": {
+              "caption": "Endpoint Detection and Response",
+              "description": "Any EDR sensor or agent. Or any tool that provides similar threat detection, anti-malware, anti-ransomware, or similar capabilities. E.g., Crowdstrike Falcon, Microsoft Defender for Endpoint, Wazuh."
+            },
+            "2": {
+              "caption": "Data Loss Prevention",
+              "description": "Any DLP sensor or agent. Or any tool that provides similar data classification, data loss detection, and/or data loss prevention capabilities. E.g., Forcepoint DLP, Microsoft Purview, Symantec DLP."
+            },
+            "3": {
+              "caption": "Backup & Recovery",
+              "description": "Any agent or sensor that provides backups, archival, or recovery capabilities. E.g., Azure Backup, AWS Backint Agent."
+            },
+            "4": {
+              "caption": "Performance Monitoring & Observability",
+              "description": "Any agent or sensor that provides Application Performance Monitoring (APM), active tracing, profiling, or other observability use cases and optionally forwards the logs. E.g., New Relic Agent, Datadog Agent, Azure Monitor Agent."
+            },
+            "5": {
+              "caption": "Vulnerability Management",
+              "description": "Any agent or sensor that provides vulnerability management or scanning capabilities. E.g., Qualys VMDR, Microsoft Defender for Endpoint, Crowdstrike Spotlight, Amazon Inspector Agent."
+            },
+            "6": {
+              "caption": "Log Forwarding",
+              "description": "Any agent or sensor that forwards logs to a 3rd party storage system such as a data lake or SIEM. E.g., Splunk Universal Forwarder, Tenzir, FluentBit, Amazon CloudWatch Agent, Amazon Kinesis Agent."
+            },
+            "7": {
+              "caption": "Mobile Device Management",
+              "description": "Any agent or sensor responsible for providing Mobile Device Management (MDM) or Mobile Enterprise Management (MEM) capabilities. E.g., JumpCloud Agent, Esper Agent, Jamf Pro binary."
+            },
+            "8": {
+              "caption": "Configuration Management",
+              "description": "Any agent or sensor that provides configuration management of a device, such as scanning for software, license management, or applying configurations. E.g., AWS Systems Manager Agent, Flexera, ServiceNow MID Server."
+            },
+            "9": {
+              "caption": "Remote Access",
+              "description": "Any agent or sensor that provides remote access capabilities to a device. E.g., BeyondTrust, Amazon Systems Manager Agent, Verkada Agent."
+            }
+          },
+          "requirement": "recommended"
+        },
+        "type": {
+          "caption": "Agent Type",
+          "description": "The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.",
+          "requirement": "optional"
+        },
+        "uid": {
+          "caption": "Agent ID",
+          "description": "The UID of the agent or sensor, sometimes known as a Sensor ID or <code>aid</code>.",
+          "requirement": "recommended"
+        },
+        "uid_alt": {
+          "caption": "Alternate Agent ID",
+          "description": "An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.",
+          "requirement": "optional"
+        },
+        "version": {
+          "caption": "Agent Version",
+          "description": "The semantic version of the agent or sensor, e.g., <code>7.101.50.0</code>.",
+          "requirement": "optional"
+        },
+        "vendor_name": {
+          "description": "The company or author who created the agent or sensor. For example: <code>Crowdstrike</code>.",
+          "requirement": "optional"
+        },
+        "name": {
+          "caption": "Agent Name",
+          "description": "The name of the agent or sensor. For example: <code>AWS SSM Agent</code>.",
+          "requirement": "recommended"
+        },
+        "policies": {
+          "caption": "Agent Policies",
+          "description": "Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.",
+          "requirement": "optional"
+        }
+    },
+    "constraints": {
+      "at_least_one": [
+        "uid",
+        "name"
+      ]
+    }
+  }
+

objects/endpoint.json

@@ -11,6 +11,9 @@
     "$include": [
       "profiles/container.json"
     ],
+    "agent_list": {
+      "requirement": "optional"
+    },
     "domain": {
       "requirement": "optional"
     },
@@ -49,6 +52,10 @@
       "description": "The endpoint operating system.",
       "requirement": "optional"
     },
+    "owner": {
+      "description": "The identity of the service or user account that owns the endpoint or was last logged into it.",
+      "requirement": "recommended"
+    },
     "subnet_uid": {
       "requirement": "optional"
     },

objects/policy.json

@@ -21,6 +21,11 @@
     "version": {
       "description": "The policy version number.",
       "requirement": "recommended"
+    },
+    "is_applied": {
+      "caption": "Applied",
+      "description": "A determination if the content of a policy was applied to a target or request, or not.",
+      "type": "boolean_t"
     }
   }
 }

objects/resource_details.json

@@ -4,6 +4,9 @@
   "extends": "_resource",
   "name": "resource_details",
   "attributes": {
+    "agent_list": {
+      "requirement": "optional"
+    },
     "cloud_partition": {
       "profile": "cloud",
       "requirement": "optional"