Resolve merge conflicts with main

Signed-off-by: Rebecca Senger <resenger@cisco.com>

CHANGELOG.md

@@ -49,6 +49,7 @@ Thankyou! -->
     1. Added `Script Activity` event class to the System category. #1159
     1. Added `Startup Item Query` event class. #1119
     1. Added `Drone Flights Activity` event class to the Unmanned Systems category. #1169
+    1. Added `Cloud Resources Inventory Info` event class to the Discovery category. #1250
 * #### Dictionary Attributes
     1. Added `has_mfa` as a `boolean_t`. #1155
     1. Added `environment_variables` as an array of `environment_variable` object. #1172
@@ -71,6 +72,7 @@ Thankyou! -->
     1. Added `is_encrypted` as `boolean_t`; `column_name`, `cell_name`, `storage_class`, `key_uid`, `json_path` as `string_t` & `column_number`, `row_number`, `page_number`, `record_index_in_array` as `integer_t`. #1245
     1. Added `group_provisioning_enabled`, `scim_group_schema`, `user_provisioning_enabled`, `scim_user_schema`, `scopes`, `idle_timeout`, `login_endpoint`, `logout_endpoint`, and `metadata_url` entries to the dictionary to support the new `scim` and `sso` objects. #1239
     1. Added new `11: Basic Authentication` enum value to `auth_protocol_id`. #1239
+    1. Added `values` as an array of `string_t`. #1251
     1. Added `kernel_release` as a `string_t`.
 * #### Objects
     1. Added `environment_variable` object. #1172
@@ -89,6 +91,7 @@ Thankyou! -->
     1. Added `risk_details` to `data_security_finding` class. #1178
     1. Removed constraint from `group_management` class. #1193
     1. Added `Archived|5` as an enum item to `status_id` attribute in Findings classes. #1219
+    1. Added a `Trace` `activity_id` to the `Email Activity` class. #1252
 * #### Profiles
     1. Added `is_alert`, `confidence_id`, `confidence`,  `confidence_score` attributes to the `security_control` profile. #1178
     1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile.  #1178
@@ -121,7 +124,12 @@ Thankyou! -->
     1. Added `discovery_details`, `occurrence_details`, `status` trio, `total`, `uid`, `size`, & `src_url` to the `data_classification` object. #1245
     1. `data_bucket` object now inherits `resource_details` instead of `_entity`. Also, added `encryption_details` object to the `data_bucket` object. #1245
     1. Added `auth_factors`, `domain`, `fingerprint`, `has_mfa`, `issuer`, `protocol_name`, `scim`, `sso`, `state`, `state_id`, `tenant_uid`, and `uid` to `idp`. #1239
+<<<<<<< HEAD
     1. Added `kernel_release` to `os` object.
+=======
+    1. Added `hostname`, `ip`, and `name` to `resource_details` for purposes of assigning an Observable number. #1250
+    1. Added `values` to `key_value_object`. #1251
+>>>>>>> 5ac9b788383a2ca54680aef0c205922a60249a7c
 
 ### Bugfixes
 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180
@@ -170,7 +178,7 @@ Thankyou! -->
 1. Fixed minor spelling mistakes in attribute descriptions in `dictionary.json`. #1213
 1. In the metaschema, added support for `@deprecated` in enum values. #1237
 1. Fixed some more formatting of attribute descriptions in `dictionary.json` and `idp.json`. #1239
-
+1. Added `resource_details.name` as an Observable type `type_id: 38`. #1250
 
 ## [v1.3.0] - August 1st, 2024
 

NOTICE

@@ -1,15 +1,9 @@
 Open Cybersecurity Schema Framework
 
-This project includes the ICD Schema developed by Symantec, a division of Broadcom.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Copyright © OCSF a Series of LF Projects, LLC
+For web site terms of use, trademark policy and other project policies please see https://lfprojects.org.
 
-    http://www.apache.org/licenses/LICENSE-2.0
+This project includes the ICD Schema developed by Symantec, a division of Broadcom.
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+Licensed under the Apache 2 license.
+Refer to the Apache 2 license in the file LICENSE.

