From da6b0a5faa8d7285c166d3e1ee6f147d98e031ed Mon Sep 17 00:00:00 2001 From: Paul Agbabian Date: Thu, 23 May 2024 10:32:52 -0700 Subject: [PATCH 01/18] Added type_id and associated objects and constraints on the attributes. Signed-off-by: Paul Agbabian --- objects/managed_entity.json | 55 ++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-)
diff --git a/objects/managed_entity.json b/objects/managed_entity.json
index ef26f78bc..43978a1b3 100644
--- a/objects/managed_entity.json
+++ b/objects/managed_entity.json
@@ -1,6 +1,6 @@
 {
 "caption": "Managed Entity",
- "description": "The Managed Entity object describes the type and version of an entity, such as a policy or configuration.",
+ "description": "The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.",
 "extends": "_entity",
 "name": "managed_entity",
 "attributes": {
@@ -15,12 +15,65 @@
 "description": "The managed entity type. For example: policy, user, organizational unit, device.",
 "requirement": "recommended"
 },
+ "type_id": {
+ "requirement": "recommended",
+ "description": "The type of the Managed Entity. It is recommended to also populate the type attribute with the associated label, or the source specific name if Other.",
+ "enum": {
+ "1": {
+ "caption": "Device",
+ "description": "A managed Device entity."
+ },
+ "2": {
+ "caption": "User",
+ "description": "A managed User entity."
+ },
+ "3": {
+ "caption": "Group",
+ "description": "A managed Group entity."
+ },
+ "4": {
+ "caption": "Organization",
+ "description": "A managed Organization entity."
+ },
+ "5": {
+ "caption": "Policy",
+ "description": "A managed Policy entity."
+ }
+ }
+ },
+ "device": {
+ "requirement": "recommended"
+ },
+ "group": {
+ "requirement": "recommended"
+ },
+ "org": {
+ "requirement": "recommended"
+ },
+ "policy": {
+ "requirement": "recommended",
+ "description": "Describes details of a managed policy."
+ },
 "uid": {
 "description": "The identifier of the managed entity."
 },
+ "user": {
+ "requirement": "recommended"
+ },
 "version": {
 "description": "The version of the managed entity. For example: 1.2.3.",
 "requirement": "recommended"
 }
+ },
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "uid",
+ "device",
+ "group",
+ "org",
+ "policy",
+ "user"
+ ]
 }
 }
\ No newline at end of file
From b717f6f26ed6c0476c0cceea995e2ccbd610fbf1 Mon Sep 17 00:00:00 2001 From: Paul Agbabian Date: Thu, 23 May 2024 12:13:01 -0700 Subject: [PATCH 02/18] Added the email attribute and item to the type_id. Signed-off-by: Paul Agbabian --- objects/managed_entity.json | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/objects/managed_entity.json b/objects/managed_entity.json
index 43978a1b3..1c2cffc8e 100644
--- a/objects/managed_entity.json
+++ b/objects/managed_entity.json
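Review bot: The `type_id` enum added here defines only values 1–5, yet its own description tells producers to populate `type` with "the source specific name if Other", so there is no `Other` value to select and no `Unknown` for a source that cannot classify the entity; unless the schema tooling injects those automatically, add `"0": {"caption": "Unknown", "description": "The type is unknown."}` and `"99": {"caption": "Other", "description": "The type is not mapped. See the type attribute, which contains a data source specific value."}` to the enum. Related: `type_id` is only `recommended` and the new `at_least_one` constraint ties the object to `name`/`uid` or one of the sub-objects, so an event can carry a `device` object with `type_id` omitted or set to `User`; a consumer keying detections on `type_id` should not treat it as authoritative without cross-checking which sub-object is populated, which is worth stating in the description. The description also refers to a `data` attribute that is not declared in this hunk — presumably inherited from `_entity`, but that should be confirmed. The enclosing `attributes` object starts outside the hunk.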
@@ -1,6 +1,6 @@
 {
 "caption": "Managed Entity",
- "description": "The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.",
+ "description": "The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.",
 "extends": "_entity",
 "name": "managed_entity",
 "attributes": {
@@ -21,29 +21,36 @@
 "enum": {
 "1": {
 "caption": "Device",
- "description": "A managed Device entity."
+ "description": "A managed Device entity. This item corresponds to population of the device attribute."
 },
 "2": {
 "caption": "User",
- "description": "A managed User entity."
+ "description": "A managed User entity. This item corresponds to population of the user attribute."
 },
 "3": {
 "caption": "Group",
- "description": "A managed Group entity."
+ "description": "A managed Group entity. This item corresponds to population of the group attribute."
 },
 "4": {
 "caption": "Organization",
- "description": "A managed Organization entity."
+ "description": "A managed Organization entity. This item corresponds to population of the org attribute."
 },
 "5": {
 "caption": "Policy",
- "description": "A managed Policy entity."
+ "description": "A managed Policy entity. This item corresponds to population of the policy attribute."
+ },
+ "6": {
+ "caption": "Email",
+ "description": "A managed Email entity. This item corresponds to population of the email attribute."
 }
 }
 },
 "device": {
 "requirement": "recommended"
 },
+ "email": {
+ "requirement": "recommended"
+ },
 "group": {
 "requirement": "recommended"
 },
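Review bot: The new `email` attribute is not added to the `at_least_one` constraint, which the previous patch in this series defined as `name`, `uid`, `device`, `group`, `org`, `policy`, `user`; a Managed Entity with `type_id` 6 (Email) that carries only the `email` object and no `name`/`uid` would therefore fail validation even though the enum description says the email attribute is what this type corresponds to. Add `"email"` to the `at_least_one` list; the constraints block is outside this hunk, at the end of the file. Since the enum descriptions now document a one-to-one pairing between each `type_id` and a sub-object, the object description should also say whether populating more than one sub-object is allowed, as a consumer otherwise cannot tell which one is the subject of the event.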
From 7b7e0a4c7614eb8fc9ae62b6c17b3bdbd4c8fa03 Mon Sep 17 00:00:00 2001 From: Paul Agbabian Date: Wed, 29 May 2024 09:42:58 -0700 Subject: [PATCH 03/18] Updated Changelog with Managed Entity improvements. Signed-off-by: Paul Agbabian --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 69fb55655..b522e7fcb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -66,6 +66,7 @@ Thankyou! --> 2. Added `account`, `device`, `email`, `url`, `user` to `evidences` in detection finding. #1000 3. Added `state_id`, `state` to `Digital Signature` object. #1069 4. Added `ticket` to `Incident Finding` object. ticket. #1068 + 5. Added `type_id` and associated entity objects to `Managed Entity`. #1094 * #### Platform Extensions ### Bugfixes
From ddb36046defc8c79e1574e5f6347217539109f75 Mon Sep 17 00:00:00 2001 From: Paul Agbabian Date: Wed, 29 May 2024 10:12:14 -0700 Subject: [PATCH 04/18] Reordered CHANGELOG numbering to resolve conflict. Signed-off-by: Paul Agbabian --- CHANGELOG.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3d121a234..295cd51f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -66,13 +66,10 @@ Thankyou! --> 2. Added `account`, `device`, `email`, `url`, `user` to `evidences` in detection finding. #1000 3. Added `state_id`, `state` to `Digital Signature` object. #1069 4. Added `ticket` to `Incident Finding` object. ticket. #1068 -<<<<<<< HEAD - 5. Added `type_id` and associated entity objects to `Managed Entity`. #1094 -======= 5. Added `domain` to `Uniform Resource Locator` object. #1096 6. Added `reg_key` and `reg_value` to `Evidence Artifacts` object. #1078 - ->>>>>>> c12527dee8ebd45df67db3ae46d4ab843b5d8ec0 + 7. Added `type_id` and associated entity objects to `Managed Entity`. #1094 + * #### Platform Extensions ### Bugfixes
From 6ee8cbe232a3efeec1b487a63f13b3320cb78ff0 Mon Sep 17 00:00:00 2001
From: Michael Radka Date: Thu, 23 May 2024 14:25:39 -0400 Subject: [PATCH 05/18] Add activities Signed-off-by: Michael Radka --- events/iam/entity_management.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index 529d479d4..3c92fef4b 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -18,6 +18,21 @@
 },
 "4": {
 "caption": "Delete"
+ },
+ "5": {
+ "caption": "Enroll"
+ },
+ "6": {
+ "caption": "Activate"
+ },
+ "7": {
+ "caption": "Deactivate"
+ },
+ "8": {
+ "caption": "Suspend"
+ },
+ "9": {
+ "caption": "Unsuspend"
 }
 }
 },
From 75a2bad2d64d33cdc5035a2e399dd80733785e2e Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Thu, 23 May 2024 14:37:17 -0400 Subject: [PATCH 06/18] Add activity descriptions Signed-off-by: Michael Radka --- events/iam/entity_management.json | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index 3c92fef4b..9eda6d025 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -8,31 +8,40 @@
 "activity_id": {
 "enum": {
 "1": {
- "caption": "Create"
+ "caption": "Create",
+ "description": "Create a new managed entity."
 },
 "2": {
- "caption": "Read"
+ "caption": "Read",
+ "description": "Read an existing managed entity."
 },
 "3": {
- "caption": "Update"
+ "caption": "Update",
+ "description": "Update an existing managed entity."
 },
 "4": {
- "caption": "Delete"
+ "caption": "Delete",
+ "description": "Delete a managed entity."
 },
 "5": {
- "caption": "Enroll"
+ "caption": "Enroll",
+ "description": "Enroll an existing managed entity."
 },
 "6": {
- "caption": "Activate"
+ "caption": "Activate",
+ "description": "Activate an existing managed entity."
 },
 "7": {
- "caption": "Deactivate"
+ "caption": "Deactivate",
+ "description": "Deactivate an existing managed entity."
 },
 "8": {
- "caption": "Suspend"
+ "caption": "Suspend",
+ "description": "Suspend an existing managed entity."
 },
 "9": {
- "caption": "Unsuspend"
+ "caption": "Unsuspend",
+ "description": "Unsuspend an existing managed entity."
 }
 }
 },
From 38c698cbfaf571599877ab055e68fa0a4449c058 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Thu, 23 May 2024 14:39:20 -0400 Subject: [PATCH 07/18] Update changelog Signed-off-by: Michael Radka --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8668dbf4..8e54381f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -60,6 +60,7 @@ Thankyou! --> 2. Added entries to `injection_type_id` enum (`Process Activity`) and `activity_id` enum (`Memory Activity`). #1060 3. Added a `Restart`, `Enable`, `Disable`, and `Update` `activity_id` to the `Application Lifecycle` class. #1064 4. Added `ja4_fingerprint_list` to base network event class. #834 + 5. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Unsuspend` to the `Entity Management` class. #1095 * #### Profiles * #### Objects 1. Added `ext` to `File` object. #1046
From eb099c630d47dab518c4ff48287390c74b2c8434 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Thu, 23 May 2024 15:12:59 -0400 Subject: [PATCH 08/18] Add Move activity Signed-off-by: Michael Radka --- events/iam/entity_management.json | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index 9eda6d025..a8d842a1e 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -24,22 +24,26 @@
 "description": "Delete a managed entity."
 },
 "5": {
+ "caption": "Move",
+ "description": "Delete an existing managed entity."
+ },
+ "6": {
 "caption": "Enroll",
 "description": "Enroll an existing managed entity."
 },
- "6": {
+ "7": {
 "caption": "Activate",
 "description": "Activate an existing managed entity."
 },
- "7": {
+ "8": {
 "caption": "Deactivate",
 "description": "Deactivate an existing managed entity."
 },
- "8": {
+ "9": {
 "caption": "Suspend",
 "description": "Suspend an existing managed entity."
 },
- "9": {
+ "10": {
 "caption": "Unsuspend",
 "description": "Unsuspend an existing managed entity."
 }
From 4be307d297f079de609176402bb8ba65c4ac90f7 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Thu, 23 May 2024 15:22:54 -0400 Subject: [PATCH 09/18] Add enable/disable and update descs Signed-off-by: Michael Radka --- events/iam/entity_management.json | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index a8d842a1e..4276af11f 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -32,18 +32,26 @@
 "description": "Enroll an existing managed entity."
 },
 "7": {
- "caption": "Activate",
- "description": "Activate an existing managed entity."
+ "caption": "Enable",
+ "description": "Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
 },
 "8": {
- "caption": "Deactivate",
- "description": "Deactivate an existing managed entity."
+ "caption": "Disable",
+ "description": "Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
 },
 "9": {
+ "caption": "Activate",
+ "description": "Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
+ },
+ "10": {
+ "caption": "Deactivate",
+ "description": "Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
+ },
+ "11": {
 "caption": "Suspend",
 "description": "Suspend an existing managed entity."
 },
- "10": {
+ "12": {
 "caption": "Unsuspend",
 "description": "Unsuspend an existing managed entity."
 }
From 4c57e27257c65a17a876aa252304afbebf79abd5 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Thu, 23 May 2024 15:33:49 -0400 Subject: [PATCH 10/18] Add unenroll for symmetry Signed-off-by: Michael Radka --- events/iam/entity_management.json | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index 4276af11f..1618f1ff4 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
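Review bot: The Activate and Deactivate descriptions added here carry a grammatical slip, `This is a typically regarded as a transient change`, which should read `This is typically regarded as a transient change`; the Enable/Disable notes two entries above have the correct form, and no later patch in this series corrects it. Both notes also describe the change as `a change of state of the engine`, and "the engine" is defined nowhere in this class, so a mapper deciding between Enable/Disable and Activate/Deactivate for an account or device a management console turns off has no usable criterion; I would phrase the distinction in terms the schema already uses, e.g. `a transient runtime state change of the managed entity, as opposed to a persisted configuration change (see Enable/Disable)`, if that is the intended meaning. This patch renumbers ids 7–12 for the second time in the series, which is fine while the enum is unreleased but worth confirming, since consumers pin on the integer ids rather than the captions. The enclosing `activity_id` enum starts outside this hunk.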
@@ -32,26 +32,30 @@
 "description": "Enroll an existing managed entity."
 },
 "7": {
+ "caption": "Unenroll",
+ "description": "Unenroll an existing managed entity."
+ },
+ "8": {
 "caption": "Enable",
 "description": "Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
 },
- "8": {
+ "9": {
 "caption": "Disable",
 "description": "Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change."
 },
- "9": {
+ "10": {
 "caption": "Activate",
 "description": "Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
 },
- "10": {
+ "11": {
 "caption": "Deactivate",
 "description": "Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine."
 },
- "11": {
+ "12": {
 "caption": "Suspend",
 "description": "Suspend an existing managed entity."
 },
- "12": {
+ "13": {
 "caption": "Unsuspend",
 "description": "Unsuspend an existing managed entity."
 }
From 50e88f9a41f3ffc63e37659a67bacd6a940eeae6 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Tue, 28 May 2024 11:18:08 -0400 Subject: [PATCH 11/18] Update activity descriptions Signed-off-by: Michael Radka --- events/iam/entity_management.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index 1618f1ff4..f0316b112 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -25,7 +25,7 @@
 },
 "5": {
 "caption": "Move",
- "description": "Delete an existing managed entity."
+ "description": "Move an existing managed entity."
 },
 "6": {
 "caption": "Enroll",
@@ -57,7 +57,7 @@
 },
 "13": {
 "caption": "Unsuspend",
- "description": "Unsuspend an existing managed entity."
+ "description": "Unsuspend (Resume) an existing managed entity."
 }
 }
 },
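Review bot: `Unenroll an existing managed entity.` only restates the caption, and the neighbouring `Enroll an existing managed entity.` is confusing because for devices and users the enrollment event is often what makes the entity managed in the first place, so "existing" is not a given. Suggest describing the effect rather than the verb, e.g. `Enroll an entity into management; the entity may not have existed in the managing system before this event.` and `Remove an entity from management without deleting it (contrast with Delete).`, wording to be confirmed against the intended semantics. Unenroll (a device leaving MDM) is one of the events detection content cares most about, so its boundary against Delete and Disable should be explicit. The enclosing `activity_id` enum starts outside this hunk.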
From 81883d51426477fad6168d732c0a583962f09a9b Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Tue, 28 May 2024 11:20:05 -0400 Subject: [PATCH 12/18] Add clarity in activity desc Signed-off-by: Michael Radka --- events/iam/entity_management.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index f0316b112..5f3a0ef8f 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -25,7 +25,7 @@
 },
 "5": {
 "caption": "Move",
- "description": "Move an existing managed entity."
+ "description": "Move or rename an existing managed entity."
 },
 "6": {
 "caption": "Enroll",
From 07d57b29d330deff4af9890a2dc1a084631d49b4 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Tue, 28 May 2024 11:21:21 -0400 Subject: [PATCH 13/18] update casing Signed-off-by: Michael Radka --- events/iam/entity_management.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index 5f3a0ef8f..bf8f1a414 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -57,7 +57,7 @@
 },
 "13": {
 "caption": "Unsuspend",
- "description": "Unsuspend (Resume) an existing managed entity."
+ "description": "Unsuspend (resume) an existing managed entity."
 }
 }
 },
From 5c799b3ae420604a7830c59919a2b493860b43c7 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Wed, 29 May 2024 12:11:25 -0400 Subject: [PATCH 14/18] Update caption and desc Signed-off-by: Michael Radka --- events/iam/entity_management.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index bf8f1a414..6a770f733 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
@@ -56,8 +56,8 @@
 "description": "Suspend an existing managed entity."
 },
 "13": {
- "caption": "Unsuspend",
- "description": "Unsuspend (resume) an existing managed entity."
+ "caption": "Resume",
+ "description": "Resume (unsuspend) an existing managed entity."
 }
 }
 },
From 2dd900be34ed6e9b6bde79db6be28474bd342a57 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Wed, 29 May 2024 15:27:04 -0400 Subject: [PATCH 15/18] Update changelog Signed-off-by: Michael Radka --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8e54381f7..0879cbd03 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -60,7 +60,7 @@ Thankyou! --> 2. Added entries to `injection_type_id` enum (`Process Activity`) and `activity_id` enum (`Memory Activity`). #1060 3. Added a `Restart`, `Enable`, `Disable`, and `Update` `activity_id` to the `Application Lifecycle` class. #1064 4. Added `ja4_fingerprint_list` to base network event class. #834 - 5. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Unsuspend` to the `Entity Management` class. #1095 + 5. Added new activities `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Resume` to the `Entity Management` class. #1095 * #### Profiles * #### Objects 1. Added `ext` to `File` object. #1046
From ef6e5923671e29350f365a20cc71876966738b08 Mon Sep 17 00:00:00 2001 From: Michael Radka Date: Thu, 30 May 2024 13:20:31 -0400 Subject: [PATCH 16/18] Fix typo in actor desc Signed-off-by: Michael Radka --- events/iam/entity_management.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json
index 6a770f733..77e9550a0 100644
--- a/events/iam/entity_management.json
+++ b/events/iam/entity_management.json
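Review bot: After this rename `Suspend`/`Resume` is the only state-changing pair in the enum with no note on how it differs from `Disable`/`Deactivate`, both of which this series annotated, so a producer mapping an IdP "account suspended" or an MDM "device suspended" event has three candidates and no guidance; the Suspend line is context in this hunk, not changed. Suggest extending it to something like `Suspend an existing managed entity. Note: This is typically a temporary, reversible hold on the entity, reverted by Resume, as opposed to Disable which changes its persisted configuration.`, if that is the intended meaning. Separately, the CHANGELOG line updated in the next patch names only `Enroll`, `Activate`, `Deactivate`, `Suspend`, and `Resume`, omitting the `Move`, `Unenroll`, `Enable`, and `Disable` activities this series also adds to the same class. The enclosing `activity_id` enum starts outside this hunk.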
@@ -62,7 +62,7 @@
 }
 },
 "actor": {
- "description": "Use for when the entity acting upon another entity is a process or user.",
+ "description": "Used for when the entity acting upon another entity is a process or user.",
 "group": "context"
 },
 "comment": {
From 277d210f42a7ede761c29563f3bdf24f8d760852 Mon Sep 17 00:00:00 2001 From: Paul Agbabian Date: Thu, 30 May 2024 10:37:24 -0700 Subject: [PATCH 17/18] Corrected the bad link in the d3fend object description (duplicate https://) Signed-off-by: Paul Agbabian --- objects/d3fend.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/d3fend.json b/objects/d3fend.json
index a68847550..fbfccf3fd 100644
--- a/objects/d3fend.json
+++ b/objects/d3fend.json
@@ -1,7 +1,7 @@
 {
 "caption": "MITRE D3FEND™",
 "name": "d3fend",
- "description": "The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure as defined in DEFEND MatrixTM.",
+ "description": "The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure as defined in DEFEND MatrixTM.",
 "extends": "object",
 "attributes": {
 "d3f_tactic": {
From 7a8970d0856a924af4638e4bddd3b59c218af2ab Mon Sep 17 00:00:00 2001 From: Jeremy Fisher <106115283+query-jeremy@users.noreply.github.com> Date: Thu, 30 May 2024 14:30:57 -0500 Subject: [PATCH 18/18] Increasing ocsf-validator dependency to 0.2.x --- .github/workflows/deep-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deep-validate.yml b/.github/workflows/deep-validate.yml
index b1690d77b..45e4a4adc 100644
--- a/.github/workflows/deep-validate.yml
+++ b/.github/workflows/deep-validate.yml
@@ -20,7 +20,7 @@ jobs:
 python-version: '3.11'
 - name: Install validator
- run: python -m pip install 'ocsf-validator>=0.1.1,<0.2'
+ run: python -m pip install 'ocsf-validator>=0.2,<0.3'
 - name: Run validator
 shell: bash