Add security_control and host profiles to base_event.json

`security_control` and `host` are universally applicable in OCSF Both were applied in an ad-hoc manner _almost_ everywhere Also, sometimes the profile wasn't correctly applied (e.g. cloud_resources_inventory_info.json) This change enables providing a consistent interface with these profiles to downstream data consumers. Change optionality of `action_id` in `security_control` to `recommended` Also removed redundant profile declarations in event hierarchy (e.g. cloud in dhcp_activity.json) Profile declarations in objects left alone to facilitate "Referenced By" feature Signed-off-by: Mitchell Wasson <miwasson@cisco.com>
ocsf · Dec 9, 2024 · 6afd946 · 6afd946
1 parent f42effc
commit 6afd946
Show file tree

Hide file tree

Showing 27 changed files with 32 additions and 155 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -109,6 +109,8 @@ Thankyou! -->
     1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile.  #1178
     1. Added `policy` attribute to the `security_control` profile. #1178
     1. Added enum values to `action_id` of 'Observed', 'Modified', and 'Unknown'. #1265
+    1. Added `security_control` and `host` profiles to base_event.json #1270
+    1. Changed optionality of `action_id` in the `security_control` profile from `required` to `recommended` #1270
 * #### Objects
     1. Added `phone_number` to `user` and `ldap_person` objects. #1155
     1. Added `has_mfa` to `user` object. #1155