dictionary.json

@@ -1183,7 +1183,8 @@
     "country": {
       "observable": 14,
       "caption": "Country",
-      "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see <a target='_blank' href='https://www.iso.org/obp/ui/#iso:pub:PUB500001:en' >ISO 3166-1 alpha-2 codes</a>.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>",
+      "references": [{"url": "https://www.iso.org/obp/ui/#iso:pub:PUB500001:en", "description": "ISO 3166-1 alpha-2 codes"}],
+      "description": "The ISO 3166-1 Alpha-2 country code.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>",
       "type": "string_t"
     },
     "cpe_name": {
@@ -3362,7 +3363,8 @@
     },
     "package": {
       "caption": "Software Package",
-      "description": "The Software Package object describes details about a software package. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/'>d3f:SoftwarePackage</a>.",
+      "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/", "description": "D3FEND™ Ontology d3f:SoftwarePackage."}],
+      "description": "The Software Package object describes details about a software package.",
       "type": "package"
     },
     "package_manager": {
@@ -5041,9 +5043,15 @@
     },
     "value": {
       "caption": "Value",
-      "description": "The value that pertains to the object. See specific usage.",
+      "description": "The value associated to an attribute. See specific usage.",
       "type": "string_t"
     },
+    "values": {
+      "caption": "Values",
+      "description": "An array of values associated to an attribute. See specific usage.",
+      "type": "string_t",
+      "is_array": true
+    },
     "variable_name": {
       "caption": "Variable Name",
       "description": "The name of a variable. See specific usage.",

events/discovery/cloud_resources_inventory_info.json

@@ -0,0 +1,73 @@
+{
+  "uid": 23,
+  "caption": "Cloud Resources Inventory Info",
+  "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
+  "extends": "discovery",
+  "name": "cloud_resources_inventory_info",
+  "attributes": {
+    "cloud": {
+      "profile": null,
+      "description": "Cloud service provider or SaaS platform metadata about the cloud resource(s) that are being discovered by an inventory process.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "cloud_partition": {
+      "profile": null,
+      "description": "The cloud partition where the resource is located, e.g., <code>aws-isob</code>, <code>Azure US DoD</code>, etc.",
+      "group": "context",
+      "requirement": "recommended"
+    },
+    "container": {
+      "profile": null,
+      "description": "A cloud-based container image or running container discovered by an inventory process.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "database": {
+      "description": "A cloud-based database discovered by an inventory process.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "databucket": {
+      "description": "A cloud-based data bucket or other object storage discovered by an inventory process.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "idp": {
+      "description": "The Identity Provider that is being discovered by an inventory process, or that is related to the cloud resource(s) being discovered by an inventory process.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "region": {
+      "profile": null,
+      "description": "The cloud region where the resource is located, e.g., <code>us-isof-south-1</code>, <code>eastus2</code>, <code>us-central1</code>, etc.",
+      "group": "context",
+      "requirement": "recommended"
+    },
+    "resources": {
+      "caption": "Cloud Resources",
+      "description": "The cloud resource(s) that are being discovered by an inventory process. Use this object if there is not a direct object match in the class.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "table": {
+      "description": "A cloud-based database table discovered by an inventory process.",
+      "group": "primary",
+      "requirement": "recommended"
+    }
+  },
+  "constraints": {
+    "at_least_one": [
+      "cloud",
+      "container",
+      "database",
+      "databucket",
+      "idp",
+      "resources",
+      "table"
+    ]
+  },
+  "profiles": [
+    "host"
+  ]
+}

events/network/email_activity.json

@@ -22,6 +22,10 @@
         "3": {
           "caption": "Scan",
           "description": "Email being scanned (example: security scanning)"
+        },
+        "4": {
+          "caption": "Trace",
+          "description": "Follow an email message as it travels through an organization. For example: <a target='_blank' href='https://learn.microsoft.com/en-us/Exchange/monitoring/trace-an-email-message/message-trace-modern-eac'>O365 Email Message Trace</a>."
         }
       }
     },

objects/certificate.json

@@ -1,8 +1,9 @@
 {
   "caption": "Digital Certificate",
   "name": "certificate",
+  "description": "The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity.",
   "extends": "object",
-  "description": "The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Certificate/'>d3f:Certificate</a>.",
+  "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Certificate/", "description": "D3FEND™ Ontology d3f:Certificate."}],
   "attributes": {
     "created_time": {
       "description": "The time when the certificate was created.",

objects/d3f_tactic.json

@@ -1,15 +1,18 @@
 {
   "caption": "MITRE D3FEND™ Tactic",
-  "description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>.",
-  "extends": "_entity",
   "name": "d3f_tactic",
+  "description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack",
+  "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
+  "extends": "_entity",
   "attributes": {
     "name": {
-      "description": "The tactic name that is associated with the defensive technique, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>Isolate</code>.",
+      "description": "The tactic name that is associated with the defensive technique. For example: <code>Isolate</code>.",
+      "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
       "requirement" : "optional"
     },    
     "src_url": {
-      "description": "The versioned permalink of the defensive tactic, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>https://d3fend.mitre.org/tactic/d3f:Isolate/</code>.",
+      "description": "The versioned permalink of the defensive tactic. For example: <code>https://d3fend.mitre.org/tactic/d3f:Isolate/</code>.",
+      "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
       "requirement" : "optional"
     }
   }

