Add assessments to OCSF

CHANGELOG.md

@@ -44,10 +44,21 @@ Thankyou! -->
 ### Added
 * #### Dictionary Attributes 
   1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `assessments` as an array of `assessment` objects. #1343
+  1. Added `meets_criteria` as a `boolean_t`. #1343
+* #### Objects
+  1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343
 
 ### Improved
+* #### Event Classes
+  1. Added `assessments` to `cloud_resources_inventory_info` and `config_state`. #1343
 * #### Objects
   1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `meets_criteria` and `policy` to `assessment` object. #1343
+  1. Added `assessments` to `compliance` object. #1343
+
+### Misc
+1. Updated description of `cloud_resources_inventory_info` and `config_state` to reflect the addition of the `assessments` object. #1343
 
 ## [v1.4.0] - January 31st, 2025
 

dictionary.json

@@ -238,6 +238,17 @@
       "description": "The details of the group assigned to an Incident.",
       "type": "group"
     },
+    "assessment": {
+      "caption": "Assessment",
+      "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera.",
+      "type": "assessment"
+    },
+    "assessments": {
+      "caption": "Assessments",
+      "description": "A list of <code>assessment</code> objects.",
+      "type": "assessment",
+      "is_array": true
+    },
     "attacks": {
       "caption": "MITRE ATT&CK® Details",
       "description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing identified tactics, techniques & sub-techniques.",
@@ -3325,6 +3336,11 @@
         }
       ]
     },
+    "meets_criteria": {
+      "caption": "Meets Criteria",
+      "description": "Determines if an assessment, control, policy, or otherwise meets its assessment criteria. See specific usage.",
+      "type": "boolean_t"
+    },
     "metadata": {
       "caption": "Metadata",
       "description": "The metadata associated with the event or a finding.",

events/discovery/cloud_resources_inventory_info.json

@@ -1,10 +1,16 @@
 {
   "uid": 23,
   "caption": "Cloud Resources Inventory Info",
-  "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
+  "description": "Cloud Resources Inventory Info events report cloud asset inventory data or cloud asset assessment data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
   "extends": "discovery",
   "name": "cloud_resources_inventory_info",
   "attributes": {
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the cloud resource(s).",
+      "group": "context",
+      "requirement": "optional"
+    },
     "cloud": {
       "description": "Cloud service provider or SaaS platform metadata about the cloud resource(s) that are being discovered by an inventory process.",
       "group": "primary",

events/discovery/config_state.json

@@ -1,7 +1,7 @@
 {
   "uid": 2,
   "caption": "Device Config State",
-  "description": "Device Config State events report device configuration data and CIS Benchmark results.",
+  "description": "Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.",
   "extends": "discovery",
   "name": "config_state",
   "attributes": {
@@ -10,6 +10,12 @@
       "requirement": "optional",
       "profile": null
     },
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the device.",
+      "group": "context",
+      "requirement": "optional"
+    },
     "cis_benchmark_result": {
       "group": "primary",
       "requirement": "recommended"

objects/assessment.json

@@ -0,0 +1,33 @@
+{
+	"caption": "Assessment",
+	"description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera.",
+	"extends": "_entity",
+	"name": "assessment",
+	"attributes": {
+		"category": {
+			"description": "The category that the assessment is part of. For example: <code>Prevention</code> or <code>Windows 10</code>.",
+			"requirement": "optional"
+		},
+		"desc": {
+			"description": "The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.",
+			"requirement": "recommended"
+		},
+		"meets_criteria": {
+			"description": "Determines whether the assessment against the specific configuration or signal meets the assessments criteria. For example, if the assessment checks if a <code>Datastore</code> is encrypted or not, having encryption would be evaluated as <code>true</code>.",
+			"requirement": "required"
+		},
+		"name": {
+			"description": "The name of the configuration or signal being assessed. For example: <code>Kernel Mode Code Integrity (KMCI)</code> or <code>publicAccessibilityState</code>.",
+			"requirement": "recommended"
+		},
+		"policy": {
+			"caption": "Assessment Policy",
+			"description": "The details of any policy associated with an assessment.",
+			"requirement": "optional"
+		},
+		"uid": {
+			"description": "The unique identifier of the configuration or signal being assessed. For example: the <code>signal_id</code>.",
+			"requirement": "optional"
+		}
+	}
+}

objects/compliance.json

@@ -4,6 +4,11 @@
   "extends": "object",
   "name": "compliance",
   "attributes": {
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the compliance requirements evaluation",
+      "requirement": "optional"
+    },
     "compliance_references": {
       "requirement": "optional"
     },