Merge branch 'main' into topic/http-request-body-length

.github/workflows/validate-compatibility.yml

@@ -0,0 +1,33 @@
+name: Compatibility Validation
+
+# To test with `act` on Apple silicon:
+# act -s GITHUB_TOKEN="$(gh auth token)" --container-architecture linux/amd64 -W .github/workflows/validate-compatibility.yml
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  validate:
+    name: Validate that changes are backwards compatible with the last stable release
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository content
+      uses: actions/checkout@v4
+
+    - name: Setup python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    - name: Install validator
+      run: python -m pip install "ocsf-lib>=${{ vars.COMPATIBILITY_VALIDATOR_VERSION || '0.8,<0.9' }}"
+
+    - name: Run validator
+      shell: bash
+      run: export FORCE_COLOR=1 && python -m ocsf.validate.compatibility ${{ vars.LATEST_STABLE || '1.3.0' }} .
+        #      with:
+        #repository: ocsf/ocsf-schema
+        #path: schema

.github/workflows/deep-validate.yml → .github/workflows/validate-metaschema.yml

@@ -1,4 +1,4 @@
-name: Validate (ocsf-validator)
+name: Metaschema Validation
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
 
 jobs:
   validate:
-    name: Validate the schema
+    name: Validate the schema satisfies the requirements of the metaschema
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository content
@@ -20,7 +20,7 @@ jobs:
         python-version: '3.11'
 
     - name: Install validator
-      run: python -m pip install 'ocsf-validator>=0.2,<0.3'
+      run: python -m pip install "ocsf-validator>=${{ vars.SCHEMA_VALIDATOR_VERSION || '0.2,<0.3' }}"
 
     - name: Run validator
       shell: bash

.github/workflows/validate.yml

@@ -1,4 +1,4 @@
-name: OCSF Schema Validation - Elixir Server
+name: Server Validation
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
 
 jobs:
    build:
-    name: Validate the schema can be understood by the OCSF Elixir server
+    name: Validate the schema can be understood by the OCSF server
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3

CHANGELOG.md

@@ -39,6 +39,21 @@ Thankyou! -->
 
 ## [Unreleased]
 
+### Added
+* #### Event Classes
+    1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+
+### Improved
+* #### Objects
+    1. Added `phone_number` to `user` and `ldap_person` objects. #1155
+    2. Added `has_mfa` to `user` object. #1155
+
+### Misc
+1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
+2. Added `group.name` and `group.uid` as Observable types - `type_id: 32` and `type_id: 33`, respectively. #1155
+3. Added `account.name` and `account.uid` as Observable types - `type_id: 34` and `type_id: 35`, respectively. #1155
+4. Added `has_mfa` boolean_t to Dictionary. #1155
+
 ## [v1.3.0] - August 1st, 2024
 
 ### Added

dictionary.json

@@ -2124,6 +2124,11 @@
       "description": "The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
       "type": "integer_t"
     },
+    "has_mfa": {
+      "caption": "MFA Assigned",
+      "description": "The user has a multi-factor or secondary-factor device assigned.",
+      "type": "boolean_t"
+    },
     "hash": {
       "caption": "Hash",
       "description": "The hash attribute is the value of a digital fingerprint including information about its algorithm.",

events/discovery/osint_inventory_info.json

@@ -0,0 +1,19 @@
+{
+    "caption": "OSINT Inventory Info",
+    "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.",
+    "extends": "discovery",
+    "name": "osint_inventory_info",
+    "uid": 21,
+    "attributes": {
+        "actor": {
+            "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.",
+            "group": "context",
+            "requirement": "optional"
+        },
+        "osint": {
+            "group": "primary",
+            "requirement": "required",
+            "description": "The OSINT that is being discovered by an inventory process."
+        }
+    }
+}

objects/account.json

@@ -5,7 +5,8 @@
   "extends": "_entity",
   "attributes": {
     "name": {
-      "description": "The name of the account (e.g. GCP Account Name)."
+      "description": "The name of the account (e.g. GCP Account Name).",
+      "observable": 34
     },
     "type": {
       "caption": "Type",
@@ -58,7 +59,8 @@
       "requirement": "recommended"
     },
     "uid": {
-      "description": "The unique identifier of the account (e.g. AWS Account ID)."
+      "description": "The unique identifier of the account (e.g. AWS Account ID).",
+      "observable": 35
     },
     "labels": {
       "caption": "Labels",

objects/group.json

@@ -13,7 +13,8 @@
       "requirement": "optional"
     },
     "name": {
-      "description": "The group name."
+      "description": "The group name.",
+      "observable": 32
     },
     "privileges": {
       "description": "The group privileges.",
@@ -25,7 +26,8 @@
       "requirement": "optional"
     },
     "uid": {
-      "description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group."
+      "description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.",
+      "observable": 33
     }
   }
 }

objects/ldap_person.json

@@ -59,6 +59,11 @@
     "office_location": {
       "requirement": "optional"
     },
+    "phone_number": {
+      "caption": "Telephone Number",
+      "description": "The telephone number of the user. Corresponds to the LDAP <code>Telephone-Number</code> CN.",
+      "requirement": "optional"
+    },
     "surname": {
       "requirement": "optional"
     }

objects/user.json

@@ -26,6 +26,9 @@
       "description": "The administrative groups to which the user belongs.",
       "requirement": "optional"
     },
+    "has_mfa": {
+      "requirement": "recommended"
+    },
     "ldap_person": {
       "description": "The additional LDAP attributes that describe a person.",
       "requirement": "optional"
@@ -39,6 +42,11 @@
       "description": "Organization and org unit related to the user.",
       "requirement": "optional"
     },
+    "phone_number": {
+      "caption": "Telephone Number",
+      "description": "The telephone number of the user.",
+      "requirement": "optional"
+    },
     "risk_level": {
       "requirement": "optional"
     },
@@ -78,7 +86,8 @@
     },
     "uid": {
       "description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
-      "requirement": "recommended"
+      "requirement": "recommended",
+      "observable": 31
     },
     "uid_alt": {
       "description": "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.",