diff --git a/events/application/application_lifecycle.json b/events/application/application_lifecycle.json
@@ -5,9 +5,6 @@
   "extends": "application",
   "name": "application_lifecycle",
   "attributes": {
-    "$include": [
-      "profiles/host.json"
-    ],
     "activity_id": {
       "requirement": "required",
       "enum": {
@@ -50,8 +47,5 @@
       "group": "primary",
       "requirement": "required"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/application/datastore_activity.json b/events/application/datastore_activity.json
@@ -5,9 +5,6 @@
     "extends": "application",
     "name": "datastore_activity",
     "attributes": {
-        "$include": [
-            "profiles/security_control.json"
-        ],
         "activity_id": {
             "enum": {
                 "1": {
@@ -128,8 +125,5 @@
             "databucket",
             "table"
         ]
-    },
-    "profiles": [
-        "security_control"
-    ]
+    }
 }
diff --git a/events/application/scan_activity.json b/events/application/scan_activity.json
@@ -5,9 +5,6 @@
   "extends": "application",
   "name": "scan_activity",
   "attributes": {
-    "$include": [
-      "profiles/host.json"
-    ],
     "activity_id": {
       "enum": {
         "1": {
@@ -124,8 +121,5 @@
       "group": "primary",
       "requirement": "recommended"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/application/web_resource_access_activity.json b/events/application/web_resource_access_activity.json
@@ -10,7 +10,6 @@
   },
   "attributes": {
     "$include": [
-      "profiles/host.json",
       "profiles/network_proxy.json"
     ],
     "activity_id": {
@@ -65,7 +64,6 @@
     }
   },
   "profiles": [
-    "host",
     "network_proxy"
   ]
 }
diff --git a/events/application/web_resources_activity.json b/events/application/web_resources_activity.json
@@ -6,9 +6,7 @@
     "name": "web_resources_activity",
     "attributes": {
         "$include": [
-            "profiles/host.json",
-            "profiles/network_proxy.json",
-            "profiles/security_control.json"
+            "profiles/network_proxy.json"
         ],
         "activity_id": {
             "enum": {
@@ -81,8 +79,6 @@
         }
     },
     "profiles": [
-        "host",
-        "network_proxy",
-        "security_control"
+        "network_proxy"
     ]
 }
diff --git a/events/base_event.json b/events/base_event.json
@@ -7,7 +7,9 @@
     "$include": [
       "profiles/cloud.json",
       "profiles/datetime.json",
-      "profiles/osint.json"
+      "profiles/host.json",
+      "profiles/osint.json",
+      "profiles/security_control.json"
     ],
     "activity_id": {
       "group": "classification",
@@ -138,6 +140,8 @@
   "profiles": [
     "cloud",
     "datetime",
-    "osint"
+    "host",
+    "osint",
+    "security_control"
   ]
 }
diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json
@@ -66,8 +66,5 @@
       "resources",
       "table"
     ]
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/discovery/config_state.json b/events/discovery/config_state.json
@@ -18,8 +18,5 @@
       "group": "primary",
       "requirement": "required"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/discovery/device_config_state_change.json b/events/discovery/device_config_state_change.json
@@ -68,8 +68,5 @@
                 }
             }
         }
-    },
-    "profiles": [
-        "host"
-    ]
+    }
 }
diff --git a/events/discovery/discovery_result.json b/events/discovery/discovery_result.json
@@ -5,9 +5,6 @@
   "extends": "base_event",
   "name": "discovery_result",
   "attributes": {
-    "$include": [
-      "profiles/host.json"
-    ],
     "activity_id": {
       "enum": {
         "1": {
@@ -29,8 +26,5 @@
       "group": "primary",
       "requirement": "required"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/discovery/inventory_info.json b/events/discovery/inventory_info.json
@@ -14,8 +14,5 @@
       "group": "primary",
       "requirement": "required"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/discovery/patch_state.json b/events/discovery/patch_state.json
@@ -5,9 +5,6 @@
   "extends": "discovery",
   "name": "patch_state",
   "attributes": {
-    "$include": [
-      "profiles/host.json"
-    ],
     "device": {
       "group": "primary",
       "requirement": "required",
@@ -24,8 +21,5 @@
       "device.os.sp_ver",
       "device.os.version"
     ]
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/discovery/software_info.json b/events/discovery/software_info.json
@@ -33,8 +33,5 @@
       "group": "context",
       "requirement": "optional"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
@@ -5,9 +5,6 @@
     "extends": "finding",
     "name": "data_security_finding",
     "attributes": {
-        "$include": [
-            "profiles/security_control.json"
-        ],
         "activity_id": {
             "description": "The normalized identifier of the Data Security Finding activity.",
             "requirement": "required",
@@ -141,8 +138,5 @@
             "group": "primary",
             "requirement": "recommended"
         }
-    },
-    "profiles": [
-        "security_control"
-    ]
+    }
 }
diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
@@ -5,9 +5,6 @@
   "extends": "finding",
   "name": "detection_finding",
   "attributes": {
-    "$include": [
-      "profiles/security_control.json"
-    ],
     "confidence": {
       "profile": null,
       "group": "context",
@@ -81,8 +78,5 @@
       "group": "context",
       "requirement": "optional"
     }
-  },
-  "profiles": [
-    "security_control"
-  ]
+  }
 }
diff --git a/events/findings/finding.json b/events/findings/finding.json
@@ -5,9 +5,6 @@
   "extends": "base_event",
   "name": "finding",
   "attributes": {
-    "$include": [
-      "profiles/host.json"
-    ],
     "activity_id": {
       "description": "The normalized identifier of the finding activity.",
       "enum": {
@@ -97,8 +94,5 @@
     "vendor_attributes": {
       "requirement": "optional"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/iam/iam.json b/events/iam/iam.json
@@ -5,9 +5,6 @@
   "extends": "base_event",
   "name": "iam",
   "attributes": {
-    "$include": [
-      "profiles/host.json"
-    ],
     "http_request": {
       "description": "Details about the underlying HTTP request.",
       "group": "context",
@@ -23,8 +20,5 @@
       "group": "primary",
       "requirement": "recommended"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/network/dhcp_activity.json b/events/network/dhcp_activity.json
@@ -5,10 +5,6 @@
   "extends": "network",
   "name": "dhcp_activity",
   "attributes": {
-    "$include": [
-      "profiles/cloud.json",
-      "profiles/host.json"
-    ],
     "activity_id": {
       "requirement": "required",
       "enum": {
@@ -77,8 +73,5 @@
       "group": "primary",
       "requirement": "recommended"
     }
-  },
-  "profiles": [
-    "host"
-  ]
+  }
 }
diff --git a/events/network/email_activity.json b/events/network/email_activity.json
@@ -6,10 +6,6 @@
   "extends": "base_event",
   "name": "email_activity",
   "attributes": {
-    "$include": [
-      "profiles/host.json",
-      "profiles/security_control.json"
-    ],
     "activity_id": {
       "requirement": "optional",
       "enum": {
@@ -100,9 +96,5 @@
       "group": "primary",
       "requirement": "recommended"
     }
-  },
-  "profiles": [
-    "host",
-    "security_control"
-  ]
+  }
 }
diff --git a/events/network/email_file_activity.json b/events/network/email_file_activity.json
@@ -10,10 +10,6 @@
     "since": "1.3.0"
   },
   "attributes": {
-    "$include": [
-      "profiles/host.json",
-      "profiles/security_control.json"
-    ],
     "activity_id": {
       "requirement": "optional",
       "enum": {
@@ -38,9 +34,5 @@
       "group": "primary",
       "requirement": "required"
     }
-  },
-  "profiles": [
-    "host",
-    "security_control"
-  ]
+  }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -66,8 +66,5 @@ @@
           "resources",
           "table"
         ]
-      },
-      "profiles": [
-        "host"
-      ]
+      }
     }