objects/d3f_technique.json

@@ -1,18 +1,22 @@
 {
   "caption": "MITRE DEFEND™ Technique",
-  "description": "The MITRE DEFEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>.",
-  "extends": "_entity",
   "name": "d3f_technique",
+  "description": "The MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure.",
+  "references": [{"url": "href='https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
+  "extends": "_entity",
   "attributes": {
     "name": {
-      "description": "The name of the defensive technique, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>IO Port Restriction</code>."
+      "description": "The name of the defensive technique. For example: <code>IO Port Restriction</code>.",
+      "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}]
     },
     "src_url": {
-      "description": "The versioned permalink of the defensive technique, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>https://d3fend.mitre.org/technique/d3f:IOPortRestriction/</code>.",
+      "description": "The versioned permalink of the defensive technique. For example: <code>https://d3fend.mitre.org/technique/d3f:IOPortRestriction/</code>.",
+      "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
       "requirement" : "optional"
     },
     "uid": {
-      "description": "The unique identifier of the defensive technique, as defined by <a target='_blank' href='https://mitre.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>D3-IOPR</code>."
+      "description": "The unique identifier of the defensive technique. For example: <code>D3-IOPR</code>.",
+      "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}]
     }
   }
 }

objects/d3fend.json

@@ -1,19 +1,20 @@
 {
     "caption": "MITRE D3FEND™",
     "name": "d3fend",
-    "description": "The <a target='_blank' href='https://d3fend.mitre.org'>MITRE D3FEND™</a> object describes the tactic, technique & sub-technique associated with a countermeasure as defined in <a target='_blank' href='https://d3fend.mitre.org/'>DEFEND Matrix<sup>TM</sup></a>.",
+    "description": "The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure.",
+    "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
     "extends": "object",
     "attributes": {
       "d3f_tactic": {
-        "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND Matrix<sup>TM</sup></a>.",
+        "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure.",
         "requirement": "recommended"
       },
       "d3f_technique": {
-        "description": "The Defend Technique object describes the technique ID and/or name associated with a countermeasure, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND Matrix<sup>TM</sup></a>.",
+        "description": "The Technique object describes the technique ID and/or name associated with a countermeasure.",
         "requirement": "recommended"
       },
       "version": {
-        "description": "The <a target='_blank' href='https://d3fend.mitre.org'>D3FEND Matrix<sup>TM</sup></a> version.",
+        "description": "The D3FEND™ Matrix version.",
         "requirement": "recommended"
       }
     },

objects/dce_rpc.json

@@ -1,7 +1,8 @@
 {
   "caption": "DCE/RPC",
   "name": "dce_rpc",
-  "description": "The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:RemoteProcedureCall/'>d3f:RemoteProcedureCall</a>.",
+  "description": "The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments.",
+  "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:RemoteProcedureCall/", "description": "D3FEND™ Ontology d3f:RemoteProcedureCall."}],
   "extends": "object",
   "attributes": {
     "command": {

objects/device.json

@@ -1,8 +1,9 @@
 {
   "caption": "Device",
-  "description": "The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Host/'>d3f:Host</a>.",
-  "extends": "endpoint",
   "name": "device",
+  "description": "The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.",
+  "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Host/", "description": "D3FEND™ Ontology d3f:Host."}],
+  "extends": "endpoint",
   "attributes": {
     "autoscale_uid": {
       "requirement": "optional"

objects/dns_query.json

@@ -2,7 +2,8 @@
   "caption": "DNS Query",
   "name": "dns_query",
   "extends": "_dns",
-  "description": "The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX). Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:DNSLookup/'>d3f:DNSLookup</a>.",
+  "description": "The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX).",
+  "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:DNSLookup/", "description": "D3FEND™ Ontology d3f:DNSLookup."}],
   "attributes": {
     "hostname": {
       "description": "The hostname or domain being queried. For example: <code>www.example.com</code>",

objects/email.json

@@ -1,7 +1,8 @@
 {
   "caption": "Email",
-  "description": "The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Email/'>d3f:Email</a>.",
   "name": "email",
+  "description": "The Email object describes the email metadata such as sender, recipients, and direction.",
+  "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Email/", "description": "D3FEND™ Ontology d3f:Email."}],
   "extends": "object",
   "observable": 22,
   "profiles": [

objects/endpoint.json

@@ -1,8 +1,8 @@
 {
   "caption": "Endpoint",
+  "name": "endpoint",
   "description": "The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints.",
   "extends": "_entity",
-  "name": "endpoint",
   "observable": 20,
   "profiles": [
     "container"