From 6afd9468991e0aaae0619632cc23bb854c6c22cb Mon Sep 17 00:00:00 2001 From: Mitchell Wasson Date: Tue, 26 Nov 2024 11:40:55 -0700 Subject: [PATCH] Add `security_control` and `host` profiles to base_event.json `security_control` and `host` are universally applicable in OCSF Both were applied in an ad-hoc manner _almost_ everywhere Also, sometimes the profile wasn't correctly applied (e.g. cloud_resources_inventory_info.json) This change enables providing a consistent interface with these profiles to downstream data consumers. Change optionality of `action_id` in `security_control` to `recommended` Also removed redundant profile declarations in event hierarchy (e.g. cloud in dhcp_activity.json) Profile declarations in objects left alone to facilitate "Referenced By" feature 
Signed-off-by: Mitchell Wasson
---
 CHANGELOG.md | 2 ++
 events/application/application_lifecycle.json | 8 +-------
 events/application/datastore_activity.json | 8 +-------
 events/application/scan_activity.json | 8 +-------
 events/application/web_resource_access_activity.json | 2 --
 events/application/web_resources_activity.json | 8 ++------
 events/base_event.json | 8 ++++++--
 events/discovery/cloud_resources_inventory_info.json | 5 +----
 events/discovery/config_state.json | 5 +----
 events/discovery/device_config_state_change.json | 5 +----
 events/discovery/discovery_result.json | 8 +-------
 events/discovery/inventory_info.json | 5 +----
 events/discovery/patch_state.json | 8 +-------
 events/discovery/software_info.json | 5 +----
 events/findings/data_security_finding.json | 8 +-------
 events/findings/detection_finding.json | 8 +-------
 events/findings/finding.json | 8 +-------
 events/iam/iam.json | 8 +-------
 events/network/dhcp_activity.json | 9 +--------
 events/network/email_activity.json | 10 +---------
 events/network/email_file_activity.json | 10 +---------
 events/network/email_url_activity.json | 10 +---------
 events/network/network.json | 4 ----
 events/remediation/remediation_activity.json | 8 +-------
 events/system/system.json | 9 +--------
 events/unmanned_systems/unmanned_systems.json | 8 +-------
 profiles/security_control.json | 2 +-
 27 files changed, 32 insertions(+), 155 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b9aed8ea..2f51e6cbc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -109,6 +109,8 @@ Thankyou! -->
 1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile. #1178
 1. Added `policy` attribute to the `security_control` profile. #1178
 1. Added enum values to `action_id` of 'Observed', 'Modified', and 'Unknown'. #1265
+ 1. Added `security_control` and `host` profiles to base_event.json #1270
+ 1. Changed optionality of `action_id` in the `security_control` profile from `required` to `recommended` #1270
 * #### Objects
 1. Added `phone_number` to `user` and `ldap_person` objects. #1155
 1. Added `has_mfa` to `user` object. #1155
diff --git a/events/application/application_lifecycle.json b/events/application/application_lifecycle.json
index c312b3db6..8ae69456e 100644
--- a/events/application/application_lifecycle.json
+++ b/events/application/application_lifecycle.json
@@ -5,9 +5,6 @@
 "extends": "application",
 "name": "application_lifecycle",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
 "activity_id": {
 "requirement": "required",
 "enum": {
@@ -50,8 +47,5 @@
 "group": "primary",
 "requirement": "required"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/application/datastore_activity.json b/events/application/datastore_activity.json
index 9bc67d7f3..dce516ee5 100644
--- a/events/application/datastore_activity.json
+++ b/events/application/datastore_activity.json
@@ -5,9 +5,6 @@
 "extends": "application",
 "name": "datastore_activity",
 "attributes": {
- "$include": [
- "profiles/security_control.json"
- ],
 "activity_id": {
 "enum": {
 "1": {
@@ -128,8 +125,5 @@
 "databucket",
 "table"
 ]
- },
- "profiles": [
- "security_control"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/application/scan_activity.json b/events/application/scan_activity.json
index 88bd5dbe6..4acc11006 100644
--- a/events/application/scan_activity.json
+++ b/events/application/scan_activity.json
@@ -5,9 +5,6 @@
 "extends": "application",
 "name": "scan_activity",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
 "activity_id": {
 "enum": {
 "1": {
@@ -124,8 +121,5 @@
 "group": "primary",
 "requirement": "recommended"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/application/web_resource_access_activity.json b/events/application/web_resource_access_activity.json
index ea37c76c0..058b50e51 100644
--- a/events/application/web_resource_access_activity.json
+++ b/events/application/web_resource_access_activity.json
@@ -10,7 +10,6 @@
 },
 "attributes": {
 "$include": [
- "profiles/host.json",
 "profiles/network_proxy.json"
 ],
 "activity_id": {
@@ -65,7 +64,6 @@
 }
 },
 "profiles": [
- "host",
 "network_proxy"
 ]
 }
\ No newline at end of file
diff --git a/events/application/web_resources_activity.json b/events/application/web_resources_activity.json
index 92d34f200..3bb2ec3b4 100644
--- a/events/application/web_resources_activity.json
+++ b/events/application/web_resources_activity.json
@@ -6,9 +6,7 @@
 "name": "web_resources_activity",
 "attributes": {
 "$include": [
- "profiles/host.json",
- "profiles/network_proxy.json",
- "profiles/security_control.json"
+ "profiles/network_proxy.json"
 ],
 "activity_id": {
 "enum": {
@@ -81,8 +79,6 @@
 }
 },
 "profiles": [
- "host",
- "network_proxy",
- "security_control"
+ "network_proxy"
 ]
 }
\ No newline at end of file
diff --git a/events/base_event.json b/events/base_event.json
index 247ff8ffa..a545c0bb2 100644
--- a/events/base_event.json
+++ b/events/base_event.json
@@ -7,7 +7,9 @@
 "$include": [
 "profiles/cloud.json",
 "profiles/datetime.json",
- "profiles/osint.json"
+ "profiles/host.json",
+ "profiles/osint.json",
+ "profiles/security_control.json"
 ],
 "activity_id": {
 "group": "classification",
@@ -138,6 +140,8 @@
 "profiles": [
 "cloud",
 "datetime",
- "osint"
+ "host",
+ "osint",
+ "security_control"
 ]
 }
\ No newline at end of file
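Review bot: In base_event.json the `host` and `security_control` profiles are declared twice — in the `attributes.$include` list (hunk at line 7) and again in the top-level `profiles` list (hunk at line 138) — and nothing in the schema files keeps those two lists in agreement. The commit message itself names cloud_resources_inventory_info.json as a file where a `profiles` entry existed without a matching `$include`, so this drift has already happened once; a validation step in the schema build that fails when an event's `$include` paths and `profiles` names do not correspond one-to-one would stop it recurring now that the root declaration is the single source for every event class. The same double-declaration remains in web_resource_access_activity.json, web_resources_activity.json and network.json after this change, so the check should run over every event file rather than just base_event.json.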
diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json
index 08616076f..a5cd3d617 100644
--- a/events/discovery/cloud_resources_inventory_info.json
+++ b/events/discovery/cloud_resources_inventory_info.json
@@ -66,8 +66,5 @@
 "resources",
 "table"
 ]
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/discovery/config_state.json b/events/discovery/config_state.json
index 5cd879c01..070031bd1 100644
--- a/events/discovery/config_state.json
+++ b/events/discovery/config_state.json
@@ -18,8 +18,5 @@
 "group": "primary",
 "requirement": "required"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/discovery/device_config_state_change.json b/events/discovery/device_config_state_change.json
index b6e6ab964..3971b850c 100644
--- a/events/discovery/device_config_state_change.json
+++ b/events/discovery/device_config_state_change.json
@@ -68,8 +68,5 @@
 }
 }
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/discovery/discovery_result.json b/events/discovery/discovery_result.json
index 9e3869be0..238bbd9ce 100644
--- a/events/discovery/discovery_result.json
+++ b/events/discovery/discovery_result.json
@@ -5,9 +5,6 @@
 "extends": "base_event",
 "name": "discovery_result",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
 "activity_id": {
 "enum": {
 "1": {
@@ -29,8 +26,5 @@
 "group": "primary",
 "requirement": "required"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/discovery/inventory_info.json b/events/discovery/inventory_info.json
index e9726a69c..bc7e0356a 100644
--- a/events/discovery/inventory_info.json
+++ b/events/discovery/inventory_info.json
@@ -14,8 +14,5 @@
 "group": "primary",
 "requirement": "required"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/discovery/patch_state.json b/events/discovery/patch_state.json
index db0240c4a..100808d02 100644
--- a/events/discovery/patch_state.json
+++ b/events/discovery/patch_state.json
@@ -5,9 +5,6 @@
 "extends": "discovery",
 "name": "patch_state",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
 "device": {
 "group": "primary",
 "requirement": "required",
@@ -24,8 +21,5 @@
 "device.os.sp_ver",
 "device.os.version"
 ]
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/discovery/software_info.json b/events/discovery/software_info.json
index 6c7898ebd..b163060f3 100644
--- a/events/discovery/software_info.json
+++ b/events/discovery/software_info.json
@@ -33,8 +33,5 @@
 "group": "context",
 "requirement": "optional"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
index 1612a9e81..258b06d7a 100644
--- a/events/findings/data_security_finding.json
+++ b/events/findings/data_security_finding.json
@@ -5,9 +5,6 @@
 "extends": "finding",
 "name": "data_security_finding",
 "attributes": {
- "$include": [
- "profiles/security_control.json"
- ],
 "activity_id": {
 "description": "The normalized identifier of the Data Security Finding activity.",
 "requirement": "required",
@@ -141,8 +138,5 @@
 "group": "primary",
 "requirement": "recommended"
 }
- },
- "profiles": [
- "security_control"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
index bd5e1f887..370cc8f1a 100644
--- a/events/findings/detection_finding.json
+++ b/events/findings/detection_finding.json
@@ -5,9 +5,6 @@
 "extends": "finding",
 "name": "detection_finding",
 "attributes": {
- "$include": [
- "profiles/security_control.json"
- ],
 "confidence": {
 "profile": null,
 "group": "context",
@@ -81,8 +78,5 @@
 "group": "context",
 "requirement": "optional"
 }
- },
- "profiles": [
- "security_control"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/findings/finding.json b/events/findings/finding.json
index cf0417739..369ef83d6 100644
--- a/events/findings/finding.json
+++ b/events/findings/finding.json
@@ -5,9 +5,6 @@
 "extends": "base_event",
 "name": "finding",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
 "activity_id": {
 "description": "The normalized identifier of the finding activity.",
 "enum": {
@@ -97,8 +94,5 @@
 "vendor_attributes": {
 "requirement": "optional"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/iam/iam.json b/events/iam/iam.json
index e075a79bb..1f03d7af3 100644
--- a/events/iam/iam.json
+++ b/events/iam/iam.json
@@ -5,9 +5,6 @@
 "extends": "base_event",
 "name": "iam",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
 "http_request": {
 "description": "Details about the underlying HTTP request.",
 "group": "context",
@@ -23,8 +20,5 @@
 "group": "primary",
 "requirement": "recommended"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/network/dhcp_activity.json b/events/network/dhcp_activity.json
index b60715b05..e24d54ca2 100644
--- a/events/network/dhcp_activity.json
+++ b/events/network/dhcp_activity.json
@@ -5,10 +5,6 @@
 "extends": "network",
 "name": "dhcp_activity",
 "attributes": {
- "$include": [
- "profiles/cloud.json",
- "profiles/host.json"
- ],
 "activity_id": {
 "requirement": "required",
 "enum": {
@@ -77,8 +73,5 @@
 "group": "primary",
 "requirement": "recommended"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/network/email_activity.json b/events/network/email_activity.json
index 34303173d..bcb7debd1 100644
--- a/events/network/email_activity.json
+++ b/events/network/email_activity.json
@@ -6,10 +6,6 @@
 "extends": "base_event",
 "name": "email_activity",
 "attributes": {
- "$include": [
- "profiles/host.json",
- "profiles/security_control.json"
- ],
 "activity_id": {
 "requirement": "optional",
 "enum": {
@@ -100,9 +96,5 @@
 "group": "primary",
 "requirement": "recommended"
 }
- },
- "profiles": [
- "host",
- "security_control"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/network/email_file_activity.json b/events/network/email_file_activity.json
index daf7a4cf8..71214fce3 100644
--- a/events/network/email_file_activity.json
+++ b/events/network/email_file_activity.json
@@ -10,10 +10,6 @@
 "since": "1.3.0"
 },
 "attributes": {
- "$include": [
- "profiles/host.json",
- "profiles/security_control.json"
- ],
 "activity_id": {
 "requirement": "optional",
 "enum": {
@@ -38,9 +34,5 @@
 "group": "primary",
 "requirement": "required"
 }
- },
- "profiles": [
- "host",
- "security_control"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/network/email_url_activity.json b/events/network/email_url_activity.json
index 7386eef07..c5e72da1f 100644
--- a/events/network/email_url_activity.json
+++ b/events/network/email_url_activity.json
@@ -10,10 +10,6 @@
 "since": "1.3.0"
 },
 "attributes": {
- "$include": [
- "profiles/host.json",
- "profiles/security_control.json"
- ],
 "activity_id": {
 "requirement": "optional",
 "enum": {
@@ -38,9 +34,5 @@
 "group": "primary",
 "requirement": "required"
 }
- },
- "profiles": [
- "host",
- "security_control"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/network/network.json b/events/network/network.json
index 89b0c1782..2c4d2a190 100644
--- a/events/network/network.json
+++ b/events/network/network.json
@@ -6,9 +6,7 @@
 "name": "network",
 "attributes": {
 "$include": [
- "profiles/host.json",
 "profiles/network_proxy.json",
- "profiles/security_control.json",
 "profiles/load_balancer.json"
 ],
 "app_name": {
@@ -47,9 +45,7 @@
 }
 },
 "profiles": [
- "host",
 "network_proxy",
- "security_control",
 "load_balancer"
 ]
 }
\ No newline at end of file
diff --git a/events/remediation/remediation_activity.json b/events/remediation/remediation_activity.json
index 0f4995db5..f53b48f2c 100644
--- a/events/remediation/remediation_activity.json
+++ b/events/remediation/remediation_activity.json
@@ -6,9 +6,6 @@
 "extends": "base_event",
 "name": "remediation_activity",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
 "activity_id": {
 "description": "Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.",
 "enum": {
@@ -68,8 +65,5 @@
 }
 }
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/system/system.json b/events/system/system.json
index f62d79025..f0f9c1f9d 100644
--- a/events/system/system.json
+++ b/events/system/system.json
@@ -13,9 +13,6 @@
 ]
 },
 "attributes": {
- "$include": [
- "profiles/security_control.json"
- ],
 "actor": {
 "group": "primary",
 "requirement": "required"
@@ -24,9 +21,5 @@
 "group": "primary",
 "requirement": "required"
 }
- },
- "profiles": [
- "host",
- "security_control"
- ]
+ }
 }
\ No newline at end of file
diff --git a/events/unmanned_systems/unmanned_systems.json b/events/unmanned_systems/unmanned_systems.json
index 3853aa917..49cda4b4c 100644
--- a/events/unmanned_systems/unmanned_systems.json
+++ b/events/unmanned_systems/unmanned_systems.json
@@ -5,9 +5,6 @@
 "extends": "base_event",
 "name": "unmanned_systems",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
 "connection_info": {
 "group": "context",
 "requirement": "recommended"
@@ -34,8 +31,5 @@
 "group": "context",
 "requirement": "recommended"
 }
- },
- "profiles": [
- "host"
- ]
+ }
 }
\ No newline at end of file
diff --git a/profiles/security_control.json b/profiles/security_control.json
index d97683ea1..818d7eee8 100644
--- a/profiles/security_control.json
+++ b/profiles/security_control.json
@@ -41,7 +41,7 @@
 "description": "The action is not mapped. See the action attribute which contains a data source specific value."
 }
 },
- "requirement": "required"
+ "requirement": "recommended"
 },
 "attacks": {
 "requirement": "optional"
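Review bot: Relaxing the requirement at line 44 from `required` to `recommended` is what makes it possible to attach this profile to every event class through base_event.json, but it also turns a guarantee into a hint: consumers that treated the attribute (presumably `action_id`, per the changelog entry in this patch — the enclosing attribute definition starts above the hunk) as always present on `security_control` events, for example detection or reporting logic that separates blocked from allowed activity, must now handle its absence, and an absent value should not be read as "allowed". The description text of that attribute is not in the hunk; I would extend it with a sentence such as `"When the action taken is not known, emit the Unknown enum value or omit this attribute; consumers must not infer that the activity was permitted from its absence."` so that producers and consumers agree on the meaning of a missing value. The changelog line in this patch records the optionality change but not this interpretation, so the note belongs in the profile itself.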