diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca9c2328c..14eef1663 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,7 @@ Thankyou! -->
1. Added `Script Activity` event class to the System category. #1159
1. Added `Startup Item Query` event class. #1119
1. Added `Drone Flights Activity` event class to the Unmanned Systems category. #1169
+ 1. Added `Cloud Resources Inventory Info` event class to the Discovery category. #1250
* #### Dictionary Attributes
1. Added `has_mfa` as a `boolean_t`. #1155
1. Added `environment_variables` as an array of `environment_variable` object. #1172
@@ -68,12 +69,21 @@ Thankyou! -->
1. Added `altitude_ceiling`, `altitude_floor`, `geodetic_altitude`, `aerial_height`, `horizontal_accuracy`, `pressure_altitude`, `radius`, `speed`, `track_direction`, and `vertical_speed` all to support `operating_area` and `unmanned_aerial_system` objects. #1169
1. Added `variable_name` and `variable_value` as `long_string`. #1228
1. Added `imei_list` as an array `string_t`. #1225
+ 1. Added `is_encrypted` as `boolean_t`; `column_name`, `cell_name`, `storage_class`, `key_uid`, `json_path` as `string_t` & `column_number`, `row_number`, `page_number`, `record_index_in_array` as `integer_t`. #1245
+ 1. Added `group_provisioning_enabled`, `scim_group_schema`, `user_provisioning_enabled`, `scim_user_schema`, `scopes`, `idle_timeout`, `login_endpoint`, `logout_endpoint`, and `metadata_url` entries to the dictionary to support the new `scim` and `sso` objects. #1239
+ 1. Added new `11: Basic Authentication` enum value to `auth_protocol_id`. #1239
+ 1. Added `values` as an array of `string_t`. #1251
+ 1. Added `kernel_release` as a `string_t`. #1249
* #### Objects
1. Added `environment_variable` object. #1172
1. Added `advisory` object. #1176
1. Added a generic `key_value_object` object. #1219
1. Added `unmanned_aerial_system` and `unmanned_system_operating_area` objects. #1169
1. Added a `long_string` object. #1228
+ 1. Added `discovery_details`, `encryption_details`, `occurrence_details` objects. #1245
+ 1. Added `scim` object. #1239
+ 1. Added `sso` object. #1239
+ 1. Added `vendor_attributes` object. #1257
### Improved
* #### Event Classes
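Review bot: the attribute names in the `#1239` entry do not match what the dictionary hunks later in this patch add. The changelog lists `group_provisioning_enabled`, `user_provisioning_enabled` and `metadata_url`, while dictionary.json adds `is_group_provisioning_enabled`, `is_user_provisioning_enabled` and `metadata_endpoint`; use the dictionary names so the changelog can be searched against the schema. Also, `classifier_details` is added to the dictionary and as a new object file in this patch but appears in no changelog line under Dictionary Attributes or Objects.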
@@ -82,10 +92,13 @@ Thankyou! -->
1. Added `risk_details` to `data_security_finding` class. #1178
1. Removed constraint from `group_management` class. #1193
1. Added `Archived|5` as an enum item to `status_id` attribute in Findings classes. #1219
+ 1. Added a `Trace`, `activity_id` to the `Email Activity` class. #1252
+ 1. Added `vendor_attributes` to all `Findings` Category classes. #1257
* #### Profiles
- 1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178
+ 1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178
1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile. #1178
1. Added `policy` attribute to the `security_control` profile. #1178
+ 1. Added enum values to `action_id` of 'Observed', 'Modified', and 'Unknown'. #1265
* #### Objects
1. Added `phone_number` to `user` and `ldap_person` objects. #1155
1. Added `has_mfa` to `user` object. #1155
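Review bot: the `#1252` line reads "Added a `Trace`, `activity_id` to the `Email Activity` class", which is ungrammatical; phrase it like the `Archived|5` entry two lines above, e.g. "Added `Trace|4` as an `activity_id` enum value to the `Email Activity` class". The `#1178` line is removed and re-added with identical text, which suggests a whitespace-only change; if that is intended it is fine, otherwise drop it from the diff. The `#1265` line under Profiles does not say which profile's `action_id` gained 'Observed', 'Modified' and 'Unknown'; name the profile.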
@@ -111,6 +124,13 @@ Thankyou! -->
1. Added `location` to `managed_entity`. #1169
1. Added `imei_list` to the `device` object. #1225
1. Added `tls` and `ja4_fingerprint_list` object to the evidences object. #1244
+ 1. Added `storage_class` & `is_public` as `cloud` profile attributes to `file` object. Also added `is_encrypted`, `encryption_details`, `tags` to the `file` object. #1245
+ 1. Added `discovery_details`, `occurrence_details`, `status` trio, `total`, `uid`, `size`, & `src_url` to the `data_classification` object. #1245
+ 1. `data_bucket` object now inherits `resource_details` instead of `_entity`. Also, added `encryption_details` object to the `data_bucket` object. #1245
+ 1. Added `auth_factors`, `domain`, `fingerprint`, `has_mfa`, `issuer`, `protocol_name`, `scim`, `sso`, `state`, `state_id`, `tenant_uid`, and `uid` to `idp`. #1239
+ 1. Added `hostname`, `ip`, and `name` to `resource_details` for purposes of assigning an Observable number. #1250
+ 1. Added `values` to `key_value_object`. #1251
+ 1. Added `kernel_release` to `os` object. #1249
### Bugfixes
1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180
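Review bot: the `#1245` line that switches `data_bucket` from `_entity` to `resource_details` changes the object's whole inherited attribute set, which an "Improved" note does not convey; spell out that `data_bucket` now carries every `resource_details` attribute so consumers reading the changelog notice the shape change. The `#1250` line says `hostname`, `ip` and `name` were added to `resource_details` "for purposes of assigning an Observable number", but only `resource_details.name` receives a `type_id` in the Misc section of this patch; say that the other two reuse existing observable types, or add their entries.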
@@ -125,6 +145,8 @@ Thankyou! -->
1. Deprecated `tag` in favor of `labels` or `tags` in `image` & `container` object. #1207
1. Deprecated `status_detail` in favor of `status_details` in `compliance object. #1219
1. Deprecated `imei` in favor of `imei_list` in `device` object. #1225
+1. Deprecated `data_classification` in favor of `data_classifications` in the `data_classification` profile. #1245
+1. Deprecated activity_id `4|Suppressed` in the Data Security Finding event class. This shouldn't have been added when we first created it, as the right place for this info is `status_id`. #1245
### Misc
1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
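Review bot: the second sentence of the `#1245` deprecation line ("This shouldn't have been added when we first created it ...") is rationale rather than a change record; keep the entry to the deprecation and its replacement (`status_id`) and leave the reasoning in the PR. The two added lines here also start with `1.` at column 0 while the added list items in the earlier hunks of this file carry a leading space; make the indentation match the surrounding items so the nested list renders consistently.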
@@ -156,6 +178,8 @@ Thankyou! -->
- The `source` and `references` attributes are also supported in when extending or patching event classes and objects.
1. Fixed minor spelling mistakes in attribute descriptions in `dictionary.json`. #1213
1. In the metaschema, added support for `@deprecated` in enum values. #1237
+1. Fixed some more formatting of attribute descriptions in `dictionary.json` and `idp.json`. #1239
+1. Added `resource_details.name` as an Observable type `type_id: 38`. #1250
## [v1.3.0] - August 1st, 2024
diff --git a/NOTICE b/NOTICE
index 9be492fbf..2d0e48011 100644
--- a/NOTICE
+++ b/NOTICE
@@ -1,15 +1,9 @@
Open Cybersecurity Schema Framework
-This project includes the ICD Schema developed by Symantec, a division of Broadcom.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
+Copyright © OCSF a Series of LF Projects, LLC
+For web site terms of use, trademark policy and other project policies please see https://lfprojects.org.
- http://www.apache.org/licenses/LICENSE-2.0
+This project includes the ICD Schema developed by Symantec, a division of Broadcom.
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+Licensed under the Apache 2 license.
+Refer to the Apache 2 license in the file LICENSE.
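Review bot: "Licensed under the Apache 2 license" should use the license's formal name, "Apache License, Version 2.0" (SPDX identifier `Apache-2.0`), as the removed lines did, so license scanners and readers identify it unambiguously; and make sure the `LICENSE` file the new text points to actually exists in the repository, since the NOTICE no longer carries the license text itself.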
diff --git a/dictionary.json b/dictionary.json
index 1a9476673..9962003e7 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -251,7 +251,7 @@
},
"auth_protocol": {
"caption": "Auth Protocol",
- "description": "The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source.",
+ "description": "The authentication protocol as defined by the caption of auth_protocol_id
. In the case of Other
, it is defined by the event source.",
"type": "string_t"
},
"auth_protocol_id": {
@@ -294,6 +294,9 @@
"10": {
"caption": "RADIUS"
},
+ "11": {
+ "caption": "Basic Authentication"
+ },
"99": {
"caption": "Other",
"description": "The authentication protocol is not mapped. See the auth_protocol
attribute, which contains a data source specific value."
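Review bot: the new `11` value "Basic Authentication" has no description or `references` entry, unlike the RFC-defined attributes elsewhere in this patch that gained one; add a reference to RFC 7617 (The 'Basic' HTTP Authentication Scheme) and a one-line description stating that this is the HTTP scheme, where credentials travel base64-encoded and rely on TLS for confidentiality, so producers do not use it for any generic username/password login and consumers can reason about the risk of events carrying it.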
@@ -786,9 +789,15 @@
"cc": {
"caption": "Cc",
"description": "The email header Cc values, as defined by RFC 5322.",
+ "references": [{"url": "https://www.rfc-editor.org/rfc/rfc5322", "description": "RFC 5322"}],
"type": "email_t",
"is_array": true
},
+ "cell_name": {
+ "caption": "Cell Name",
+ "description": "The name of the cell. See specific usage.",
+ "type": "string_t"
+ },
"certificate": {
"caption": "Certificate",
"description": "The certificate object containing information about the digital certificate.",
@@ -896,6 +905,11 @@
"type": "string_t",
"is_array": true
},
+ "classifier_details": {
+ "caption": "Classifier Details",
+ "description": "Describes details about the classifier used for data classification.",
+ "type": "classifier_details"
+ },
"client_ciphers": {
"caption": "Client Cipher Suites",
"description": "The client cipher suites that were exchanged during the TLS handshake negotiation.",
@@ -945,6 +959,16 @@
"description": "The numeric color depth.",
"type": "integer_t"
},
+ "column_name": {
+ "caption": "Column Name",
+ "description": "The name of the column. See specific usage.",
+ "type": "string_t"
+ },
+ "column_number": {
+ "caption": "Column Number",
+ "description": "The number of the column. See specific usage.",
+ "type": "integer_t"
+ },
"command": {
"caption": "Command",
"description": "The command name.",
@@ -1160,7 +1184,8 @@
"country": {
"observable": 14,
"caption": "Country",
- "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.
Note: The two letter country code should be capitalized. For example: US
or CA
.
Note: The two letter country code should be capitalized. For example: US
or CA
.
Discovery Details
objects. See specific usage.",
+ "type": "discovery_details",
+ "is_array": true
+ },
"dispersion": {
"caption": "Root Dispersion",
"description": "The dispersion in the NTP protocol is the estimated time error or uncertainty relative to the reference clock in milliseconds.",
@@ -1831,6 +1868,11 @@
"description": "The employee identifier assigned to the user by the organization.",
"type": "string_t"
},
+ "encryption_details": {
+ "caption": "Encryption Details",
+ "description": "The encryption details of a file or other content. See specific usage.",
+ "type": "encryption_details"
+ },
"end_line": {
"caption": "End Line",
"description": "The line number of the last line of code block identified as vulnerable.",
@@ -2129,6 +2171,7 @@
"from": {
"caption": "From",
"description": "The email header From values, as defined by RFC 5322.",
+ "references": [{"url": "https://www.rfc-editor.org/rfc/rfc5322", "description": "RFC 5322"}],
"type": "email_t"
},
"full_name": {
@@ -2282,6 +2325,11 @@
"description": "The client identifier cookie during client/server exchange.",
"type": "string_t"
},
+ "idle_timeout": {
+ "caption": "SSO Idle Timeout",
+ "description": "Duration (in minutes) of allowed inactivity before a timeout See specific usage.",
+ "type": "integer_t"
+ },
"idp": {
"caption": "Identity Provider",
"description": "This object describes details about the Identity Provider used.",
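Review bot: the `idle_timeout` description is missing a period before "See specific usage" ("...before a timeout See specific usage."). The minutes unit lives only in the description text; consider surfacing it in the caption ("SSO Idle Timeout (minutes)") so consumers comparing session timeouts across sources do not mix minutes and seconds.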
@@ -2513,6 +2561,11 @@
"description": "Indicates if the entity was deleted. See specific usage.",
"type": "boolean_t"
},
+ "is_encrypted": {
+ "caption": "Encrypted",
+ "description": "Indicates if the entity was encrypted. See specific usage.",
+ "type": "boolean_t"
+ },
"is_exploit_available": {
"caption": "Exploit Availability",
"description": "Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.",
@@ -2523,6 +2576,11 @@
"description": "Indicates if a fix is available for the reported vulnerability.",
"type": "boolean_t"
},
+ "is_group_provisioning_enabled": {
+ "caption": "Group Provisioning Enabled",
+ "description": "Indicates whether group provisioning is automated (e.g., for a SCIM resource). See specific usage.",
+ "type": "boolean_t"
+ },
"is_hotp": {
"caption": "HMAC-based One-time Password (HOTP)",
"description": "Whether the authentication factor is an HMAC-based One-time Password (HOTP).",
@@ -2613,6 +2671,11 @@
"description": "The event occurred on a trusted device.",
"type": "boolean_t"
},
+ "is_user_provisioning_enabled": {
+ "caption": "User Provisioning Enabled",
+ "description": "Indicates whether user provisioning is automated (e.g., for a SCIM resource). See specific usage.",
+ "type": "boolean_t"
+ },
"is_vpn": {
"caption": "VPN Session",
"description": "The indication of whether the session is a VPN session.",
@@ -2654,6 +2717,11 @@
"description": "The user's job title.",
"type": "string_t"
},
+ "json_path": {
+ "caption": "JSON Path",
+ "description": "The JSON path of the attribute. See specific usage.",
+ "type": "string_t"
+ },
"kb_article_list": {
"caption": "Knowledgebase Articles",
"description": "A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.",
@@ -2675,11 +2743,21 @@
"description": "The kernel resource object that pertains to the event.",
"type": "kernel"
},
+ "kernel_release": {
+ "caption": "Kernel Release",
+ "description": "The kernel release of the operating system. On Unix-based systems, this is determined from the uname -r
command output, for example \"5.15.0-122-generic\".",
+ "type": "string_t"
+ },
"key_length": {
"caption": "Key Length",
"description": "The length of the encryption key.",
"type": "integer_t"
},
+ "key_uid": {
+ "caption": "Key UID",
+ "description": "The unique identifier of the key. See specific usage.",
+ "type": "string_t"
+ },
"keyboard_info": {
"caption": "Keyboard Information",
"description": "The keyboard detailed information.",
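Review bot: `key_uid` is described only as "The unique identifier of the key. See specific usage.", which is ambiguous in a dictionary that also has `key_length` and certificate keys; say that it identifies the encryption key (for example a KMS key identifier) used by the `encryption_details` object this patch adds alongside it. The `kernel_release` description is clear, but the `uname -r` example "5.15.0-122-generic" should be marked as illustrative rather than as a format, since other platforms report different strings.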
@@ -2960,6 +3038,16 @@
}
}
},
+ "login_endpoint": {
+ "caption": "Login Endpoint",
+ "description": "URL for initiating a login request. See specific usage.",
+ "type": "url_t"
+ },
+ "logout_endpoint": {
+ "caption": "Logout Endpoint",
+ "description": "URL for initiating a logout request. See specific usage.",
+ "type": "url_t"
+ },
"long": {
"caption": "Longitude",
"description": "The geographical Longitude coordinate represented in Decimal Degrees (DD). For example: -71.057083
.",
@@ -3000,6 +3088,7 @@
"message_uid": {
"caption": "Message UID",
"description": "The email header Message-ID value, as defined by RFC 5322.",
+ "references": [{"url": "https://www.rfc-editor.org/rfc/rfc5322", "description": "RFC 5322"}],
"type": "string_t"
},
"metadata": {
@@ -3007,6 +3096,11 @@
"description": "The metadata associated with the event or a finding.",
"type": "metadata"
},
+ "metadata_endpoint": {
+ "caption": "Metadata Endpoint",
+ "description": "URL where metadata about a configuration or resource is available (e.g., for SAML configurations). See specific usage.",
+ "type": "url_t"
+ },
"metrics": {
"caption": "Metrics",
"description": "The general purpose metrics associated with the event. See specific usage.",
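Review bot: `metadata_endpoint` is named `metadata_url` in the CHANGELOG entry for #1239; pick one name and use it in both places. Since `login_endpoint`, `logout_endpoint` and `metadata_endpoint` are all `url_t` and all attached to the `sso` object, the descriptions should state whose endpoints they are (the Identity Provider's, per the `sso` description) so consumers do not confuse them with service-provider URLs.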
@@ -3147,6 +3241,11 @@
"type": "observable",
"is_array": true
},
+ "occurrence_details": {
+ "caption": "Occurrence Details",
+ "description": "Details about where in the target entity, specified information was discovered. See specific usage.",
+ "type": "occurrence_details"
+ },
"office_location": {
"caption": "Office Location",
"description": "The primary office location associated with the user. This could be any string and isn't a specific address. For example, South East Virtual
.",
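Review bot: `occurrence_details` is declared as a single object while `discovery_details`, added earlier in this file, carries `"is_array": true`; a discovered data item can occur in several places in a file or table, and the description itself says "where in the target entity", so check whether this should also be an array. The comma in "Details about where in the target entity, specified information was discovered" is misplaced; "Details about where in the target entity the specified information was discovered" reads correctly.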
@@ -3267,7 +3366,8 @@
},
"package": {
"caption": "Software Package",
- "description": "The Software Package object describes details about a software package. Defined by D3FEND d3f:SoftwarePackage.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/", "description": "D3FEND™ Ontology d3f:SoftwarePackage."}],
+ "description": "The Software Package object describes details about a software package.",
"type": "package"
},
"package_manager": {
@@ -3305,6 +3405,11 @@
"description": "The number of packets sent from the source to the destination.",
"type": "long_t"
},
+ "page_number": {
+ "caption": "Page Number",
+ "description": "The page number of the document. See specific usage.",
+ "type": "integer_t"
+ },
"parent_folder": {
"caption": "Parent Folder",
"description": "The parent folder in which the file resides. For example: c:\\windows\\system32
",
@@ -3767,6 +3872,11 @@
"description": "The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.",
"type": "string_t"
},
+ "record_index_in_array": {
+ "caption": "Record Index in Array",
+ "description": "The index of the record in the array of records.",
+ "type": "integer_t"
+ },
"references": {
"caption": "References",
"description": "A list of reference URLs supporting the finding/detection.",
@@ -3841,6 +3951,7 @@
"reply_to": {
"caption": "Reply To",
"description": "The email header Reply-To values, as defined by RFC 5322.",
+ "references": [{"url": "https://www.rfc-editor.org/rfc/rfc5322", "description": "RFC 5322"}],
"type": "email_t"
},
"reputation": {
@@ -3941,6 +4052,11 @@
"description": "The risk score as reported by the event source.",
"type": "integer_t"
},
+ "row_number": {
+ "caption": "Row Number",
+ "description": "The row number. See specific usage.",
+ "type": "integer_t"
+ },
"rpc_interface": {
"caption": "Remote Procedure Call Interface",
"description": "The RPC Interface object describes the details pertaining to the remote procedure call interface.",
@@ -4031,11 +4147,50 @@
"description": "The unique identifier of the schedule associated with a scan job.",
"type": "string_t"
},
+ "scim": {
+ "caption": "SCIM",
+ "description": "The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in RFC-7634",
+ "references": [
+ {
+ "url": "https://datatracker.ietf.org/doc/html/rfc7643",
+ "description": "System for Cross-domain Identity Management (SCIM) RFC."
+ }
+ ],
+ "type": "scim"
+ },
+ "scim_group_schema": {
+ "caption": "SCIM Group Schema",
+ "description": "SCIM provides a schema for representing groups, identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:Group
as defined in RFC-7634. This attribute will capture key-value pairs for the scheme implemented in a SCIM resource.",
+ "references": [
+ {
+ "url": "https://datatracker.ietf.org/doc/html/rfc7643",
+ "description": "System for Cross-domain Identity Management (SCIM) RFC spec."
+ }
+ ],
+ "type": "json_t"
+ },
+ "scim_user_schema": {
+ "caption": "SCIM User Schema",
+ "description": "SCIM provides a resource type for user resources. The core schema for user is identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:User
as defined in RFC-7634. his attribute will capture key-value pairs for the scheme implemented in a SCIM resource. This object is inclusive of both the basic and Enterprise User Schema Extension.",
+ "references": [
+ {
+ "url": "https://datatracker.ietf.org/doc/html/rfc7643",
+ "description": "System for Cross-domain Identity Management (SCIM) RFC spec."
+ }
+ ],
+ "type": "json_t"
+ },
"scheme": {
"caption": "Scheme",
"description": "The scheme portion of the URL. For example: http
, https
, ftp
, or sftp
.",
"type": "string_t"
},
+ "scopes": {
+ "caption": "Scopes",
+ "description": "Scopes define the specific permissions or actions that the client is allowed to perform on behalf of the user. Each scope represents a different set of permissions, and the user can selectively grant or deny access to specific scopes during the authorization process.",
+ "is_array": true,
+ "type": "string_t"
+ },
"score": {
"caption": "Reputation Score",
"description": "The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source.",
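Review bot: the three SCIM descriptions cite "RFC-7634", but the `references` URLs point at RFC 7643, which is the SCIM Core Schema RFC; RFC 7634 is an unrelated IPsec document, so correct the text to RFC 7643 (and RFC 7644 if the protocol rather than the schema is meant). Also in this block: "his attribute will capture" in `scim_user_schema` is missing its leading "T"; "scheme implemented" should read "schema implemented" in both schema attributes; the reference descriptions alternate between "RFC." and "RFC spec."; and `scopes` describes OAuth-style delegated permissions without naming OAuth/OIDC, which matters because it sits beside SCIM and SSO attributes where "scope" has other meanings.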
@@ -4377,6 +4532,11 @@
"description": "The URL pointing towards the source of an entity. See specific usage.",
"type": "url_t"
},
+ "sso": {
+ "caption": "SSO",
+ "description": "The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.",
+ "type": "sso"
+ },
"standards": {
"caption": "Compliance Standards: List",
"description": "Compliance standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001
",
@@ -4520,6 +4680,11 @@
}
}
},
+ "storage_class":{
+ "caption": "Storage Class",
+ "description": "The storage class of the entity. See specific usage.",
+ "type": "string_t"
+ },
"stratum": {
"caption": "Stratum",
"description": "The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value.",
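Review bot: `"storage_class":{` is missing the space before `{` that every other entry in this file uses (`"stratum": {`); the same applies to `"vendor_attributes":{` later in the file. The description "The storage class of the entity" could name the kind of value expected (a provider storage tier such as a bucket's storage class) since the changelog ties it to the `cloud` profile on `file`.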
@@ -4716,6 +4881,7 @@
"to": {
"caption": "To",
"description": "The email header To values, as defined by RFC 5322.",
+ "references": [{"url": "https://www.rfc-editor.org/rfc/rfc5322", "description": "RFC 5322"}],
"type": "email_t",
"is_array": true
},
@@ -4838,11 +5004,6 @@
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "object"
},
- "unmanned_system_operator": {
- "caption": "Unmanned Systems Operator",
- "description": "The human or machine operator of an UAS",
- "type": "user"
- },
"untruncated_size": {
"caption": "Untruncated Size",
"description": "The size in bytes of an attribute before truncation. See specific usage.",
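Review bot: this hunk deletes the `unmanned_system_operator` dictionary attribute, but no CHANGELOG line in this patch records the removal, and removing a dictionary entry breaks any object or class that still references it; add a changelog entry (or deprecate it with `@deprecated`, as the other retirements in this patch do) and confirm nothing under `objects/` or `events/` still references `unmanned_system_operator`.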
@@ -4887,9 +5048,15 @@
},
"value": {
"caption": "Value",
- "description": "The value that pertains to the object. See specific usage.",
+ "description": "The value associated to an attribute. See specific usage.",
"type": "string_t"
},
+ "values": {
+ "caption": "Values",
+ "description": "An array of values associated to an attribute. See specific usage.",
+ "type": "string_t",
+ "is_array": true
+ },
"variable_name": {
"caption": "Variable Name",
"description": "The name of a variable. See specific usage.",
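Review bot: "associated to an attribute" in both `value` and `values` should be "associated with an attribute". The edit to `value` also changes the meaning of an existing attribute from "pertains to the object" to "associated with an attribute", which existing consumers of `value` will notice; if it is meant as a wording change only, keep the original sense, otherwise record it in the changelog under #1251 together with `values`.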
@@ -4905,6 +5072,11 @@
"description": "The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
.",
"type": "string_t"
},
+ "vendor_attributes":{
+ "caption": "Vendor Attributes",
+ "description": "The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-prodvided values and consumer-updated values, of key attributes like severity_id
.aws-isob
, Azure US DoD
, etc.",
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "container": {
+ "profile": null,
+ "description": "A cloud-based container image or running container discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "database": {
+ "description": "A cloud-based database discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "databucket": {
+ "description": "A cloud-based data bucket or other object storage discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "idp": {
+ "description": "The Identity Provider that is being discovered by an inventory process, or that is related to the cloud resource(s) being discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "region": {
+ "profile": null,
+ "description": "The cloud region where the resource is located, e.g., us-isof-south-1
, eastus2
, us-central1
, etc.",
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "resources": {
+ "caption": "Cloud Resources",
+ "description": "The cloud resource(s) that are being discovered by an inventory process. Use this object if there is not a direct object match in the class.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "table": {
+ "description": "A cloud-based database table discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "recommended"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "cloud",
+ "container",
+ "database",
+ "databucket",
+ "idp",
+ "resources",
+ "table"
+ ]
+ },
+ "profiles": [
+ "host"
+ ]
+}
\ No newline at end of file
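Review bot: "vendor-prodvided" in the `vendor_attributes` description is a typo for "vendor-provided". In the event-class attributes that follow, `container` and `region` set `"profile": null`, which detaches them from their profile; document why, because `profiles` for this class lists only `host` while the `at_least_one` constraint names `cloud`, `container` and `databucket`, so confirm every attribute in that constraint is reachable without an additional profile. `idp` is described as something that may be merely "related to the cloud resource(s) being discovered", yet it alone satisfies the `at_least_one` constraint; if an IdP by itself should not count as a discovered resource, drop it from the list. The file also ends without a trailing newline.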
diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
index 780dde1e0..1612a9e81 100644
--- a/events/findings/data_security_finding.json
+++ b/events/findings/data_security_finding.json
@@ -26,7 +26,11 @@
},
"4": {
"caption": "Suppressed",
- "description": "An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative."
+ "description": "An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative.",
+ "@deprecated": {
+ "message": "Use status_id
attribute instead.",
+ "since": "1.4.0"
+ }
}
}
},
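Review bot: the `@deprecated` message "Use status_id attribute instead." gives producers that emit activity `4` no migration path; name the `status_id` value that represents a suppressed finding, and consider prefixing the still-active `description` with "Deprecated:" so generated docs do not present "Suppressed" as a current activity. The `since` value `1.4.0` should match the release this changelog section will be published under.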
@@ -60,12 +64,12 @@
},
"database": {
"description": "Describes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data.",
- "group": "context",
+ "group": "primary",
"requirement": "recommended"
},
"databucket": {
"description": "Describes the databucket where classified or sensitive data is stored in, or was accessed from. The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
- "group": "context",
+ "group": "primary",
"requirement": "recommended"
},
"device": {
@@ -80,7 +84,7 @@
},
"file": {
"description": "Describes a file that contains classified or sensitive data.",
- "group": "context",
+ "group": "primary",
"requirement": "recommended"
},
"impact": {
@@ -102,9 +106,9 @@
"requirement": "recommended"
},
"resources": {
- "caption": "Affected Resources",
- "description": "Describes details about resources where classified or sensitive data is stored in, or was accessed from.",
- "group": "context",
+ "caption": "Additional Resources",
+ "description": "Describes details about additional resources, where classified or sensitive data is stored in, or was accessed from. You can populate this object, if the specific resource type objects available in the class ( Note: The two letter country code should be capitalized. For example: database, databucket, table, file
) aren't sufficient; OR
You can also choose to duplicate uid, name
of the specific resources objects, for a consistent access to resource uids across all findings.",
+ "group": "primary",
"requirement": "recommended"
},
"risk_details": {
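Review bot: the new `resources` description is a run-on with a misplaced clause: as shown it contains "Note: The two letter country code should be capitalized." which belongs to the `country` attribute and must be removed if it is actually in the file; the comma in "You can populate this object, if" is wrong; "OR" in capitals and "for a consistent access" should be lower-case "or" and "for consistent access". Suggested wording: "Describes additional resources where classified or sensitive data is stored or was accessed from. Populate this object when the specific resource objects in the class (`database`, `databucket`, `table`, `file`) are not sufficient, or duplicate the `uid` and `name` of those objects here for consistent access to resource identifiers across findings."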
@@ -128,14 +132,13 @@
"requirement": "optional"
},
"src_endpoint": {
- "caption": "Affected Resources",
"description": "Details about the source endpoint where classified or sensitive data was accessed from.",
"group": "context",
"requirement": "recommended"
},
"table": {
"description": "Describes the table where classified or sensitive data is stored in, or was accessed from. The table object represents a table within a structured relational database, warehouse, lake, or similar.",
- "group": "context",
+ "group": "primary",
"requirement": "recommended"
}
},
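Review bot: removing the stray "Affected Resources" caption from `src_endpoint` is a bug fix (the caption was copied from `resources`) but it has no entry in the Bugfixes section of the CHANGELOG; add one, and note the `context` to `primary` promotion of `database`, `databucket`, `file`, `table` and `resources` in the Improved section as well, since it changes how these attributes are grouped in generated documentation.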
diff --git a/events/findings/finding.json b/events/findings/finding.json
index aded567b1..cf0417739 100644
--- a/events/findings/finding.json
+++ b/events/findings/finding.json
@@ -93,6 +93,9 @@
"description": "The Finding was archived."
}
}
+ },
+ "vendor_attributes": {
+ "requirement": "optional"
}
},
"profiles": [
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index 45873ab2a..fbeba2ec6 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
@@ -140,6 +140,9 @@
"group": "context",
"requirement": "optional"
},
+ "vendor_attributes": {
+ "requirement": "optional"
+ },
"verdict": {
"group": "primary",
"requirement": "recommended"
diff --git a/events/network/email_activity.json b/events/network/email_activity.json
index ae87db42f..f37bf43bb 100644
--- a/events/network/email_activity.json
+++ b/events/network/email_activity.json
@@ -22,6 +22,10 @@
"3": {
"caption": "Scan",
"description": "Email being scanned (example: security scanning)"
+ },
+ "4": {
+ "caption": "Trace",
+ "description": "Follow an email message as it travels through an organization. For example: O365 Email Message Trace."
}
}
},
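Review bot: the `Trace` description "Follow an email message as it travels through an organization." is an imperative, while the sibling values use the passive form ("Email being scanned"); rephrase to "Email being traced as it travels through an organization (example: O365 Message Trace)" so the enum reads consistently.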
diff --git a/objects/certificate.json b/objects/certificate.json
index ce8249844..9426b5732 100644
--- a/objects/certificate.json
+++ b/objects/certificate.json
@@ -1,8 +1,9 @@
{
"caption": "Digital Certificate",
"name": "certificate",
+ "description": "The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity.",
"extends": "object",
- "description": "The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity. Defined by D3FEND d3f:Certificate.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Certificate/", "description": "D3FEND™ Ontology d3f:Certificate."}],
"attributes": {
"created_time": {
"description": "The time when the certificate was created.",
diff --git a/objects/classifier_details.json b/objects/classifier_details.json
new file mode 100644
index 000000000..fb679bc40
--- /dev/null
+++ b/objects/classifier_details.json
@@ -0,0 +1,20 @@
+{
+ "caption": "Classifier Details",
+ "description": "The Classifier Details object describes details about the classifier used for data classification.",
+ "extends": "object",
+ "name": "classifier_details",
+ "attributes": {
+ "name": {
+ "description": "The name of the classifier.",
+ "requirement": "recommended"
+ },
+ "type": {
+ "description": "The type of the classifier.",
+ "requirement": "required"
+ },
+ "uid": {
+ "description": "The unique identifier of the classifier.",
+ "requirement": "recommended"
+ }
+ }
+}
\ No newline at end of file
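Review bot: `type` is `required` here but the object has no `type_id` enum sibling, so its values are free text; if classifier types are an open set that is acceptable, but give one or two example values in the description so producers populate it consistently. The object is missing from the CHANGELOG Objects list, and the file lacks a trailing newline.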
diff --git a/objects/d3f_tactic.json b/objects/d3f_tactic.json
index 410eba9f2..30cd790f8 100644
--- a/objects/d3f_tactic.json
+++ b/objects/d3f_tactic.json
@@ -1,15 +1,18 @@
{
"caption": "MITRE D3FEND™ Tactic",
- "description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by D3FENDTM Matrix.",
- "extends": "_entity",
"name": "d3f_tactic",
+ "description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack",
+ "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
+ "extends": "_entity",
"attributes": {
"name": {
- "description": "The tactic name that is associated with the defensive technique, as defined by D3FENDTM Matrix. For example: Isolate
.",
+ "description": "The tactic name that is associated with the defensive technique. For example: Isolate
.",
+ "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
"requirement" : "optional"
},
"src_url": {
- "description": "The versioned permalink of the defensive tactic, as defined by D3FENDTM Matrix. For example: https://d3fend.mitre.org/tactic/d3f:Isolate/
.",
+ "description": "The versioned permalink of the defensive tactic. For example: https://d3fend.mitre.org/tactic/d3f:Isolate/
.",
+ "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
"requirement" : "optional"
}
}
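Review bot: the rewritten object-level description ends without a period ("associated to an attack"), and "associated to" should be "associated with" here and in the `d3f_technique` and `d3fend` hunks. The same `references` entry is repeated on the object and on each attribute; the object-level one suffices unless the attribute-level entries point at attribute-specific pages. `"requirement" : "optional"` has a space before the colon, unlike the rest of the schema.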
diff --git a/objects/d3f_technique.json b/objects/d3f_technique.json
index 75d70d243..d138f296c 100644
--- a/objects/d3f_technique.json
+++ b/objects/d3f_technique.json
@@ -1,18 +1,22 @@
{
"caption": "MITRE DEFEND™ Technique",
- "description": "The MITRE DEFEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure, as defined by D3FENDTM Matrix.",
- "extends": "_entity",
"name": "d3f_technique",
+ "description": "The MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure.",
+ "references": [{"url": "href='https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
+ "extends": "_entity",
"attributes": {
"name": {
- "description": "The name of the defensive technique, as defined by D3FENDTM Matrix. For example: IO Port Restriction
."
+ "description": "The name of the defensive technique. For example: IO Port Restriction
.",
+ "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}]
},
"src_url": {
- "description": "The versioned permalink of the defensive technique, as defined by D3FENDTM Matrix. For example: https://d3fend.mitre.org/technique/d3f:IOPortRestriction/
.",
+ "description": "The versioned permalink of the defensive technique. For example: https://d3fend.mitre.org/technique/d3f:IOPortRestriction/
.",
+ "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
"requirement" : "optional"
},
"uid": {
- "description": "The unique identifier of the defensive technique, as defined by D3FENDTM Matrix. For example: D3-IOPR
."
+ "description": "The unique identifier of the defensive technique. For example: D3-IOPR
.",
+ "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}]
}
}
}
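Review bot: the object-level `references` URL is malformed: `"url": "href='https://d3fend.mitre.org"` carries a stray `href='` prefix, so the rendered link will not resolve; it should read `"url": "https://d3fend.mitre.org"` exactly like the three attribute-level references below it. While here, the `caption` still says `MITRE DEFEND™ Technique` although the description on the next line was corrected to `D3FEND™`; the caption should get the same fix.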
\ No newline at end of file
diff --git a/objects/d3fend.json b/objects/d3fend.json
index fbfccf3fd..44c00c04b 100644
--- a/objects/d3fend.json
+++ b/objects/d3fend.json
@@ -1,19 +1,20 @@
{
"caption": "MITRE D3FEND™",
"name": "d3fend",
- "description": "The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure as defined in DEFEND MatrixTM.",
+ "description": "The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure.",
+ "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
"extends": "object",
"attributes": {
"d3f_tactic": {
- "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure, as defined by D3FEND MatrixTM.",
+ "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure.",
"requirement": "recommended"
},
"d3f_technique": {
- "description": "The Defend Technique object describes the technique ID and/or name associated with a countermeasure, as defined by D3FEND MatrixTM.",
+ "description": "The Technique object describes the technique ID and/or name associated with a countermeasure.",
"requirement": "recommended"
},
"version": {
- "description": "The D3FEND MatrixTM version.",
+ "description": "The D3FEND™ Matrix version.",
"requirement": "recommended"
}
},
diff --git a/objects/data_classification.json b/objects/data_classification.json
index c76a944b3..4ed70aa8f 100644
--- a/objects/data_classification.json
+++ b/objects/data_classification.json
@@ -10,6 +10,7 @@
},
"category_id": {
"description": "The normalized identifier of the data classification category.",
+ "requirement": "recommended",
"enum": {
"0": {
"caption": "Unknown",
@@ -43,7 +44,9 @@
"caption": "Other",
"description": "Any other type of data classification or a multi-variate classification made up of several other classification categories."
}
- },
+ }
+ },
+ "classifier_details": {
"requirement": "recommended"
},
"confidentiality": {
@@ -52,9 +55,62 @@
"confidentiality_id": {
"requirement": "recommended"
},
+ "discovery_details": {
+ "description": "Details about the data discovered by classification job.",
+ "requirement": "optional"
+ },
"policy": {
"description": "Details about the data policy that governs data handling and security measures related to classification.",
"requirement": "optional"
+ },
+ "size": {
+ "description": "Size of the data classified.",
+ "requirement": "optional"
+ },
+ "src_url": {
+ "description": "The source URL pointing towards the full classifcation job details.",
+ "requirement": "optional"
+ },
+ "status": {
+ "description": "The resultant status of the classification job normalized to the caption of the status_id
value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "recommended"
+ },
+ "status_details": {
+ "description": "The contextual description of the status, status_id
value.",
+ "requirement": "optional"
+ },
+ "status_id": {
+ "description": "The normalized status identifier of the classification job.",
+ "requirement": "recommended",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Complete",
+ "description": "The classification job completed for the evaluated resource."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The classification job partially completed for the evaluated resource."
+ },
+ "3": {
+ "caption": "Fail",
+ "description": "The classification job failed for the evaluated resource."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The classification job type id is not mapped."
+ }
+ }
+ },
+ "total": {
+ "description": "The total count of discovered entities, by the classification job.",
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "The unique identifier of the classification job.",
+ "requirement": "optional"
}
},
"constraints": {
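Review bot: two wording defects in the new attributes: `src_url` has a typo (`classifcation` should be `classification`), and the `status_id` enum entry `99` describes `The classification job type id is not mapped.`, which talks about a type id although this is a status enum; it should mirror the other `Other` entries in this patch, e.g. `The classification job status is not mapped. See the status attribute, which contains a data source specific value.` The `0: Unknown` entry is also the only one without a `description`.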
diff --git a/objects/databucket.json b/objects/databucket.json
index 2dfa32d1a..2b133c578 100644
--- a/objects/databucket.json
+++ b/objects/databucket.json
@@ -1,11 +1,8 @@
{
"caption": "Databucket",
"description": "The databucket object is a basic container that holds data, typically organized through the use of data partitions.",
- "extends": "_entity",
+ "extends": "resource_details",
"name": "databucket",
- "profiles": [
- "data_classification"
- ],
"attributes": {
"$include": [
"profiles/data_classification.json"
@@ -14,31 +11,42 @@
"description": "The time when the databucket was known to have been created.",
"requirement": "optional"
},
- "modified_time": {
- "description": "The most recent time when any changes, updates, or modifications were made within the databucket.",
- "requirement": "optional"
- },
"desc": {
"caption": "Description",
"description": "The description of the databucket.",
"requirement": "optional"
},
- "size": {
- "description": "The size of the databucket in bytes.",
+ "encryption_details": {
+ "description": "The encryption details of the databucket. Should be populated if the databucket is encrypted.",
"requirement": "optional"
},
"file": {
- "description": "A file within a databucket.",
+ "description": "Details about the file/object within a databucket.",
"requirement": "optional"
},
"groups": {
"description": "The group names to which the databucket belongs.",
"requirement": "optional"
},
+ "is_encrypted": {
+ "description": "Indicates if the databucket is encrypted.",
+ "requirement": "optional"
+ },
"is_public": {
"description": "Indicates if the databucket is publicly accessible.",
"requirement": "recommended"
},
+ "modified_time": {
+ "description": "The most recent time when any changes, updates, or modifications were made within the databucket.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The databucket name."
+ },
+ "size": {
+ "description": "The size of the databucket in bytes.",
+ "requirement": "optional"
+ },
"type": {
"description": "The databucket type.",
"requirement": "recommended"
@@ -64,11 +72,11 @@
}
}
},
- "name": {
- "description": "The databucket name."
- },
"uid": {
"description": "The unique identifier of the databucket."
}
- }
-}
+ },
+ "profiles": [
+ "data_classification"
+ ]
+}
\ No newline at end of file
diff --git a/objects/dce_rpc.json b/objects/dce_rpc.json
index 6074e1580..22e22cd2e 100644
--- a/objects/dce_rpc.json
+++ b/objects/dce_rpc.json
@@ -1,7 +1,8 @@
{
"caption": "DCE/RPC",
"name": "dce_rpc",
- "description": "The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments. Defined by D3FEND d3f:RemoteProcedureCall.",
+ "description": "The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:RemoteProcedureCall/", "description": "D3FEND™ Ontology d3f:RemoteProcedureCall."}],
"extends": "object",
"attributes": {
"command": {
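Review bot: the reference `description` here ends with a period (`D3FEND™ Ontology d3f:RemoteProcedureCall.`), as do the ones added in `device.json`, `dns_query.json` and `email.json`, while the same kind of entry in `file.json`, `image.json`, `kernel.json` and the rest of this patch has none; pick one form, since these strings render side by side in the generated reference.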
diff --git a/objects/device.json b/objects/device.json
index 1aa80eba6..d569f80ae 100644
--- a/objects/device.json
+++ b/objects/device.json
@@ -1,8 +1,9 @@
{
"caption": "Device",
- "description": "The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.",
- "extends": "endpoint",
"name": "device",
+ "description": "The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Host/", "description": "D3FEND™ Ontology d3f:Host."}],
+ "extends": "endpoint",
"attributes": {
"autoscale_uid": {
"requirement": "optional"
@@ -29,7 +30,7 @@
"requirement": "optional"
},
"groups": {
- "description": "The group names to which the device belongs. For example: [\"Windows Laptops\", \"Engineering\"]
.",
+ "description": "The group names to which the device belongs. For example:
[\"Windows Laptops\", \"Engineering\"]
.",
"requirement": "optional"
},
"hostname": {
diff --git a/objects/discovery_details.json b/objects/discovery_details.json
new file mode 100644
index 000000000..a02e03cab
--- /dev/null
+++ b/objects/discovery_details.json
@@ -0,0 +1,24 @@
+{
+ "caption": "Discovery Details",
+ "description": "The Discovery Details object describes results of a discovery task/job.",
+ "extends": "object",
+ "name": "discovery_details",
+ "attributes": {
+ "count": {
+ "description": "The number of discovered entities of the specified type.",
+ "requirement": "recommended"
+ },
+ "occurrence_details":{
+ "description": "Details about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populuated.",
+ "requirement": "optional"
+ },
+ "type": {
+ "description": "The specific type of information that was discovered. e.g. name, phone_number, etc.
",
+ "requirement": "recommended"
+ },
+ "value": {
+ "description": "Optionally, the specific value of discovered information.",
+ "requirement": "optional"
+ }
+ }
+}
\ No newline at end of file
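Review bot: `populuated` in the `occurrence_details` description is a typo for `populated` (the same typo is in `occurrence_details.json`), and the two sentences read better without the stray commas: `Details about where in the target entity the specified information was discovered. Only the attributes relevant to the target entity type should be populated.` Style: `"occurrence_details":{` is missing the space before the brace that every other attribute key in this file has.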
diff --git a/objects/dns_query.json b/objects/dns_query.json
index 726b885dd..cd95c10ac 100644
--- a/objects/dns_query.json
+++ b/objects/dns_query.json
@@ -2,7 +2,8 @@
"caption": "DNS Query",
"name": "dns_query",
"extends": "_dns",
- "description": "The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX). Defined by D3FEND d3f:DNSLookup.",
+ "description": "The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX).",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:DNSLookup/", "description": "D3FEND™ Ontology d3f:DNSLookup."}],
"attributes": {
"hostname": {
"description": "The hostname or domain being queried. For example: www.example.com
",
diff --git a/objects/email.json b/objects/email.json
index dd972f9da..c81e6391b 100644
--- a/objects/email.json
+++ b/objects/email.json
@@ -1,7 +1,8 @@
{
"caption": "Email",
- "description": "The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.",
"name": "email",
+ "description": "The Email object describes the email metadata such as sender, recipients, and direction.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Email/", "description": "D3FEND™ Ontology d3f:Email."}],
"extends": "object",
"observable": 22,
"profiles": [
@@ -45,6 +46,7 @@
"subject": {
"caption": "Subject",
"description": "The email header Subject value, as defined by RFC 5322.",
+ "references": [{"url": "https://www.rfc-editor.org/rfc/rfc5322", "description": "RFC 5322"}],
"requirement": "recommended"
},
"to": {
diff --git a/objects/encryption_details.json b/objects/encryption_details.json
new file mode 100644
index 000000000..b27119664
--- /dev/null
+++ b/objects/encryption_details.json
@@ -0,0 +1,58 @@
+{
+ "caption": "Encryption Details",
+ "description": "Details about the encrytpion methodology utilized.",
+ "extends": "object",
+ "name": "encryption_details",
+ "attributes": {
+ "key_length": {
+ "caption": "Encryption Key Length",
+ "description": "The length of the encryption key used.",
+ "requirement": "optional"
+ },
+ "key_uid": {
+ "description": "The unique identifier of the key used for encrpytion. For example, AWS KMS Key ARN.",
+ "requirement": "optional"
+ },
+ "type": {
+ "caption": "Encryption Type",
+ "description": "The type of the encryption used.",
+ "requirement": "recommended"
+ },
+ "algorithm": {
+ "caption": "Encryption Algorithm",
+ "description": "The encryption algorithm used, normalized to the caption of 'algorithm_id",
+ "requirement": "optional"
+ },
+ "algorithm_id": {
+ "caption": "Encryption Algorithm ID",
+ "description": "The encryption algorithm used.",
+ "requirement": "recommended",
+ "enum": {
+ "1": {
+ "caption": "DES",
+ "description": "Data Encryption Standard Algorithm"
+ },
+ "2": {
+ "caption": "TripleDES",
+ "description": "Triple Data Encryption Standard Algorithm"
+ },
+ "3": {
+ "caption": "AES",
+ "description": "Advanced Encryption Standard Algorithm."
+ },
+ "4": {
+ "caption": "RSA",
+ "description": "Rivest-Shamir-Adleman Algorithm"
+ },
+ "5": {
+ "caption": "ECC",
+ "description": "Elliptic Curve Cryptography Algorithm"
+ },
+ "6": {
+ "caption": "SM2",
+ "description": "ShangMi Cryptographic Algorithm"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
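Review bot: the `algorithm_id` enum has neither a `0: Unknown` nor a `99: Other` entry, so a source reporting an algorithm outside DES/TripleDES/AES/RSA/ECC/SM2 has no valid value to emit, and the `algorithm` description (`normalized to the caption of 'algorithm_id`) has no fallback to point at; add both entries and finish that sentence, which is also missing its closing quote, its period and the usual `In the case of 'Other', it is defined by the event source.` Separately: `encrytpion` and `encrpytion` are typos for `encryption`, `key_length` should state its unit (bits), and `type` (`The type of the encryption used.`) gives an implementer no hint of the expected values.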
diff --git a/objects/endpoint.json b/objects/endpoint.json
index 1bc85992e..53b4b57c9 100644
--- a/objects/endpoint.json
+++ b/objects/endpoint.json
@@ -1,8 +1,8 @@
{
"caption": "Endpoint",
+ "name": "endpoint",
"description": "The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints.",
"extends": "_entity",
- "name": "endpoint",
"observable": 20,
"profiles": [
"container"
diff --git a/objects/file.json b/objects/file.json
index bafaf9ef8..c01680bc0 100644
--- a/objects/file.json
+++ b/objects/file.json
@@ -1,8 +1,9 @@
{
"caption": "File",
- "observable": 24,
"name": "file",
- "description": "The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND d3f:File.",
+ "observable": 24,
+ "description": "The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.",
+ "references": [{"url": "https://next.d3fend.mitre.org/dao/artifact/d3f:File/", "description": "D3FEND™ Ontology d3f:File"}],
"extends": "_entity",
"profiles": [
"data_classification"
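Review bot: the `references` URL uses the `https://next.d3fend.mitre.org/...` host while every other D3FEND reference added in this patch points at `https://d3fend.mitre.org/...`; unless the `next.` host is deliberate, change it to `https://d3fend.mitre.org/dao/artifact/d3f:File/` so the links do not break when that staging site moves.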
@@ -41,6 +42,10 @@
"description": "The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.",
"requirement": "optional"
},
+ "encryption_details": {
+ "description": "The encryption details of the file. Should be populated if the file is encrypted.",
+ "requirement": "optional"
+ },
"ext": {
"caption": "File Extension",
"description": "The extension of the file, excluding the leading dot. For example: exe
from svchost.exe
, or gz
from export.tar.gz
.",
@@ -53,9 +58,18 @@
"description": "Indicates if the file was deleted from the filesystem.",
"requirement": "optional"
},
+ "is_encrypted": {
+ "description": "Indicates if the file is encrypted.",
+ "requirement": "optional"
+ },
"is_system": {
"requirement": "optional"
},
+ "is_public":{
+ "description": "Indicates if the file is publicly accessible. For example in an object's public access in AWS S3",
+ "requirement": "optional",
+ "profile": "cloud"
+ },
"mime_type": {
"requirement": "optional"
},
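Review bot: the `is_public` description `For example in an object's public access in AWS S3` is an incomplete sentence with no terminating period; suggest `Indicates if the file is publicly accessible. For example, an object with public access in AWS S3.` Style: `"is_public":{` lacks the space before the brace used by the neighbouring keys.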
@@ -95,6 +109,15 @@
"size": {
"requirement": "optional"
},
+ "storage_class":{
+ "description": "The storage class of the file. For example in AWS S3: STANDARD, STANDARD_IA, GLACIER
.",
+ "requirement": "optional",
+ "profile": "cloud"
+ },
+ "tags":{
+ "description": "The list of tags; {key:value}
pairs associated to the file.",
+ "requirement": "optional"
+ },
"type": {
"description": "The file type.",
"requirement": "optional"
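Review bot: `"storage_class":{` and `"tags":{` are missing the space before the brace that the rest of this file uses, and the `tags` description (`The list of tags; {key:value} pairs associated to the file.`) would read better with a comma or a rephrase such as `The list of tags, as {key:value} pairs, associated to the file.`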
diff --git a/objects/fingerprint.json b/objects/fingerprint.json
index 4e5e847ba..2830935d8 100644
--- a/objects/fingerprint.json
+++ b/objects/fingerprint.json
@@ -6,7 +6,7 @@
"observable": 30,
"attributes": {
"algorithm": {
- "description": "The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.",
+ "description": "The hash algorithm used to create the digital fingerprint, normalized to the caption of algorithm_id
. In the case of Other
, it is defined by the event source.",
"requirement": "optional"
},
"algorithm_id": {
diff --git a/objects/idp.json b/objects/idp.json
index 5cc398f7e..017c5c578 100644
--- a/objects/idp.json
+++ b/objects/idp.json
@@ -4,11 +4,89 @@
"extends": "_entity",
"name": "idp",
"attributes": {
+ "auth_factors": {
+ "description": "The Authentication Factors object describes the different types of Multi-Factor Authentication (MFA) methods and/or devices supported by the Identity Provider.",
+ "requirement": "optional"
+ },
"name": {
- "description":"The name of the identity provider."
+ "description": "The name of the Identity Provider.",
+ "requirement": "recommended"
+ },
+ "domain": {
+ "description": "The primary domain associated with the Identity Provider.",
+ "requirement": "optional"
+ },
+ "fingerprint": {
+ "caption": "Certificate Fingerprint",
+ "description": "The fingerprint of the X.509 certificate used by the Identity Provider.",
+ "requirement": "optional"
+ },
+ "has_mfa": {
+ "caption": "MFA Enforced",
+ "description": "The Identity Provider enforces Multi Factor Authentication (MFA).",
+ "requirement": "optional"
+ },
+ "issuer": {
+ "description": "The unique identifier (often a URL) used by the Identity Provider as its issuer.",
+ "requirement": "optional"
+ },
+ "protocol_name": {
+ "caption": "Supported Protocol",
+ "description": "The supported protocol of the Identity Provider. E.g., SAML
, OIDC
, or OAuth2
.",
+ "requirement": "optional"
+ },
+ "scim": {
+ "requirement": "optional"
+ },
+ "sso": {
+ "requirement": "optional"
+ },
+ "state": {
+ "description": "The configuration state of the Identity Provider, normalized to the caption of the state_id
value. In the case of Other
, it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "state_id": {
+ "description": "The normalized state ID of the Identity Provider to reflect its configuration or activation status.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The configuration state of the Identity Provider is unknown."
+ },
+ "1": {
+ "caption": "Active",
+ "description": "The Identity Provider is in an Active state, or otherwise enabled."
+ },
+ "2": {
+ "caption": "Suspended",
+ "description": "The Identity Provider is in a Suspended state."
+ },
+ "3": {
+ "caption": "Deprecated",
+ "description": "The Identity Provider is in a Deprecated state, or is otherwise disabled."
+ },
+ "4": {
+ "caption": "Deleted",
+ "description": "The Identity Provider is in a Deleted state."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The configuration state of the Identity Provider is not mapped. See the state
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional"
+ },
+ "tenant_uid": {
+ "description": "The tenant ID associated with the Identity Provider.",
+ "requirement": "optional"
},
"uid": {
- "description":"The unique identifier of the identity provider."
+ "description": "The unique identifier of the Identity Provider.",
+ "requirement": "recommended"
+ },
+ "url_string": {
+ "caption": "Configuration URL",
+ "description": "The URL for accessing the configuration or metadata of the Identity Provider.",
+ "requirement": "optional"
}
}
}
\ No newline at end of file
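Review bot: `name` is inserted between `auth_factors` and `domain`, breaking the alphabetical attribute order the rest of this block follows; it belongs after `issuer`. The `has_mfa` description `The Identity Provider enforces Multi Factor Authentication (MFA).` is phrased as a statement rather than as the meaning of a boolean; write it like the other flags in this patch, e.g. `Indicates whether the Identity Provider enforces Multi-Factor Authentication (MFA).`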
diff --git a/objects/image.json b/objects/image.json
index ab9645a74..d77189ba3 100644
--- a/objects/image.json
+++ b/objects/image.json
@@ -1,8 +1,9 @@
{
"caption": "Image",
- "description": "The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.",
- "extends": "_entity",
"name": "image",
+ "description": "The Image object provides a description of a specific Virtual Machine (VM) or Container image.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:ContainerImage/", "description": "D3FEND™ Ontology d3f:ContainerImage"}],
+ "extends": "_entity",
"attributes": {
"labels": {
"description": "The list of labels associated to the image.",
diff --git a/objects/kernel.json b/objects/kernel.json
index dc43e9555..acc2cd793 100644
--- a/objects/kernel.json
+++ b/objects/kernel.json
@@ -1,8 +1,9 @@
{
"caption": "Kernel Resource",
- "description": "The Kernel Resource object provides information about a specific kernel resource, including its name and type. It describes essential attributes associated with a resource managed by the kernel of an operating system. Defined by D3FEND d3f:Kernel.",
- "extends": "object",
"name": "kernel",
+ "description": "The Kernel Resource object provides information about a specific kernel resource, including its name and type. It describes essential attributes associated with a resource managed by the kernel of an operating system.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Kernel/", "description": "D3FEND™ Ontology d3f:Kernel"}],
+ "extends": "object",
"attributes": {
"is_system": {
"requirement": "optional"
diff --git a/objects/kernel_driver.json b/objects/kernel_driver.json
index 0b82f70df..ab0c0b29c 100644
--- a/objects/kernel_driver.json
+++ b/objects/kernel_driver.json
@@ -1,7 +1,8 @@
{
"caption": "Kernel Extension",
"name": "kernel_driver",
- "description": "The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel. Defined by D3FEND d3f:KernelModule.",
+ "description": "The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:KernelModule/", "description": "D3FEND™ Ontology d3f:KernelModule"}],
"extends": "object",
"attributes": {
"file": {
diff --git a/objects/key_value_object.json b/objects/key_value_object.json
index 9ac63c991..527323b31 100644
--- a/objects/key_value_object.json
+++ b/objects/key_value_object.json
@@ -10,7 +10,17 @@
},
"value": {
"description": "The value associated to the key.",
- "requirement": "required"
+ "requirement": "optional"
+ },
+ "values": {
+ "description": "Optionall, the values associated to the key. You can populate this attribute, when you have multiple values for the same key.",
+ "requirement": "optional"
}
+ },
+ "constraints": {
+ "at_least_one": [
+ "value",
+ "values"
+ ]
}
}
\ No newline at end of file
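Review bot: `Optionall` in the `values` description is a typo for `Optionally`, and the second sentence has a stray comma (`You can populate this attribute, when you have...`); suggest `Optionally, the values associated to the key. Populate this attribute when there are multiple values for the same key.` Relaxing `value` to `optional` together with the `at_least_one` constraint is the right pairing.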
diff --git a/objects/location.json b/objects/location.json
index f4ca0caed..d06feb941 100644
--- a/objects/location.json
+++ b/objects/location.json
@@ -1,9 +1,9 @@
{
- "observable": 26,
"caption": "Geo Location",
- "description": "The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.",
- "extends": "object",
"name": "location",
+ "observable": 26,
+ "description": "The Geo Location object describes a geographical location, usually associated with an IP address.",
+ "extends": "object",
"attributes": {
"aerial_height": {
"requirement": "optional"
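Review bot: dropping `Defined by D3FEND d3f:PhysicalLocation.` from the description without adding a `references` entry loses the D3FEND link altogether; every other file in this patch that removes that sentence adds a reference, so following the same pattern this one should get `"references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:PhysicalLocation/", "description": "D3FEND™ Ontology d3f:PhysicalLocation"}]`.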
@@ -59,7 +59,8 @@
"requirement": "optional"
},
"region": {
- "description": "The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US.",
+ "description": "The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. For example, 'CH-VD' for the Canton of Vaud, Switzerland",
+ "references": [{"url": "https://www.iso.org/iso-3166-country-codes.html", "description": "ISO Region Codes"}, {"url": "https://www.iso.org/obp/ui/#iso:code:3166:US", "description": "U.S. Region Codes"}],
"requirement": "optional"
}
},
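Review bot: the rewritten `region` description drops both the standard name (ISO 3166-2) and the three-character limit that the old text stated, and the new reference labelled `ISO Region Codes` points at the general ISO 3166 country-codes page; keep `as defined by ISO 3166-2` in the description and add the missing period after the `'CH-VD'` example.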
diff --git a/objects/metadata.json b/objects/metadata.json
index c33b599fe..2f15baee0 100644
--- a/objects/metadata.json
+++ b/objects/metadata.json
@@ -1,8 +1,9 @@
{
"caption": "Metadata",
- "description": "The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.",
- "extends": "object",
"name": "metadata",
+ "description": "The Metadata object describes the metadata associated with the event.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Metadata/", "description": "D3FEND™ Ontology d3f:Metadata"}],
+ "extends": "object",
"attributes": {
"$include": [
"profiles/data_classification.json"
diff --git a/objects/network_connection_info.json b/objects/network_connection_info.json
index efcf302dd..c9f0112da 100644
--- a/objects/network_connection_info.json
+++ b/objects/network_connection_info.json
@@ -1,8 +1,9 @@
{
"caption": "Network Connection Information",
- "description": "The Network Connection Information object describes characteristics of an OSI Transport Layer communication, including TCP and UDP. Defined by D3FEND d3f:NetworkSession.",
- "extends": "object",
"name": "network_connection_info",
+ "description": "The Network Connection Information object describes characteristics of an OSI Transport Layer communication, including TCP and UDP.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/", "description": "D3FEND™ Ontology d3f:NetworkSession"}],
+ "extends": "object",
"attributes": {
"boundary": {
"requirement": "optional"
diff --git a/objects/network_proxy.json b/objects/network_proxy.json
index 3c21700c1..2aa92418b 100644
--- a/objects/network_proxy.json
+++ b/objects/network_proxy.json
@@ -1,7 +1,8 @@
{
"caption": "Network Proxy Endpoint",
"name": "network_proxy",
- "description": "The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource. Defined by D3FEND d3f:ProxyServer.",
+ "description": "The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:ProxyServer/", "description": "D3FEND™ Ontology d3f:ProxyServer"}],
"extends": "network_endpoint",
"attributes": {
}
diff --git a/objects/network_traffic.json b/objects/network_traffic.json
index 49fe4674b..9adb1e8e7 100644
--- a/objects/network_traffic.json
+++ b/objects/network_traffic.json
@@ -1,8 +1,9 @@
{
"caption": "Network Traffic",
- "description": "The Network Traffic object describes characteristics of network traffic. Network traffic refers to data moving across a network at a given point of time. Defined by D3FEND d3f:NetworkTraffic.",
- "extends": "object",
"name": "network_traffic",
+ "description": "The Network Traffic object describes characteristics of network traffic. Network traffic refers to data moving across a network at a given point of time.",
+ "references": [{"description": "D3FEND™ Ontology d3f:NetworkTraffic", "url": "https://d3fend.mitre.org/dao/artifact/d3f:NetworkTraffic/"}],
+ "extends": "object",
"attributes": {
"bytes": {
"requirement": "recommended"
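Review bot: the reference object here lists `description` before `url`, whereas every other `references` entry in this patch puts `url` first; harmless to parsers, but worth aligning so the files stay diff-friendly.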
diff --git a/objects/occurrence_details.json b/objects/occurrence_details.json
new file mode 100644
index 000000000..4af035d34
--- /dev/null
+++ b/objects/occurrence_details.json
@@ -0,0 +1,57 @@
+{
+ "caption": "Occurrence Details",
+ "description": "Details about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populuated.",
+ "extends": "object",
+ "name": "occurrence_details",
+ "attributes": {
+ "cell_name": {
+ "description": "The cell name/reference in a spreadsheet. e.g A2
",
+ "requirement": "optional"
+ },
+ "column_name": {
+ "description": "The column name in a spreadsheet, where the information was discovered.",
+ "requirement": "optional"
+ },
+ "column_number": {
+ "description": "The column number in a spreadsheet or a plain text document, where the information was discovered.",
+ "requirement": "optional"
+ },
+ "end_line": {
+ "description": "The line number of the last line of the file, where the information was discovered.",
+ "requirement": "optional"
+ },
+ "json_path": {
+ "description": "The JSON path of the attribute in a json record, where the information was discovered",
+ "requirement": "optional"
+ },
+ "page_number": {
+ "description": "The page number in a document, where the information was discovered.",
+ "requirement": "optional"
+ },
+ "record_index_in_array": {
+ "description": "The index of the record in the array of records, where the information was discovered. e.g. the index of a record in an array of JSON records in a file.",
+ "requirement": "optional"
+ },
+ "row_number": {
+ "description": "The row number in a spreadsheet, where the information was discovered.",
+ "requirement": "optional"
+ },
+ "start_line": {
+ "description": "The line number of the first line of the file, where the information was discovered.",
+ "requirement": "optional"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "cell_name",
+ "column_name",
+ "column_number",
+ "end_line",
+ "json_path",
+ "page_number",
+ "record_index_in_array",
+ "row_number",
+ "start_line"
+ ]
+ }
+}
\ No newline at end of file
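Review bot: `start_line` and `end_line` are described as `The line number of the first/last line of the file, where the information was discovered`, which reads as the first and last line of the whole file rather than of the matched span; suggest `The line number of the first line in the file at which the information was discovered.` and the equivalent for the last line. Also `populuated` in the object description is a typo for `populated`, and the `json_path` description is missing its period.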
diff --git a/objects/os.json b/objects/os.json
index ab3b097e0..ac279fb59 100644
--- a/objects/os.json
+++ b/objects/os.json
@@ -1,14 +1,16 @@
{
"caption": "Operating System (OS)",
- "description": "The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.",
- "extends": "object",
"name": "os",
+ "description": "The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:OperatingSystem/", "description": "D3FEND™ Ontology d3f:OperatingSystem"}],
+ "extends": "object",
"attributes": {
"build": {
"requirement": "optional"
},
"country": {
- "description": "The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.",
+ "references": [{"url": "https://www.iso.org/obp/ui/#iso:pub:PUB500001:en", "description": "ISO 3166-1 alpha-2 codes"}],
+ "description": "The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code).US
or CA
.auth_protocol_id
. In the case of Other
, it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "auth_protocol_id": {
+ "description": "The normalized identifier of the authorization protocol used by the SCIM resource.",
+ "requirement": "optional"
+ },
+ "created_time": {
+ "description": "When the SCIM resource was added to the service provider.",
+ "requirement": "optional"
+ },
+ "error_message": {
+ "caption": "Last Error Message",
+ "description": "Message or code associated with the last encountered error.",
+ "requirement": "optional"
+ },
+ "is_group_provisioning_enabled": {
+ "caption": "SCIM Group Provisioning Enabled",
+ "description": "Indicates whether the SCIM resource is configured to provision groups, automatically or otherwise.",
+ "requirement": "optional"
+ },
+ "is_user_provisioning_enabled": {
+ "caption": "SCIM User Provisioning Enabled",
+ "description": "Indicates whether the SCIM resource is configured to provision users, automatically or otherwise.",
+ "requirement": "optional"
+ },
+ "last_run_time": {
+ "caption": "Last Sync Time",
+ "description": "Timestamp of the most recent successful synchronization.",
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The most recent time when the SCIM resource was updated at the service provider.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The name of the SCIM resource.",
+ "requirement": "recommended"
+ },
+ "protocol_name": {
+ "caption": "Supported Protocol",
+ "description": "The supported protocol for the SCIM resource. E.g., SAML
, OIDC
, or OAuth2
.",
+ "requirement": "optional"
+ },
+ "rate_limit": {
+ "description": "Maximum number of requests allowed by the SCIM resource within a specified time frame to avoid throttling.",
+ "requirement": "optional"
+ },
+ "scim_group_schema": {
+ "requirement": "recommended"
+ },
+ "scim_user_schema": {
+ "requirement": "recommended"
+ },
+ "state": {
+ "description": "The provisioning state of the SCIM resource, normalized to the caption of the state_id
value. In the case of Other
, it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "state_id": {
+ "description": "The normalized state ID of the SCIM resource to reflect its activation status.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The provisioning state of the SCIM resource is unknown."
+ },
+ "1": {
+ "caption": "Pending",
+ "description": "The SCIM resource is Pending activation or creation."
+ },
+ "2": {
+ "caption": "Active",
+ "description": "The SCIM resource is in an Active state, or otherwise enabled."
+ },
+ "3": {
+ "caption": "Failed",
+ "description": "The SCIM resource is in a Failed state."
+ },
+ "4": {
+ "caption": "Deleted",
+ "description": "The SCIM resource is in a Deleted state, or otherwise disabled."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The provisioning state of the SCIM resource is not mapped. See the state
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional"
+ },
+ "vendor_name": {
+ "caption": "Service Provider",
+ "description": "Name of the vendor or service provider implementing SCIM. E.g., Okta
, Auth0
, Microsoft
.",
+ "requirement": "optional"
+ },
+ "version": {
+ "caption": "SCIM Version",
+ "description": "SCIM protocol version supported e.g., SCIM 2.0
.",
+ "requirement": "recommended"
+ },
+ "uid": {
+ "description": "A unique identifier for a SCIM resource as defined by the service provider.",
+ "requirement": "recommended"
+ },
+ "uid_alt": {
+ "caption": "External ID",
+ "description": "A String that is an identifier for the resource as defined by the provisioning client. The externalId
may simplify identification of a resource between the provisioning client and the service provider by allowing the client to use a filter to locate the resource with an identifier from the provisioning domain, obviating the need to store a local mapping between the provisioning domain's identifier of the resource and the identifier used by the service provider.",
+ "requirement": "optional"
+ },
+ "url_string": {
+ "caption": "SCIM Endpoint URL",
+ "description": "The primary URL for SCIM API requests.",
+ "requirement": "optional"
+ }
+ }
+ }
+
\ No newline at end of file
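Review bot: `auth_protocol_id` is described here as "the authorization protocol used by the SCIM resource", but the `protocol_name` examples (SAML, OIDC, OAuth2) are identity/authentication protocols and the same attribute in `sso.json` is described as the "authentication protocol"; align the two descriptions so consumers do not read different semantics for one attribute. Also `rate_limit` is "Maximum number of requests ... within a specified time frame" with nothing recording that time frame, so state the unit or add a companion attribute; `version` sits before `uid` and `uid_alt`, breaking the alphabetical attribute order used elsewhere in the object; since this patch adds `references` arrays to other objects, the SCIM core schema and protocol RFCs (7643 and 7644, the source of the `externalId` wording in `uid_alt`) would fit here as well; and the file ends with an extra blank line and no trailing newline.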
diff --git a/objects/session.json b/objects/session.json
index a57dc91c7..250a1fc0e 100644
--- a/objects/session.json
+++ b/objects/session.json
@@ -1,8 +1,9 @@
{
"caption": "Session",
- "description": "The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer. Defined by D3FEND d3f:Session.",
- "extends": "object",
"name": "session",
+ "description": "The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Session/", "description": "D3FEND™ Ontology d3f:Session"}],
+ "extends": "object",
"attributes": {
"count": {
"description": "The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.",
diff --git a/objects/sso.json b/objects/sso.json
new file mode 100644
index 000000000..ff580b244
--- /dev/null
+++ b/objects/sso.json
@@ -0,0 +1,75 @@
+{
+ "caption": "SSO",
+ "description": "The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.",
+ "extends": "object",
+ "name": "sso",
+ "attributes": {
+ "auth_protocol": {
+ "description": "The authorization protocol as defined by the caption of auth_protocol_id
. In the case of Other
, it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "auth_protocol_id": {
+ "description": "The normalized identifier of the authentication protocol used by the SSO resource.",
+ "requirement": "optional"
+ },
+ "certificate": {
+ "caption": "SAML Certificate",
+ "description": "Digital Signature associated with the SSO resource, e.g., SAML X.509 certificate details.",
+ "requirement": "recommended"
+ },
+ "created_time": {
+ "description": "When the SSO resource was created.",
+ "requirement": "optional"
+ },
+ "duration_mins": {
+ "caption": "SSO Session Duration",
+ "description": "The duration (in minutes) for an SSO session, after which re-authentication is required.",
+ "requirement": "optional"
+ },
+ "idle_timeout": {
+ "caption": "SSO Idle Timeout",
+ "description": "Duration (in minutes) of allowed inactivity before Single Sign-On (SSO) session expiration.",
+ "requirement": "optional"
+ },
+ "login_endpoint": {
+ "caption": "SSO Login Endpoint",
+ "description": "URL for initiating an SSO login request.",
+ "requirement": "optional"
+ },
+ "logout_endpoint": {
+ "caption": "SSO Logout Endpoint",
+ "description": "URL for initiating an SSO logout request, allowing sessions to be terminated across applications.",
+ "requirement": "optional"
+ },
+ "metadata_endpoint": {
+ "caption": "SSO Metadata Endpoint",
+ "description": "URL where metadata about the SSO configuration is available (e.g., for SAML configurations).",
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The most recent time when the SSO resource was updated.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The name of the SSO resource.",
+ "requirement": "recommended"
+ },
+ "protocol_name": {
+ "caption": "Supported Protocol",
+ "description": "The supported protocol for the SSO resource. E.g., SAML
or OIDC
.",
+ "requirement": "optional"
+ },
+ "scopes": {
+ "requirement": "optional"
+ },
+ "vendor_name": {
+ "caption": "Service Provider",
+ "description": "Name of the vendor or service provider implementing SSO. E.g., Okta
, Auth0
, Microsoft
.",
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "A unique identifier for a SSO resource.",
+ "requirement": "recommended"
+ }
+ }
+ }
\ No newline at end of file
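Review bot: `certificate` is captioned "SAML Certificate" but described as a "Digital Signature associated with the SSO resource"; a certificate carries the key material used to sign or verify assertions, it is not a signature, so say "Digital certificate associated with the SSO resource, e.g., SAML X.509 certificate details." In the same file `auth_protocol` says "authorization protocol" while `auth_protocol_id` says "authentication protocol"; pick one. Also `uid` should read "for an SSO resource", and the file is missing a trailing newline.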
diff --git a/objects/url.json b/objects/url.json
index 4e875d540..c4bd9c04c 100644
--- a/objects/url.json
+++ b/objects/url.json
@@ -1,9 +1,10 @@
{
- "observable": 23,
"caption": "Uniform Resource Locator",
- "description": "The Uniform Resource Locator(URL) object describes the characteristics of a URL. Defined in RFC 1738 and by D3FEND d3f:URL.",
- "extends": "object",
"name": "url",
+ "observable": 23,
+ "description": "The Uniform Resource Locator (URL) object describes the characteristics of a URL.",
+ "references": [{"url": "https://datatracker.ietf.org/doc/html/rfc1738", "description": "Defined in RFC 1738"}, {"url": "https://d3fend.mitre.org/dao/artifact/d3f:URL/", "description": "D3FEND™ Ontology d3f:URL"}],
+ "extends": "object",
"attributes": {
"categories": {
"requirement": "optional"
diff --git a/objects/user.json b/objects/user.json
index 386a5fb82..76ad0fb55 100644
--- a/objects/user.json
+++ b/objects/user.json
@@ -1,8 +1,9 @@
{
"caption": "User",
- "description": "The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.",
- "extends": "_entity",
"name": "user",
+ "description": "The User object describes the characteristics of a user/person or a security principal.",
+ "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/", "description": "D3FEND™ Ontology d3f:UserAccount"}],
+ "extends": "_entity",
"observable": 21,
"attributes": {
"account": {
diff --git a/objects/vendor_attributes.json b/objects/vendor_attributes.json
new file mode 100644
index 000000000..61d4d5ff7
--- /dev/null
+++ b/objects/vendor_attributes.json
@@ -0,0 +1,17 @@
+{
+ "caption": "Vendor Attributes",
+ "description": "The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-prodvided values and consumer-updated values, of key attributes like severity_id
.
The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.",
+ "extends": "object",
+ "name": "vendor_attributes",
+ "attributes": {
+ "severity": {
+ "description": "The finding severity, as reported by the Vendor (Finding Provider). The value should be normalized to the caption of the severity_id
value. In the case of 'Other', it is defined by the source.",
+ "requirement": "optional"
+ },
+ "severity_id": {
+ "description": "The finding severity ID, as reported by the Vendor (Finding Provider).",
+ "requirement": "optional"
+ }
+ }
+}
+
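Review bot: typo "vendor-prodvided" should be "vendor-provided" in the object description, and the stray comma in "consumer-updated values, of key attributes" should go. The file also ends with an extra blank line.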
diff --git a/profiles/data_classification.json b/profiles/data_classification.json
index 3eb577f4f..0bd7fdd23 100644
--- a/profiles/data_classification.json
+++ b/profiles/data_classification.json
@@ -1,10 +1,18 @@
{
- "description": "The attributes that describe information specific to data classification.",
+ "description": "The Data Classification profile adds attributes to spepcific resource objects, allowing users to describe information about classifiers & data classification results.",
"meta": "profile",
"caption": "Data Classification",
"name": "data_classification",
"attributes": {
"data_classification": {
+ "group": "context",
+ "requirement": "recommended",
+ "@deprecated": {
+ "message": "Use the attribute data_classifications
instead",
+ "since": "1.4.0"
+ }
+ },
+ "data_classifications": {
"group": "context",
"requirement": "recommended"
}
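Review bot: "spepcific" should be "specific" in the profile description. Also the deprecated `data_classification` keeps "requirement": "recommended" alongside its replacement `data_classifications`, which is also recommended, so producers are steered towards populating both; consider downgrading the deprecated attribute to "optional" so validation does not encourage new producers to emit it.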
diff --git a/profiles/security_control.json b/profiles/security_control.json
index 6aeaa9b72..dd26bfb43 100644
--- a/profiles/security_control.json
+++ b/profiles/security_control.json
@@ -1,5 +1,5 @@
{
- "description": "The attributes including disposition that represent the outcome of a security control including but not limited to access control, malware or policy violation, network proxy, firewall, or data control. The profile is intended to augment activities or findings with an outcome where a security control has intervened. If the control detected a security violation, the is_detection
flag should be set to true
.",
+ "description": "The attributes including disposition that represent the outcome of a security control including but not limited to access control, malware or policy violation, network proxy, intrusion detection, firewall, or data control. The profile is intended to augment activities or findings with an outcome when a security control has observed or intervened. If the control detected a security violation, and the disposition_id
or action_id
is an alertable outcome or action, the is_alert
flag may be set to true
.",
"meta": "profile",
"caption": "Security Control",
"name": "security_control",
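Review bot: the new description says `is_alert` "may be set to true" when `disposition_id` or `action_id` "is an alertable outcome or action", but nothing here defines which values are alertable; either list them (for example the 'Alert' and 'Detected' dispositions cited under the Observed action later in this file) or point to where that mapping is defined, otherwise producers will set the flag inconsistently. The replaced text used "should"; if the softening to "may" is intentional, it is a behavioural change worth calling out explicitly.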
@@ -18,7 +18,7 @@
"enum": {
"0": {
"caption": "Unknown",
- "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Count', 'Uncorrected', 'Isolated', 'Quarantined' or 'Exonerated'."
+ "description": "The action was unknown. The disposition_id
attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'."
},
"1": {
"caption": "Allowed",
@@ -27,6 +27,18 @@
"2": {
"caption": "Denied",
"description": "The attempted activity was denied. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc."
+ },
+ "3": {
+ "caption": "Observed",
+ "description": "The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id
attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc."
+ },
+ "4": {
+ "caption": "Modified",
+ "description": "The activity was modified, adjusted, or corrected. The disposition_id
attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The action is not mapped. See the action
attribute which contains a data source specific value."
}
},
"requirement": "required"
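Review bot: the new Observed (3) and Modified (4) values leave some overlap with the reworded Unknown (0): 'Challenge' is now an example for Unknown while 'Captcha' is an example for Modified, and a challenge is closer to a modification of the flow than to an unknown action, so clarify which action a challenge disposition maps to. While this enum is being touched, the unchanged Denied description has an unterminated quote in "'Access Revoked, etc.", and the Other description reads "the action attribute which contains" where the parallel text in the scim object uses "attribute, which contains".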