Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding Device Config State Change event class #914

Merged
merged 8 commits into from
Jan 23, 2024

Conversation

maxhotta
Copy link
Contributor

@maxhotta maxhotta commented Jan 4, 2024

Used to report security state changes for managed entities.
This class was ported from the entity change event class that was part of the security category in the ICD schema.

Used to report security state changes for managed entities.
@maxhotta maxhotta added enhancement New feature or request non_breaking Non Breaking, backwards compatible changes application_activity Issues related to Application Activity Category labels Jan 4, 2024
@maxhotta maxhotta added the v1.1.0 Changes marked for v1.1.0 of OCSF label Jan 4, 2024
@pagbabian-splunk
Copy link
Contributor

A few questions: We have an Entity Management class in the IAM category, and this will be an Entity Change class but in the Application category. It has activities more akin to the Discovery category (i.e. Logged), rather than any actual update activities (so I guess, just logging the change?).

That's ok, as long as it is explainable - e.g. Discovery classes are proactive (e.g. scans for changes, vulns etc.) while other categories are what would be asynchronously received events for the most part.

This class logs security related changes to a Managed Entity - why is it in the Application category? What is the application, or is it an application layer service (e.g. Web, Email, Systems Management)? Could it live in the IAM category where the Entity Management class resides?

Three possible category choices: IAM, Discovery (only if proactive), and Application.

@maxhotta
Copy link
Contributor Author

maxhotta commented Jan 9, 2024

@pagbabian-splunk It's been a little while since we'd discussed this last, but the purpose for this class is to capture security related opstates like changes in the compliance or infected status of applications on devices. It was originally in the Security category of the ICD schema, but in the absence of that category, we'd thought that the application category made the most sense.

@maxhotta
Copy link
Contributor Author

@pagbabian-splunk Is the consensus that we move this class into the Discovery category?

@pagbabian-splunk
Copy link
Contributor

pagbabian-splunk commented Jan 12, 2024 via email

dictionary.json Outdated Show resolved Hide resolved
objects/security_state.json Outdated Show resolved Hide resolved
Copy link
Contributor

@pagbabian-splunk pagbabian-splunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a risk_level and risk_level_id, and a log_level. Can we not say current_security_level and just say security_level? It would imply current. Then we only need to call out prev_security_level to distinguish it. We have this convention for Registry: reg_key and prev_reg_key, reg_value and prev_reg_value.

@pagbabian-splunk
Copy link
Contributor

Very minor: our convention so far is to use prev_ not previous_ as with the Registry Key and Registry Value attributes. It's also shorter but still quite clear.

Copy link
Contributor

@floydtree floydtree left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Max!

@floydtree floydtree changed the title Entity Change event class: Adding Device Config State Change event class Jan 20, 2024
Copy link
Contributor

@jasonbreimer jasonbreimer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues.

@pagbabian-splunk pagbabian-splunk merged commit 8e5b57f into ocsf:main Jan 23, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
application_activity Issues related to Application Activity Category enhancement New feature or request non_breaking Non Breaking, backwards compatible changes v1.1.0 Changes marked for v1.1.0 of OCSF
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants