From a6724b24e2bffae0e890c7c0e624f2b39a90a295 Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 12:53:00 -0500 Subject: [PATCH 01/13] Create assessment.json --- objects/assessment.json | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 objects/assessment.json diff --git a/objects/assessment.json b/objects/assessment.json new file mode 100644 index 000000000..e37e22206 --- /dev/null +++ b/objects/assessment.json @@ -0,0 +1,24 @@ +{ + "caption": "Assessment", + "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera.", + "extends": "_entity", + "name": "assessment", + "attributes": { + "category": { + "description": "The category that the assessment is part of. For example: Prevention or Windows 10.", + "requirement": "optional" + }, + "desc": { + "description": "The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.", + "requirement": "optional" + }, + "name": { + "description": "The name of the configuration or signal being assessed. For example: Kernel Mode Code Integrity (KMCI) or publicAccessibilityState.", + "requirement": "recommended" + }, + "uid": { + "description": "The unique identifier of the configuration or signal being assessed. For example: the signal_id.", + "requirement": "recommended" + } + } +} \ No newline at end of file From 04664593ed6c05d6ddaccb211e797bb93b4170eb Mon Sep 17 00:00:00 2001 
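Review bot: The object is defined as a point-in-time assessment, yet none of its attributes records when the evaluation was made, so once an `assessment` is embedded in another object the consumer cannot tell how current the verdict is. Consider adding a timestamp attribute (presumably the dictionary's existing `time`, at `recommended`) with a description such as `"The time when the configuration or signal was assessed."`. The file is also created without a trailing newline (`\ No newline at end of file`), which is worth fixing before later patches touch the closing brace.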
From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 12:57:18 -0500 Subject: [PATCH 02/13] add `meets_criteria` to dictionary & assessment --- dictionary.json | 5 +++++ objects/assessment.json | 8 ++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/dictionary.json b/dictionary.json index 4cf6e6b53..299bb0236 100644 --- a/dictionary.json +++ b/dictionary.json @@ -3325,6 +3325,11 @@ } ] }, + "meets_criteria": { + "caption": "Meets Criteria", + "description": "Determines if an assessment, control, policy, or otherwise meets its assessment criteria. See specific usage.", + "type": "boolean_t" + }, "metadata": { "caption": "Metadata", "description": "The metadata associated with the event or a finding.", diff --git a/objects/assessment.json b/objects/assessment.json index e37e22206..29b9b6d9d 100644 --- a/objects/assessment.json +++ b/objects/assessment.json @@ -10,7 +10,11 @@ }, "desc": { "description": "The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.", - "requirement": "optional" + "requirement": "recommended" + }, + "meets_criteria": { + "description": "Determines whether the assessment against the specific configuration or signal meets the assessments criteria. For example, if the assessment checks if a Datastore is encrypted or not, having encryption would be evaluated as true.", + "requirement": "required" }, "name": { "description": "The name of the configuration or signal being assessed. For example: Kernel Mode Code Integrity (KMCI) or publicAccessibilityState.", @@ -18,7 +22,7 @@ }, "uid": { "description": "The unique identifier of the configuration or signal being assessed. For example: the signal_id.", - "requirement": "recommended" + "requirement": "optional" } } } \ No newline at end of file From 04d28465b024c1453b8a3877b8384be130dcf6e6 Mon Sep 17 00:00:00 2001 
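Review bot: `meets_criteria` as a bare `boolean_t` cannot express that a check was not evaluated or does not apply, and the assessment.json hunks in this same patch make it `required`, so an inconclusive result has to be coerced to true or false — a coerced false reads as a failed control and a coerced true as a passing one. Either state in the description what producers must emit when the criteria could not be evaluated, or keep the boolean at `recommended` and pair it with a status field. The description also says the attribute "Determines if …", which a data field cannot do; `"description": "Indicates whether an assessment, control, policy, or otherwise meets its assessment criteria. See specific usage."` matches how the neighbouring entries are phrased.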
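Review bot: With `uid` demoted to `optional` and `name` left at `recommended`, the only `required` attribute on the object is `meets_criteria`, so a schema-valid assessment can carry a pass/fail verdict that identifies nothing about the configuration or signal it evaluated. If at least one identifier is expected, add `"constraints": { "at_least_one": ["name", "uid"] }` at the object level, the same mechanism the changelog later in this series cites for `auth_factor`. The `meets_criteria` description here also has a possessive slip: `"...meets the assessment's criteria. For example, ..."` rather than "assessments criteria".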
From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 12:57:31 -0500 Subject: [PATCH 03/13] adds `policy` to `assessment` --- objects/assessment.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/objects/assessment.json b/objects/assessment.json index 29b9b6d9d..10f421316 100644 --- a/objects/assessment.json +++ b/objects/assessment.json @@ -20,6 +20,11 @@ "description": "The name of the configuration or signal being assessed. For example: Kernel Mode Code Integrity (KMCI) or publicAccessibilityState.", "requirement": "recommended" }, + "policy": { + "caption": "Assessment Policy", + "description": "The details of any policy associated with an assessment.", + "requirement": "optional" + }, "uid": { "description": "The unique identifier of the configuration or signal being assessed. For example: the signal_id.", "requirement": "optional" From 38fcd62a9f54350881276d286cf243a2a7f15735 Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 13:01:44 -0500 Subject: [PATCH 04/13] add plural `assessments` --- dictionary.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/dictionary.json b/dictionary.json index 299bb0236..78006226b 100644 --- a/dictionary.json +++ b/dictionary.json 
@@ -238,6 +238,17 @@ "description": "The details of the group assigned to an Incident.", "type": "group" }, + "assessment": { + "caption": "Assessment", + "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera.", + "type": "assessment" + }, + "assessments": { + "caption": "Assessments", + "description": "A list of assessment objects.", + "type": "assessment", + "is_array": true + }, "attacks": { "caption": "MITRE ATT&CK® Details", "description": "An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques.", From 7573cde0fa1436852ca69c721deffdac21944a86 Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 13:04:11 -0500 Subject: [PATCH 05/13] add `assessments` to `compliance` and `config_state` --- events/discovery/config_state.json | 6 ++++++ objects/compliance.json | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/events/discovery/config_state.json b/events/discovery/config_state.json index dd2d03273..00b4b195e 100644 --- a/events/discovery/config_state.json +++ b/events/discovery/config_state.json @@ -10,6 +10,12 @@ "requirement": "optional", "profile": null }, + "assessments": { + "caption": "Related Assessments", + "description": "A list of assessments associated with the device.", + "group": "context", + "requirement": "optional" + }, "cis_benchmark_result": { "group": "primary", "requirement": "recommended" diff --git a/objects/compliance.json b/objects/compliance.json index a2ebdcdd0..33e1acf41 100644 --- a/objects/compliance.json +++ b/objects/compliance.json 
@@ -4,6 +4,11 @@ "extends": "object", "name": "compliance", "attributes": { + "assessments": { + "caption": "Related Assessments", + "description": "A list of assessments associated with the compliance requirements evaluation", + "requirement": "optional" + }, "compliance_references": { "requirement": "optional" }, From 9357b87cbb0324ac96a3a450842f09ec89accbeb Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 13:04:45 -0500 Subject: [PATCH 06/13] update `config_state` description --- events/discovery/config_state.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/events/discovery/config_state.json b/events/discovery/config_state.json index 00b4b195e..e52a68d9d 100644 --- a/events/discovery/config_state.json +++ b/events/discovery/config_state.json @@ -1,7 +1,7 @@ { "uid": 2, "caption": "Device Config State", - "description": "Device Config State events report device configuration data and CIS Benchmark results.", + "description": "Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.", "extends": "discovery", "name": "config_state", "attributes": { From fe3cf1c3e955cf7748715436db7a9a6fa746065e Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:14:20 -0500 Subject: [PATCH 07/13] add `assessments` to cloud inventory --- events/discovery/cloud_resources_inventory_info.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json index b399be30f..62a8ffc69 100644 --- a/events/discovery/cloud_resources_inventory_info.json +++ b/events/discovery/cloud_resources_inventory_info.json 
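Review bot: The `assessments` description added to `compliance` is the only one in this series without a terminating period, and its wording drifts from the `config_state` copy added in the same patch. Suggest `"description": "A list of assessments associated with the compliance requirements evaluation."` so the three `assessments` definitions read consistently and the schema-generated docs do not show one unterminated sentence.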
@@ -5,6 +5,12 @@ "extends": "discovery", "name": "cloud_resources_inventory_info", "attributes": { + "assessments": { + "caption": "Related Assessments", + "description": "A list of assessments associated with the cloud resource(s).", + "group": "context", + "requirement": "optional" + }, "cloud": { "description": "Cloud service provider or SaaS platform metadata about the cloud resource(s) that are being discovered by an inventory process.", "group": "primary", From 2c4b2316eba8d8ee9e40da180e2124edb2f7fa5c Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:21:44 -0500 Subject: [PATCH 08/13] update changelog --- CHANGELOG.md | 11 +++++++++++ events/discovery/cloud_resources_inventory_info.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b1b59f66..468d7e28b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,10 +44,21 @@ Thankyou! --> ### Added * #### Dictionary Attributes 1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335) + 1. Added `assessments` as an array of `assessment` objects. + 1. Added `meets_criteria` as a `boolean_t`. +* #### Objects + 1. Added `assessment` object to capture evaluations/assessments of configurations/signals. ### Improved +* #### Event Classes + 1. Added `assessments` to `cloud_resources_inventory_info` and `config_state`. * #### Objects 1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335) + 1. Added `meets_criteria` and `policy` to `assessment` object. + 1. Added `assessments` to `compliance` object. + +### Misc +1. Updated description of `cloud_resources_inventory_info` and `config_state` to reflect the addition of the `assessments` object. ## [v1.4.0] - January 31st, 2025 diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json index 62a8ffc69..db18ff684 100644 
--- a/events/discovery/cloud_resources_inventory_info.json +++ b/events/discovery/cloud_resources_inventory_info.json @@ -1,7 +1,7 @@ { "uid": 23, "caption": "Cloud Resources Inventory Info", - "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.", + "description": "Cloud Resources Inventory Info events report cloud asset inventory data or cloud asset assessment data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.", "extends": "discovery", "name": "cloud_resources_inventory_info", "attributes": { From 7648ec2df2fc261f814c01373f77c24570d2caf8 Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:38:23 -0500 Subject: [PATCH 09/13] Update CHANGELOG.md --- CHANGELOG.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 468d7e28b..307210cb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -44,21 +44,21 @@ Thankyou! --> ### Added * #### Dictionary Attributes 1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335) - 1. Added `assessments` as an array of `assessment` objects. - 1. Added `meets_criteria` as a `boolean_t`. + 1. Added `assessments` as an array of `assessment` objects. #1343 + 1. Added `meets_criteria` as a `boolean_t`. #1343 * #### Objects - 1. Added `assessment` object to capture evaluations/assessments of configurations/signals. + 1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343 ### Improved * #### Event Classes - 1. Added `assessments` to `cloud_resources_inventory_info` and `config_state`. + 1. Added `assessments` to `cloud_resources_inventory_info` and `config_state`. #1343 * #### Objects 1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335) - 1. Added `meets_criteria` and `policy` to `assessment` object. - 1. Added `assessments` to `compliance` object. + 1. Added `meets_criteria` and `policy` to `assessment` object. #1343 + 1. Added `assessments` to `compliance` object. #1343 ### Misc -1. Updated description of `cloud_resources_inventory_info` and `config_state` to reflect the addition of the `assessments` object. +1. Updated description of `cloud_resources_inventory_info` and `config_state` to reflect the addition of the `assessments` object. #1343 ## [v1.4.0] - January 31st, 2025 From 3dab44ecc3bd624b9b47dd3439f1e3b1c06d0acb Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Tue, 11 Feb 2025 10:25:28 -0500 Subject: [PATCH 10/13] add `data` to `policy` --- objects/assessment.json | 2 +- objects/policy.json | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/objects/assessment.json b/objects/assessment.json index 10f421316..1bd420f33 100644 --- a/objects/assessment.json +++ b/objects/assessment.json 
@@ -1,6 +1,6 @@ { "caption": "Assessment", - "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera.", + "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera, or capture details of Microsoft Intune configuration policies.", "extends": "_entity", "name": "assessment", "attributes": { diff --git a/objects/policy.json b/objects/policy.json index e259a20b6..48a9973a6 100644 --- a/objects/policy.json +++ b/objects/policy.json @@ -4,6 +4,10 @@ "extends": "_entity", "name": "policy", "attributes": { + "data": { + "description": "Additional data about the policy such as the underlying JSON policy itself or other details.", + "requirement": "optional" + }, "desc": { "description": "The description of the policy.", "requirement": "optional" From c9f4675e547a2ad44eaf6ac8a36da2188f8dd0f3 Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Tue, 11 Feb 2025 12:40:32 -0500 Subject: [PATCH 11/13] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 936af1350..972fd3128 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
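Review bot: The object's description is extended to mention Microsoft Intune configuration policies, but the copy of the same text that patch 04 placed on the `assessment` entry in dictionary.json is not updated, so the two now diverge. Since the dictionary entry duplicates the object description verbatim, either keep both in sync in this patch or trim the dictionary description to a one-line summary such as `"The details of an assessment of a configuration or signal."` so the vendor examples live in one place.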
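Review bot: The `data` description invites producers to embed "the underlying JSON policy itself" but does not say whether that means the structured document or a serialized string; if `data` is the dictionary's JSON-typed attribute (as its name suggests — verify in dictionary.json), a string value would be double-encoded JSON that every consumer has to parse twice. Suggest `"description": "Additional data about the policy, such as the policy document itself embedded as structured JSON rather than as a serialized string, or other details."`. Full policy documents can also be large and may enumerate principals and resources, so it is worth stating whether the whole document is expected on every event that carries a `policy` or only a reference to it.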
@@ -56,6 +56,7 @@ Thankyou! --> 1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335) 1. Added `meets_criteria` and `policy` to `assessment` object. #1343 1. Added `assessments` to `compliance` object. #1343 + 1. Added `data` to `policy` object. #1343 ### Misc 1. Relaxed constraint to provide `email_addr`, `phone_number`, or `security_questions` on `auth_factor`. [#1339](https://github.com/ocsf/ocsf-schema/pull/1339) From b56f5312b1588ae446d7be17708a718b99e27d5a Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Tue, 11 Feb 2025 15:04:04 -0500 Subject: [PATCH 12/13] move `assessments` to `resources` --- events/discovery/cloud_resources_inventory_info.json | 6 ------ objects/resource_details.json | 5 +++++ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json index db18ff684..f0b917719 100644 --- a/events/discovery/cloud_resources_inventory_info.json +++ b/events/discovery/cloud_resources_inventory_info.json @@ -5,12 +5,6 @@ "extends": "discovery", "name": "cloud_resources_inventory_info", "attributes": { - "assessments": { - "caption": "Related Assessments", - "description": "A list of assessments associated with the cloud resource(s).", - "group": "context", - "requirement": "optional" - }, "cloud": { "description": "Cloud service provider or SaaS platform metadata about the cloud resource(s) that are being discovered by an inventory process.", "group": "primary", diff --git a/objects/resource_details.json b/objects/resource_details.json index f3b1c8ac8..b5ba9a0b1 100644 --- a/objects/resource_details.json +++ b/objects/resource_details.json 
@@ -7,6 +7,11 @@ "agent_list": { "requirement": "optional" }, + "assessments": { + "caption": "Related Assessments", + "description": "A list of assessments associated with the resource.", + "requirement": "optional" + }, "cloud_partition": { "profile": "cloud", "requirement": "optional" From 7d7d61e4b8992d717b262a5c38401a609e0b9b4d Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Thu, 13 Feb 2025 16:35:48 -0500 Subject: [PATCH 13/13] Update cloud_resources_inventory_info.json --- events/discovery/cloud_resources_inventory_info.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json index f0b917719..8c1d38908 100644 --- a/events/discovery/cloud_resources_inventory_info.json +++ b/events/discovery/cloud_resources_inventory_info.json @@ -1,7 +1,7 @@ { "uid": 23, "caption": "Cloud Resources Inventory Info", - "description": "Cloud Resources Inventory Info events report cloud asset inventory data or cloud asset assessment data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.", + "description": "Cloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.", "extends": "discovery", "name": "cloud_resources_inventory_info", "attributes": {
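Review bot: Moving `assessments` from `cloud_resources_inventory_info` to `resource_details` (together with patch 13 reverting that event class's description) leaves the CHANGELOG.md entries from patches 08 and 09 stale: they still record `assessments` being added to `cloud_resources_inventory_info` and its description being updated to reflect it. Update the Event Classes and Misc entries to name the object instead, e.g. `1. Added assessments to resource_details object. #1343`, and drop the event-class line. `resource_details` appears to be a shared object, so `assessments` now surfaces wherever it is embedded rather than only on the inventory event — presumably intended, but worth a sentence in the changelog.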