
Add long_string object for strings that are potentially very long and subject to truncation. #1228

Merged
merged 10 commits into from
Nov 1, 2024
5 changes: 2 additions & 3 deletions CHANGELOG.md
Expand Up @@ -52,14 +52,12 @@ Thankyou! -->
* #### Dictionary Attributes
1. Added `has_mfa` as a `boolean_t`. #1155
1. Added `environment_variables` as an array of `environment_variable` object. #1172
1. Added `is_attribute_truncated` as a `boolean_t`. #1172
1. Added `forward_addr` as an `email_t`. #1179
1. Added `related_cves`, `related_cwes` as arrays of `cve`, `cwe` objects respectively. #1176
1. Added `exploit_last_seen_time` as a `timestamp_t`. #1176
1. Added `is_alert` as a `boolean_t`, #1179
1. Added `working_directory` as a `string_t`. #1195
1. Added `is_deleted` a `boolean_t`. #1196
1. Added `is_script_content_truncated` as a `boolean_t`. #1198
1. Added `body_length` as an `integer_t` #1200
1. Added `is_public` as a `boolean_t` #1208
1. Added `tags`, `control_parameters` as an array of `key_value_object` object. #1219
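Review bot: Dropping the `is_attribute_truncated` (#1172) and `is_script_content_truncated` (#1198) lines from the Added list is only correct if neither attribute has shipped in a tagged release. Both sit under the same unreleased section as the new `long_string` work, so this looks fine, but if either did ship, a Removed or Deprecated entry pointing at `long_string` is needed instead of silently rewriting the history.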
Expand All @@ -68,11 +66,13 @@ Thankyou! -->
1. Added `unmanned_system_operator` to the dictionary, extends `user`. #1169
1. Added `locations` to the dictionary, an array type of the `location` object, used within the new `operating_area` object. #1169
1. Added `altitude_ceiling`, `altitude_floor`, `geodetic_altitude`, `aerial_height`, `horizontal_accuracy`, `pressure_altitude`, `radius`, `speed`, `track_direction`, and `vertical_speed` all to support `operating_area` and `unmanned_aerial_system` objects. #1169
1. Added `variable_name` and `variable_value` as `long_string`. #1228
* #### Objects
1. Added `environment_variable` object. #1172
1. Added `advisory` object. #1176
1. Added a generic `key_value_object` object. #1219
1. Added `unmanned_aerial_system` and `unmanned_system_operating_area` objects. #1169
1. Added a `long_string` object. #1228

### Improved
* #### Event Classes
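Review bot: The Dictionary Attributes list records `variable_name` and `variable_value` but not the two other dictionary attributes this PR adds, `is_truncated` and `untruncated_size`. Add a line such as `1. Added `is_truncated` as a `boolean_t` and `untruncated_size` as an `integer_t`. #1228` so the changelog matches dictionary.json.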
Expand All @@ -95,7 +95,6 @@ Thankyou! -->
1. Added `http_headers` to `email` object. #1199
1. Added `working_directory` to `process` object. #1195
1. Added `is_deleted` to `file` object. #1196
1. Added `is_script_content_truncated` to `script` object. #1198
1. Added entry for VBA macros to `type_id` enum in `script` object. #1198
1. Added `body_length` to the `http_response` and `http_request` objects. #1200
1. Added `is_public` to the `databucket` object. #1208
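Review bot: Removing the `is_script_content_truncated` line leaves the Objects section silent on the two changes that replace it: `script_content` in the `script` object changes type from `string_t` to `long_string`, and the `environment_variable` object's `name`/`value` attributes are renamed to `variable_name`/`variable_value`. Both change the wire shape consumers see, so each deserves an entry here, e.g. `1. Changed `script_content` in `script` object to `long_string`. #1228`.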
32 changes: 21 additions & 11 deletions dictionary.json
Expand Up @@ -2483,11 +2483,6 @@
"description": "A determination if a policy, rule, or enforcement action was applied.",
"type": "boolean_t"
},
"is_attribute_truncated": {
"caption": "Attribute Truncated",
"description": "The indication of whether or not an attribute is truncated.",
"type": "boolean_t"
},
"is_cleartext": {
"caption": "Cleartext Credentials",
"description": "Indicates whether the credentials were passed in clear text.<p><b>Note:</b> True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.</p>",
Expand Down Expand Up @@ -2568,11 +2563,6 @@
"description": "The indication of whether this is a lease/session renewal event.",
"type": "boolean_t"
},
"is_script_content_truncated": {
"caption": "Is Script Content Truncated",
"description": "Indicates if the contents of the <code>script_content</code> attribute have been truncated.",
"type": "boolean_t"
},
"is_secure": {
"caption": "Secure",
"description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.",
Expand Down Expand Up @@ -2603,6 +2593,11 @@
"description": "Whether the authentication factor is a Time-based One-time Password (TOTP).",
"type": "boolean_t"
},
"is_truncated": {
"caption": "Is Truncated",
"description": "Indicates that an attribute has been truncated. See specific usage.",
"type": "boolean_t"
},
"is_trusted": {
"caption": "Trusted Device",
"description": "The event occurred on a trusted device.",
Expand Down Expand Up @@ -4101,7 +4096,7 @@
"observable": 36,
"caption": "Script Content",
"description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.",
"type": "string_t"
"type": "long_string"
},
"section_a": {
"caption": "JA4 Section A",
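Review bot: Changing `script_content` from `string_t` to `long_string` turns this attribute from a scalar into a nested object while keeping `"observable": 36`; confirm that observable extraction handles an object-typed attribute, or move the observable mapping onto the string inside `long_string`, following whatever pattern other object-typed observables use. The description could also name `is_truncated` and `untruncated_size` now that the schema has a defined place for them, instead of the vague "it may be appropriate to truncate large scripts".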
Expand Down Expand Up @@ -4833,6 +4828,11 @@
"description": "The human or machine operator of an UAS",
"type": "user"
},
"untruncated_size": {
"caption": "Untruncated Size",
"description": "The size in bytes of an attribute before truncation. See specific usage.",
"type": "integer_t"
},
"url": {
"caption": "URL",
"description": "The URL object that pertains to the event or object. See specific usage.",
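Review bot: `untruncated_size` is defined as "size in bytes", but one of the attributes it will sit under is `script_content`, which this same file says is "normalized to UTF-8 encoding irrespective of its original encoding". State whether the byte count is of the normalized UTF-8 string or of the original bytes (or count characters instead); otherwise producers will disagree and consumers cannot tell how much was lost.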
Expand Down Expand Up @@ -4875,6 +4875,16 @@
"description": "The value that pertains to the object. See specific usage.",
"type": "string_t"
},
"variable_name": {
"caption": "Variable Name",
"description": "The name of a variable. See specific usage.",
"type": "long_string"
},
"variable_value": {
"caption": "Variable Value",
"description": "The value of a variable. See specific usage.",
"type": "long_string"
},
"vector_string": {
"caption": "Vector String",
"description": "The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: <code>3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H</code>.",
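Review bot: Typing `variable_name` as `long_string` means every environment variable name is serialized as a nested object even though the common case is a short name; that is a fair trade for the rare very long names, but the description should say that producers emit the full string and set `is_truncated` only when they actually cut it. The descriptions "The name of a variable" and "The value of a variable" are also generic while the only current user is `environment_variable`; fine if more variable-like objects are planned, otherwise say so in "See specific usage".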
12 changes: 4 additions & 8 deletions objects/environment_variable.json
Expand Up @@ -4,17 +4,13 @@
"extends": "object",
"name": "environment_variable",
"attributes": {
"name": {
"description": "The name of the environment variable.",
"variable_name": {
"description": "The name of the environment variable. Note that some operating systems permit environment variables to have very long names.",
"requirement": "required"
},
"value": {
"description": "The value of the environment variable.",
"variable_value": {
"description": "The value of the environment variable. Note that some operating systems permit environment variables to have very long values.",
"requirement": "required"
},
"is_attribute_truncated": {
"description": "Whether the <code>name</code> or <code>value</code> of the environment variable has been truncated.",
"requirement": "optional"
}
}
}
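Review bot: Renaming `name`/`value` to `variable_name`/`variable_value` changes the wire shape of `environment_variable`; as with the changelog, this is acceptable only because the object was added in #1172 in the same unreleased section. The two "Note that some operating systems permit ... very long" sentences now duplicate what the `long_string` type already conveys; either keep them as the rationale for the type choice or drop them, but be consistent with `script_content`, which gets no such note.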
20 changes: 20 additions & 0 deletions objects/long_string.json
@@ -0,0 +1,20 @@
{
"caption": "Long String",
"description": "This object is a used to capture strings which may be truncated by a security product due to their length.",
"extends": "object",
"name": "long_string",
"attributes": {
"value": {
"description": "The string value, truncated if <code>is_truncated</code> is <code>true</code>.",
"requirement" : "required"
},
"is_truncated": {
"description": "Indicates that <code>value</code> has been truncated. May be omitted if truncation has not occurred.",
"requirement" : "optional"
},
"untruncated_size": {
"description": "The size in bytes of the string represented by <code>value</code> before truncation. Should be omitted if truncation has not occurred.",
"requirement" : "optional"
}
}
}
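Review bot: Typo in the object description: "This object is a used to capture strings" should read "This object is used to capture strings". Style: the three `"requirement" : "..."` entries put a space before the colon, unlike every other JSON file in this diff; drop the space. One semantic gap: `value` carries no `type` here and so inherits the dictionary's `value` (`string_t`), which is what you want, but `untruncated_size` says "Should be omitted if truncation has not occurred" while `is_truncated` says "May be omitted"; align the two wordings and state what a consumer should infer when `untruncated_size` is present but `is_truncated` is absent.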
3 changes: 0 additions & 3 deletions objects/script.json
Expand Up @@ -12,9 +12,6 @@
"description": "An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the <code>script_content</code> attribute.",
"requirement": "recommended"
},
"is_script_content_truncated": {
"requirement": "optional"
},
"parent_uid": {
"description": "This attribute relates a sub-script to a parent script having the matching <code>uid</code> attribute. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS.",
"requirement": "optional"