Merge branch 'main' into package_extension_1091

Signed-off-by: Pavel Jurka <[email protected]>

.github/workflows/deep-validate.yml

@@ -20,7 +20,7 @@ jobs:
         python-version: '3.11'
 
     - name: Install validator
-      run: python -m pip install 'ocsf-validator>=0.1.1,<0.2'
+      run: python -m pip install 'ocsf-validator>=0.2,<0.3'
 
     - name: Run validator
       shell: bash

CHANGELOG.md

@@ -60,16 +60,17 @@ Thankyou! -->
     2. Added entries to `injection_type_id` enum (`Process Activity`) and `activity_id` enum (`Memory Activity`). #1060
     3. Added a `Restart`, `Enable`, `Disable`, and `Update` `activity_id` to the `Application Lifecycle` class. #1064
     4. Added `ja4_fingerprint_list` to base network event class. #834 
+    5. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Resume` to the `Entity Management` class. #1095
 * #### Profiles
 * #### Objects
     1. Added `ext` to `File` object. #1046
     2. Added `account`, `device`, `email`, `url`, `user` to `evidences` in detection finding. #1000
     3. Added `state_id`, `state` to `Digital Signature` object. #1069
     4. Added `ticket` to `Incident Finding` object. ticket. #1068
     5. Added `domain` to `Uniform Resource Locator` object. #1096
-    6. Added `reg_key` and `reg_value` to `Evidence Artifacts` object. #1078
-    7. Added `vendor_name`, `type`, `type_id` to object `package`. #1093
-
+    6. Added `reg_key` and `reg_value` to `Evidence Artifacts` object. #1078  
+    7. Added `type_id` and associated entity objects to `Managed Entity`. #1094
+    8. Added `vendor_name`, `type`, `type_id` to object `package`. #1093
 * #### Platform Extensions
 
 ### Bugfixes

events/iam/entity_management.json

@@ -8,21 +8,61 @@
     "activity_id": {
       "enum": {
         "1": {
-          "caption": "Create"
+          "caption": "Create",
+          "description": "Create a new managed entity."
         },
         "2": {
-          "caption": "Read"
+          "caption": "Read",
+          "description": "Read an existing managed entity."
         },
         "3": {
-          "caption": "Update"
+          "caption": "Update",
+          "description": "Update an existing managed entity."
         },
         "4": {
-          "caption": "Delete"
+          "caption": "Delete",
+          "description": "Delete a managed entity."
+        },
+        "5": {
+          "caption": "Move",
+          "description": "Move or rename an existing managed entity."
+        },
+        "6": {
+          "caption": "Enroll",
+          "description": "Enroll an existing managed entity."
+        },
+        "7": {
+          "caption": "Unenroll",
+          "description": "Unenroll an existing managed entity."
+        },
+        "8": {
+          "caption": "Enable",
+          "description": "Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
+        },
+        "9": {
+          "caption": "Disable",
+          "description": "Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
+        },
+        "10": {
+          "caption": "Activate",
+          "description": "Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
+        },
+        "11": {
+          "caption": "Deactivate",
+          "description": "Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
+        },
+        "12": {
+          "caption": "Suspend",
+          "description": "Suspend an existing managed entity."
+        },
+        "13": {
+          "caption": "Resume",
+          "description": "Resume (unsuspend) an existing managed entity."
         }
       }
     },
     "actor": {
-      "description": "Use for when the entity acting upon another entity is a process or user.",
+      "description": "Used for when the entity acting upon another entity is a process or user.",
       "group": "context"
     },
     "comment": {

objects/d3fend.json

@@ -1,7 +1,7 @@
 {
     "caption": "MITRE D3FEND™",
     "name": "d3fend",
-    "description": "The <a target='_blank' href='https://d3fend.mitre.org'>MITRE D3FEND™</a> object describes the tactic, technique & sub-technique associated with a countermeasure as defined in <a target='_blank' href='https://https://d3fend.mitre.org/'>DEFEND Matrix<sup>TM</sup></a>.",
+    "description": "The <a target='_blank' href='https://d3fend.mitre.org'>MITRE D3FEND™</a> object describes the tactic, technique & sub-technique associated with a countermeasure as defined in <a target='_blank' href='https://d3fend.mitre.org/'>DEFEND Matrix<sup>TM</sup></a>.",
     "extends": "object",
     "attributes": {
       "d3f_tactic": {

objects/managed_entity.json

@@ -1,6 +1,6 @@
 {
   "caption": "Managed Entity",
-  "description": "The Managed Entity object describes the type and version of an entity, such as a policy or configuration.",
+  "description": "The Managed Entity object describes the type and version of an entity, such as a user, device, or policy.  For types in the <code>type_id</code> enum list, an associated attribute should be populated.  If the type of entity is not in the <code>type_id</code> list, information can be put into the <code>data</code> attribute and the <code>type</code> attribute should identify the entity.",
   "extends": "_entity",
   "name": "managed_entity",
   "attributes": {
@@ -15,12 +15,72 @@
       "description": "The managed entity type. For example: <code>policy</code>, <code>user</code>, <code>organizational unit</code>, <code>device</code>.",
       "requirement": "recommended"
     },
+    "type_id": {
+      "requirement": "recommended",
+      "description": "The type of the Managed Entity. It is recommended to also populate the <code>type</code> attribute with the associated label, or the source specific name if <code>Other</code>.",
+      "enum": {
+        "1": {
+          "caption": "Device",
+          "description": "A managed Device entity.  This item corresponds to population of the <code>device</code> attribute."
+        },
+        "2": {
+          "caption": "User",
+          "description": "A managed User entity.  This item corresponds to population of the <code>user</code> attribute."
+        },
+        "3": {
+          "caption": "Group",
+          "description": "A managed Group entity.  This item corresponds to population of the <code>group</code> attribute."
+        },
+        "4": {
+          "caption": "Organization",
+          "description": "A managed Organization entity.  This item corresponds to population of the <code>org</code> attribute."
+        },
+        "5": {
+          "caption": "Policy",
+          "description": "A managed Policy entity.  This item corresponds to population of the <code>policy</code> attribute."
+        },
+        "6": {
+          "caption": "Email",
+          "description": "A managed Email entity.  This item corresponds to population of the <code>email</code> attribute."
+        }
+      }
+    },
+    "device": {
+      "requirement": "recommended"
+    },
+    "email": {
+      "requirement": "recommended"
+    },
+    "group": {
+      "requirement": "recommended"
+    },
+    "org": {
+      "requirement": "recommended"
+    },
+    "policy": {
+      "requirement": "recommended",
+      "description": "Describes details of a managed policy."
+    },
     "uid": {
       "description": "The identifier of the managed entity."
     },
+    "user": {
+      "requirement": "recommended"
+    },
     "version": {
       "description": "The version of the managed entity. For example: <code>1.2.3</code>.",
       "requirement": "recommended"
     }
+  },
+  "constraints": {
+    "at_least_one": [
+      "name",
+      "uid",  
+      "device",
+      "group",
+      "org",
+      "policy",
+      "user"
+    ]
   }
 }