diff --git a/categories.json b/categories.json
index 6b2299964..45803894a 100644
--- a/categories.json
+++ b/categories.json
@@ -1,47 +1,47 @@
{
"caption": "Categories",
- "name": "category",
"description": "The OCSF categories organize event classes, each aligned with a specific domain or area of focus.",
+ "name": "category",
"attributes": {
- "system": {
- "caption": "System Activity",
- "description": "System Activity events.",
- "uid": 1
+ "application": {
+ "uid": 6,
+ "caption": "Application Activity",
+ "description": "Application Activity events report detailed information about the behavior of applications and services."
+ },
+ "discovery": {
+ "uid": 5,
+ "caption": "Discovery",
+ "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects."
},
"findings": {
+ "uid": 2,
"caption": "Findings",
- "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.",
- "uid": 2
+ "description": "Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products."
},
"iam": {
+ "uid": 3,
"caption": "Identity & Access Management",
- "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.",
- "uid": 3
+ "description": "Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc."
},
"network": {
+ "uid": 4,
"caption": "Network Activity",
- "description": "Network Activity events.",
- "uid": 4
- },
- "discovery": {
- "caption": "Discovery",
- "description": "Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.",
- "uid": 5
- },
- "application": {
- "caption": "Application Activity",
- "description": "Application Activity events report detailed information about the behavior of applications and services.",
- "uid": 6
+ "description": "Network Activity events."
},
"remediation": {
+ "uid": 7,
"caption": "Remediation",
- "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects.",
- "uid": 7
+ "description": "Remediation events report the results of remediation commands targeting files, processes, and other objects."
+ },
+ "system": {
+ "uid": 1,
+ "caption": "System Activity",
+ "description": "System Activity events."
},
"unmanned_systems": {
+ "uid": 8,
"caption": "Unmanned Systems",
- "description": "Unmanned Systems events report the activity, existence, and/or state of unmanned systems for tracking, mission planning, and other related activities.",
- "uid": 8
+ "description": "Unmanned Systems events report the activity, existence, and/or state of unmanned systems for tracking, mission planning, and other related activities."
}
}
-}
+}
\ No newline at end of file
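Review bot: The new side of this hunk drops the file's terminating newline — `-}` becomes `+}` followed by `\ No newline at end of file` — which is a regression for a file under version control: POSIX text tools and most linters expect a final newline, and the next edit to this file will show a spurious change on the closing brace. The same end-of-file change appears in the events/application/api_activity.json and events/application/application_error.json hunks below. The key reordering itself is fine; only the serializer's end-of-file handling needs adjusting so the closing `}` is followed by a newline.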
diff --git a/dictionary.json b/dictionary.json
index 10928278c..3f062fffb 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -810,25 +810,25 @@
"cc": {
"caption": "Cc",
"description": "The machine-readable email header Cc values, as defined by RFC 5322. For example example.user@usersdomain.com
.",
+ "type": "email_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322"
}
],
- "type": "email_t",
"is_array": true
},
"cc_mailboxes": {
"caption": "Cc Mailboxes",
"description": "The human-readable email header Cc Mailbox values. For example 'Example User <example.user@usersdomain.com>'
.",
+ "type": "string_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322#section-3.4",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322#section-3.4"
}
],
- "type": "string_t",
"is_array": true
},
"cell_name": {
@@ -1035,15 +1035,15 @@
},
"community_uid": {
"caption": "Community ID",
+ "description": "The Community ID of the network connection.",
"source": "community_id",
+ "type": "string_t",
"references": [
{
- "url": "https://github.com/corelight/community-id-spec",
- "description": "Community ID definition."
+ "description": "Community ID definition.",
+ "url": "https://github.com/corelight/community-id-spec"
}
- ],
- "description": "The Community ID of the network connection.",
- "type": "string_t"
+ ]
},
"company_name": {
"caption": "Company Name",
@@ -1227,13 +1227,18 @@
"country": {
"observable": 14,
"caption": "Country",
+ "description": "The ISO 3166-1 Alpha-2 country code.
Note: The two letter country code should be capitalized. For example: US
or CA
.
Note: The two letter country code should be capitalized. For example: US
or CA
.
cpe:/a:apple:safari:16.2
.",
"type": "string_t"
},
"cpu_architecture": {
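Review bot: As rendered, the added `description` for `country` repeats the capitalization note twice and trails off into `cpe:/a:apple:safari:16.2`, which is the example text from the `cpe_name` description deleted in the next hunk. The hunk header counts five added lines but only one `+` line is visible, so this is most likely the `cpe_name` block being moved up for alphabetical order and losing its markers in rendering; if the committed text really reads like this, the description should be cut back to `The ISO 3166-1 Alpha-2 country code. Note: The two letter country code should be capitalized. For example: US or CA.` and `cpe_name` restored as its own attribute after `country`. Either way, confirm in the raw commit that `cpe_name` still exists in the new file, since the only change to it that is visible here is a deletion.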
@@ -1269,11 +1274,6 @@
}
}
},
- "cpe_name": {
- "caption": "The product CPE identifier",
- "description": "The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2
.",
- "type": "string_t"
- },
"cpu_bits": {
"caption": "CPU Bits",
"description": "The cpu architecture, the number of bits used for addressing in memory. For example: 32
or 64
.",
@@ -1459,17 +1459,17 @@
"description": "The DCE/RPC object describes the remote procedure call system for distributed computing environments.",
"type": "dce_rpc"
},
- "decision": {
- "caption": "Authorization Decision/Outcome",
- "description": "Decision/outcome of the authorization mechanism (e.g. Approved, Denied)",
- "type": "string_t"
- },
"debug": {
"caption": "Debug Information",
"description": "Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.",
"type": "string_t",
"is_array": true
},
+ "decision": {
+ "caption": "Authorization Decision/Outcome",
+ "description": "Decision/outcome of the authorization mechanism (e.g. Approved, Denied)",
+ "type": "string_t"
+ },
"delay": {
"caption": "Root Delay",
"description": "The total round-trip delay to the reference clock in milliseconds.",
@@ -1492,20 +1492,15 @@
"delivered_to_list": {
"caption": "Delivered To",
"description": "The machine-readable Delivered-To email header values. For example example.user@usersdomain.com
",
+ "type": "email_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc9228",
- "description": "RFC 9228"
+ "description": "RFC 9228",
+ "url": "https://www.rfc-editor.org/rfc/rfc9228"
}
],
- "type": "email_t",
"is_array": true
},
- "related_component": {
- "caption": "Related Component",
- "description": "The package URL (PURL) of the component that this software component has a relationship with.",
- "type": "string_t"
- },
"depth": {
"caption": "CVSS Depth",
"description": "The CVSS depth represents a depth of the equation used to calculate CVSS score.",
@@ -2302,13 +2297,13 @@
"flag_history": {
"caption": "Connection Flag History",
"description": "The Connection Flag History summarizes events in a network connection. For example flags ShAD
representing SYN, SYN/ACK, ACK and Data exchange.",
+ "type": "string_t",
"references": [
{
"description": "Zeek History",
"url": "https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html#detailed-interface:~:text=Records%20the%20state%20history%20of%20connections%20as%20a%20string%20of%20letters.%20The%20meaning%20of%20those%20letters%20is"
}
- ],
- "type": "string_t"
+ ]
},
"flag_ids": {
"caption": "Communication Flag IDs",
@@ -2346,24 +2341,24 @@
"from": {
"caption": "From",
"description": "The machine-readable email header From values, as defined by RFC 5322. For example example.user@usersdomain.com
",
+ "type": "email_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322"
}
- ],
- "type": "email_t"
+ ]
},
"from_mailbox": {
"caption": "From Mailbox",
"description": "The human-readable email header From Mailbox value. For example 'Example User <example.user@usersdomain.com>'
.",
+ "type": "string_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322#section-3.4",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322#section-3.4"
}
- ],
- "type": "string_t"
+ ]
},
"full_name": {
"caption": "Full Name",
@@ -2548,8 +2543,8 @@
"imei_list": {
"caption": "IMEI List",
"description": "The International Mobile Equipment Identity values that are associated with the device.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"impact": {
"caption": "Impact",
@@ -2560,18 +2555,8 @@
"caption": "Impact ID",
"description": "The normalized impact of the incident or finding. Per NIST, this is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure, modification, destruction, or loss of information or information system availability.",
"sibling": "impact",
- "type": "integer_t",
"source": "impact value; impact level",
- "references": [
- {
- "description": "NIST SP 800-172 from FIPS 199",
- "url": "https://doi.org/10.6028/NIST.FIPS.199"
- },
- {
- "description": "NIST Computer Security Resource Center",
- "url": "https://doi.org/10.6028/NIST.FIPS.199"
- }
- ],
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -2597,7 +2582,17 @@
"caption": "Other",
"description": "The impact is not mapped. See the impact
attribute, which contains a data source specific value."
}
- }
+ },
+ "references": [
+ {
+ "description": "NIST SP 800-172 from FIPS 199",
+ "url": "https://doi.org/10.6028/NIST.FIPS.199"
+ },
+ {
+ "description": "NIST Computer Security Resource Center",
+ "url": "https://doi.org/10.6028/NIST.FIPS.199"
+ }
+ ]
},
"impact_score": {
"caption": "Impact Score",
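Review bot: The two `references` entries re-added on the new side of this hunk point at the same URL, `https://doi.org/10.6028/NIST.FIPS.199`, under different descriptions, so the second one, `NIST Computer Security Resource Center`, does not describe what it links to. Either drop the duplicate entry or change its `url` to the CSRC resource its description names. This hunk only moves the block after `enum`, so the duplication is pre-existing, but it is now part of the new side under review. The enclosing `impact_id` object starts in the previous hunk.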
@@ -3112,8 +3107,8 @@
"locations": {
"caption": "Geo Locations",
"description": "A list of detailed geographical locations.",
- "is_array": true,
- "type": "location"
+ "type": "location",
+ "is_array": true
},
"log_level": {
"caption": "Log Level",
@@ -3175,6 +3170,11 @@
"type": "logger",
"is_array": true
},
+ "login_endpoint": {
+ "caption": "Login Endpoint",
+ "description": "URL for initiating a login request. See specific usage.",
+ "type": "url_t"
+ },
"logon_process": {
"caption": "Logon Process",
"description": "The trusted process that validated the authentication credentials.",
@@ -3249,11 +3249,6 @@
}
}
},
- "login_endpoint": {
- "caption": "Login Endpoint",
- "description": "URL for initiating a login request. See specific usage.",
- "type": "url_t"
- },
"logout_endpoint": {
"caption": "Logout Endpoint",
"description": "URL for initiating a logout request. See specific usage.",
@@ -3299,25 +3294,25 @@
"message_trace_uid": {
"caption": "Message Trace UID",
"description": "The identifier that tracks a message that travels through multiple points of a messaging service.",
+ "type": "string_t",
"references": [
{
- "url": "https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984335(v=office.15)",
- "description": "For example Office 365 Message Trace Report."
+ "description": "For example Office 365 Message Trace Report.",
+ "url": "https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984335(v=office.15)"
}
- ],
- "type": "string_t"
+ ]
},
"message_uid": {
"caption": "Message UID",
"description": "The email header Message-ID value, as defined by RFC 5322.",
+ "source": "Message-ID",
+ "type": "string_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322"
}
- ],
- "source": "Message-ID",
- "type": "string_t"
+ ]
},
"metadata": {
"caption": "Metadata",
@@ -3466,13 +3461,13 @@
"observables": {
"caption": "Observables",
"description": "The observables associated with the event or a finding.",
+ "type": "observable",
"references": [
{
- "url": "https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining and Using Observables.md",
- "description": "OCSF Observables FAQ"
+ "description": "OCSF Observables FAQ",
+ "url": "https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining and Using Observables.md"
}
],
- "type": "observable",
"is_array": true
},
"occurrence_details": {
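Review bot: The `url` rewritten on the new side of this hunk contains literal spaces (`.../Articles/Defining and Using Observables.md`), which is not a valid URI and will be rejected or mangled by consumers that validate or fetch reference links. Percent-encode the path segment: `"url": "https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining%20and%20Using%20Observables.md"`. Nothing else in the reorder needs changing.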
@@ -3572,17 +3567,17 @@
"description": "The endpoint operating system.",
"type": "os"
},
+ "os_machine_uuid": {
+ "caption": "OS Machine UUID",
+ "description": "The operating system assigned Machine ID. In Windows, this is the value stored at the registry path: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid
. In Linux, this is stored in the file: /etc/machine-id
.",
+ "type": "uuid_t"
+ },
"osint": {
"caption": "OSINT",
"description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
"type": "osint",
"is_array": true
},
- "os_machine_uuid": {
- "caption": "OS Machine UUID",
- "description": "The operating system assigned Machine ID. In Windows, this is the value stored at the registry path: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid
. In Linux, this is stored in the file: /etc/machine-id
.",
- "type": "uuid_t"
- },
"ou_name": {
"caption": "Org Unit Name",
"description": "The name of the organizational unit, within an organization. For example, Finance, IT, R&D",
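Review bot: `os_machine_uuid` is typed `uuid_t`, but the two sources its description names have different shapes: the Windows `MachineGuid` value is a hyphenated UUID, while Linux `/etc/machine-id` holds 32 hex digits with no hyphens. If `uuid_t` is validated against the canonical hyphenated pattern (check the type definition in this file), Linux values will fail validation unless producers reformat them, so the description should state the expected normalization, e.g. append `Values taken from /etc/machine-id must be formatted as a hyphenated UUID.`, or the attribute should be typed `string_t`. The block is only moved by this hunk, so this applies to the new side as it stands.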
@@ -3605,14 +3600,14 @@
},
"package": {
"caption": "Software Package",
+ "description": "The Software Package object describes details about a software package.",
+ "type": "package",
"references": [
{
- "url": "https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/",
- "description": "D3FEND™ Ontology d3f:SoftwarePackage."
+ "description": "D3FEND™ Ontology d3f:SoftwarePackage.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:SoftwarePackage/"
}
- ],
- "description": "The Software Package object describes details about a software package.",
- "type": "package"
+ ]
},
"package_manager": {
"caption": "Package Manager",
@@ -3936,13 +3931,13 @@
"protocol_num": {
"caption": "Protocol Number",
"description": "The IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). For example: 6
for TCP and 17
for UDP.",
+ "type": "integer_t",
"references": [
{
- "url": "https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml",
- "description": "IANA Protocol Numbers"
+ "description": "IANA Protocol Numbers",
+ "url": "https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"
}
- ],
- "type": "integer_t"
+ ]
},
"protocol_ver": {
"caption": "Protocol Version",
@@ -4158,6 +4153,11 @@
"type": "analytic",
"is_array": true
},
+ "related_component": {
+ "caption": "Related Component",
+ "description": "The package URL (PURL) of the component that this software component has a relationship with.",
+ "type": "string_t"
+ },
"related_cves": {
"caption": "Related CVEs",
"description": "Describes Common Vulnerabilities and Exposures (CVE) entries that are related to an entity. See specific usage.",
@@ -4235,28 +4235,28 @@
"reply_to": {
"caption": "Reply To",
"description": "The machine-readable email header Reply-To values, as defined by RFC 5322. For example example.user@usersdomain.com
",
- "references": [
- {
- "url": "https://www.rfc-editor.org/rfc/rfc5322",
- "description": "RFC 5322"
- }
- ],
"type": "email_t",
"@deprecated": {
"message": "Use the reply_to_mailboxes
attribute instead.",
"since": "1.4.0"
- }
+ },
+ "references": [
+ {
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322"
+ }
+ ]
},
"reply_to_mailboxes": {
"caption": "Reply To Mailboxes",
"description": "The human-readable email header Reply To Mailbox values. For example 'Example User <example.user@usersdomain.com>'
.",
+ "type": "string_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322#section-3.4",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322#section-3.4"
}
],
- "type": "string_t",
"is_array": true
},
"reputation": {
@@ -4447,12 +4447,6 @@
"description": "The Software Bill of Materials (SBOM) object describes the characteristics of a generated SBOM for a software package.",
"type": "sbom"
},
- "software_components": {
- "caption": "Software Components",
- "description": "The list of software components used in the software package.",
- "type": "software_component",
- "is_array": true
- },
"scale_factor": {
"caption": "Scale Factor",
"description": "The numeric scale factor of display.",
@@ -4468,49 +4462,49 @@
"description": "The unique identifier of the schedule associated with a scan job.",
"type": "string_t"
},
+ "scheme": {
+ "caption": "Scheme",
+ "description": "The scheme portion of the URL. For example: http
, https
, ftp
, or sftp
.",
+ "type": "string_t"
+ },
"scim": {
"caption": "SCIM",
"description": "The System for Cross-domain Identity Management (SCIM) resource object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in RFC-7634",
+ "type": "scim",
"references": [
{
- "url": "https://datatracker.ietf.org/doc/html/rfc7643",
- "description": "System for Cross-domain Identity Management (SCIM) RFC."
+ "description": "System for Cross-domain Identity Management (SCIM) RFC.",
+ "url": "https://datatracker.ietf.org/doc/html/rfc7643"
}
- ],
- "type": "scim"
+ ]
},
"scim_group_schema": {
"caption": "SCIM Group Schema",
"description": "SCIM provides a schema for representing groups, identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:Group
as defined in RFC-7634. This attribute will capture key-value pairs for the scheme implemented in a SCIM resource.",
+ "type": "json_t",
"references": [
{
- "url": "https://datatracker.ietf.org/doc/html/rfc7643",
- "description": "System for Cross-domain Identity Management (SCIM) RFC spec."
+ "description": "System for Cross-domain Identity Management (SCIM) RFC spec.",
+ "url": "https://datatracker.ietf.org/doc/html/rfc7643"
}
- ],
- "type": "json_t"
+ ]
},
"scim_user_schema": {
"caption": "SCIM User Schema",
"description": "SCIM provides a resource type for user resources. The core schema for user is identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:User
as defined in RFC-7634. his attribute will capture key-value pairs for the scheme implemented in a SCIM resource. This object is inclusive of both the basic and Enterprise User Schema Extension.",
+ "type": "json_t",
"references": [
{
- "url": "https://datatracker.ietf.org/doc/html/rfc7643",
- "description": "System for Cross-domain Identity Management (SCIM) RFC spec."
+ "description": "System for Cross-domain Identity Management (SCIM) RFC spec.",
+ "url": "https://datatracker.ietf.org/doc/html/rfc7643"
}
- ],
- "type": "json_t"
- },
- "scheme": {
- "caption": "Scheme",
- "description": "The scheme portion of the URL. For example: http
, https
, ftp
, or sftp
.",
- "type": "string_t"
+ ]
},
"scopes": {
"caption": "Scopes",
"description": "Scopes define the specific permissions or actions that the client is allowed to perform on behalf of the user. Each scope represents a different set of permissions, and the user can selectively grant or deny access to specific scopes during the authorization process.",
- "is_array": true,
- "type": "string_t"
+ "type": "string_t",
+ "is_array": true
},
"score": {
"caption": "Reputation Score",
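Review bot: The `scim`, `scim_group_schema` and `scim_user_schema` descriptions in this hunk say SCIM is defined in `RFC-7634`, while the `references` `url` rewritten directly below each of them points at rfc7643; RFC 7643 is the SCIM core schema and RFC 7634 is an unrelated document, so the three descriptions should read `RFC 7643` to match the reference they cite. The `scim_user_schema` description also has a typo, `his attribute will capture` → `This attribute will capture`. The reorder itself is fine.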
@@ -4670,10 +4664,10 @@
"type": "integer_t"
},
"serial_number": {
+ "observable": 37,
"caption": "Serial Number",
"description": "The serial number that pertains to the object. See specific usage.",
- "type": "string_t",
- "observable": 37
+ "type": "string_t"
},
"server_ciphers": {
"caption": "Server Cipher Suites",
@@ -4819,17 +4813,23 @@
"caption": "SMTP To",
"description": "The value of the SMTP envelope RCPT TO command.",
"type": "email_t",
- "is_array": true,
"@deprecated": {
"message": "Use the to
attribute instead.",
"since": "1.4.0"
- }
+ },
+ "is_array": true
},
"sni": {
"caption": "Server Name Indication",
"description": " The Server Name Indication (SNI) extension sent by the client.",
"type": "string_t"
},
+ "software_components": {
+ "caption": "Software Components",
+ "description": "The list of software components used in the software package.",
+ "type": "software_component",
+ "is_array": true
+ },
"sp_name": {
"caption": "OS Service Pack",
"description": "The name of the latest Service Pack.",
@@ -5219,25 +5219,25 @@
"to": {
"caption": "To",
"description": "The machine-readable email header To values, as defined by RFC 5322. For example example.user@usersdomain.com
",
+ "type": "email_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322"
}
],
- "type": "email_t",
"is_array": true
},
"to_mailboxes": {
"caption": "To Mailboxes",
"description": "The human-readable email header To Mailbox values. For example 'Example User <example.user@usersdomain.com>'
.",
+ "type": "string_t",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322#section-3.4",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322#section-3.4"
}
],
- "type": "string_t",
"is_array": true
},
"total": {
@@ -5245,6 +5245,11 @@
"description": "The total number of items. See specific usage.",
"type": "integer_t"
},
+ "trace": {
+ "caption": "Trace",
+ "description": "The information about the trace. See specific usage.",
+ "type": "trace"
+ },
"track_direction": {
"caption": "Track Direction",
"description": "Direction of flight expressed as a “True North-based” ground track angle. This value is provided in clockwise degrees with a minimum resolution of 1 degree. If aircraft is not moving horizontally, use the “Unknown” value",
@@ -5265,11 +5270,6 @@
"description": "The event transmission time from one device to another. See specific usage.",
"type": "timestamp_t"
},
- "trace": {
- "caption": "Trace",
- "description": "The information about the trace. See specific usage.",
- "type": "trace"
- },
"tree_uid": {
"caption": "Tree UID",
"description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
@@ -5334,30 +5334,30 @@
"type": "string_t",
"is_array": true
},
+ "uid": {
+ "caption": "Unique ID",
+ "description": "The unique identifier. See specific usage.",
+ "type": "string_t"
+ },
+ "uid_alt": {
+ "caption": "Alternate ID",
+ "description": "The alternate unique identifier. See specific usage.",
+ "type": "string_t"
+ },
"unmanned_aerial_system": {
"caption": "Unmanned Aerial System",
"description": "The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a.",
"type": "unmanned_aerial_system"
},
- "unmanned_system_operator": {
- "caption": "Unmanned Systems Operator",
- "description": "The human or machine operator of an Unmanned System.",
- "type": "user"
- },
"unmanned_system_operating_area": {
"caption": "UAS Operating Area",
"description": "The UAS Operating Area object describes details about a precise area of operations for a UAS flight or mission.",
"type": "unmanned_system_operating_area"
},
- "uid": {
- "caption": "Unique ID",
- "description": "The unique identifier. See specific usage.",
- "type": "string_t"
- },
- "uid_alt": {
- "caption": "Alternate ID",
- "description": "The alternate unique identifier. See specific usage.",
- "type": "string_t"
+ "unmanned_system_operator": {
+ "caption": "Unmanned Systems Operator",
+ "description": "The human or machine operator of an Unmanned System.",
+ "type": "user"
},
"unmapped": {
"caption": "Unmapped Data",
diff --git a/events/application/api_activity.json b/events/application/api_activity.json
index 493c27e5e..ec1dbb427 100644
--- a/events/application/api_activity.json
+++ b/events/application/api_activity.json
@@ -1,69 +1,69 @@
{
- "uid": 3,
- "caption": "API Activity",
- "description": "API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)",
- "extends": "application",
- "name": "api_activity",
- "attributes": {
- "$include": [
- "profiles/trace.json"
- ],
- "activity_id": {
- "enum": {
- "1": {
- "caption": "Create",
- "description": "The API call in the event pertains to a 'create' activity."
- },
- "2": {
- "caption": "Read",
- "description": "The API call in the event pertains to a 'read' activity."
- },
- "3": {
- "caption": "Update",
- "description": "The API call in the event pertains to a 'update' activity."
- },
- "4": {
- "caption": "Delete",
- "description": "The API call in the event pertains to a 'delete' activity."
- }
- }
+ "uid": 3,
+ "caption": "API Activity",
+ "description": "API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)",
+ "extends": "application",
+ "name": "api_activity",
+ "attributes": {
+ "$include": [
+ "profiles/trace.json"
+ ],
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Create",
+ "description": "The API call in the event pertains to a 'create' activity."
},
- "actor": {
- "group": "primary",
- "requirement": "required",
- "profile": null
+ "2": {
+ "caption": "Read",
+ "description": "The API call in the event pertains to a 'read' activity."
},
- "api": {
- "group": "primary",
- "requirement": "required",
- "profile": null
+ "3": {
+ "caption": "Update",
+ "description": "The API call in the event pertains to a 'update' activity."
},
- "dst_endpoint": {
- "group": "primary",
- "requirement": "recommended"
- },
- "http_request": {
- "description": "Details about the underlying http request.",
- "group": "primary",
- "requirement": "recommended"
- },
- "http_response": {
- "description": "Details about the underlying http response.",
- "group": "primary",
- "requirement": "recommended"
- },
- "resources": {
- "description": "Details about resources that were affected by the activity/event.",
- "group": "primary",
- "requirement": "recommended"
- },
- "src_endpoint": {
- "description": "Details about the source of the activity.",
- "group": "primary",
- "requirement": "required"
+ "4": {
+ "caption": "Delete",
+ "description": "The API call in the event pertains to a 'delete' activity."
}
+ }
+ },
+ "actor": {
+ "group": "primary",
+ "requirement": "required",
+ "profile": null
+ },
+ "api": {
+ "group": "primary",
+ "requirement": "required",
+ "profile": null
+ },
+ "dst_endpoint": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "http_request": {
+ "description": "Details about the underlying http request.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "http_response": {
+ "description": "Details about the underlying http response.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "resources": {
+ "description": "Details about resources that were affected by the activity/event.",
+ "group": "primary",
+ "requirement": "recommended"
},
- "profiles": [
- "trace"
+ "src_endpoint": {
+ "description": "Details about the source of the activity.",
+ "group": "primary",
+ "requirement": "required"
+ }
+ },
+ "profiles": [
+ "trace"
]
-}
+}
\ No newline at end of file
diff --git a/events/application/application_error.json b/events/application/application_error.json
index 9e4af9da2..5c2fe51d6 100644
--- a/events/application/application_error.json
+++ b/events/application/application_error.json
@@ -21,4 +21,4 @@
"description": "The error message as reported by the application."
}
}
-}
+}
\ No newline at end of file
diff --git a/events/application/datastore_activity.json b/events/application/datastore_activity.json
index 922adb4e2..031a8c0be 100644
--- a/events/application/datastore_activity.json
+++ b/events/application/datastore_activity.json
@@ -1,130 +1,130 @@
{
- "uid": 5,
- "caption": "Datastore Activity",
- "description": "Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).",
- "extends": "application",
- "name": "datastore_activity",
- "attributes": {
- "activity_id": {
- "enum": {
- "1": {
- "caption": "Read",
- "description": "The 'Read' activity involves accessing specific data record details."
- },
- "2": {
- "caption": "Update",
- "description": "The 'Update' activity pertains to modifying specific data record details."
- },
- "3": {
- "caption": "Connect",
- "description": "The 'Connect' activity involves establishing a connection to the datastore."
- },
- "4": {
- "caption": "Query",
- "description": "The 'Query' activity involves retrieving a filtered subset of data based on specific criteria."
- },
- "5": {
- "caption": "Write",
- "description": "The 'Write' activity involves writing specific data record details."
- },
- "6": {
- "caption": "Create",
- "description": "The 'Create' activity involves generating new data record details."
- },
- "7": {
- "caption": "Delete",
- "description": "The 'Delete' activity involves removing specific data record details."
- },
- "8": {
- "caption": "List",
- "description": "The 'List' activity provides an overview of existing data records."
- },
- "9": {
- "caption": "Encrypt",
- "description": "The 'Encrypt' activity involves securing data by encrypting a specific data record."
- },
- "10": {
- "caption": "Decrypt",
- "description": "The 'Decrypt' activity involves converting encrypted data back to its original format."
- }
- }
+ "uid": 5,
+ "caption": "Datastore Activity",
+ "description": "Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).",
+ "extends": "application",
+ "name": "datastore_activity",
+ "attributes": {
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Read",
+ "description": "The 'Read' activity involves accessing specific data record details."
},
- "actor": {
- "group": "primary",
- "requirement": "required",
- "profile": null
+ "2": {
+ "caption": "Update",
+ "description": "The 'Update' activity pertains to modifying specific data record details."
},
- "database": {
- "group": "primary",
- "requirement": "recommended"
+ "3": {
+ "caption": "Connect",
+ "description": "The 'Connect' activity involves establishing a connection to the datastore."
},
- "databucket": {
- "group": "primary",
- "requirement": "recommended"
+ "4": {
+ "caption": "Query",
+ "description": "The 'Query' activity involves retrieving a filtered subset of data based on specific criteria."
},
- "dst_endpoint": {
- "description": "Details about the endpoint hosting the datastore application or service.",
- "group": "primary",
- "requirement": "recommended"
+ "5": {
+ "caption": "Write",
+ "description": "The 'Write' activity involves writing specific data record details."
},
- "http_request": {
- "description": "Details about the underlying http request.",
- "group": "primary",
- "requirement": "recommended"
+ "6": {
+ "caption": "Create",
+ "description": "The 'Create' activity involves generating new data record details."
},
- "http_response": {
- "description": "Details about the underlying http response.",
- "group": "primary",
- "requirement": "recommended"
+ "7": {
+ "caption": "Delete",
+ "description": "The 'Delete' activity involves removing specific data record details."
},
- "query_info": {
- "group": "primary",
- "requirement": "recommended"
+ "8": {
+ "caption": "List",
+ "description": "The 'List' activity provides an overview of existing data records."
},
- "src_endpoint": {
- "description": "Details about the source of the activity.",
- "group": "primary",
- "requirement": "required"
+ "9": {
+ "caption": "Encrypt",
+ "description": "The 'Encrypt' activity involves securing data by encrypting a specific data record."
},
- "table": {
- "group": "primary",
- "requirement": "recommended"
+ "10": {
+ "caption": "Decrypt",
+ "description": "The 'Decrypt' activity involves converting encrypted data back to its original format."
+ }
+ }
+ },
+ "actor": {
+ "group": "primary",
+ "requirement": "required",
+ "profile": null
+ },
+ "database": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "databucket": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "dst_endpoint": {
+ "description": "Details about the endpoint hosting the datastore application or service.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "http_request": {
+ "description": "Details about the underlying http request.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "http_response": {
+ "description": "Details about the underlying http response.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "query_info": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "src_endpoint": {
+ "description": "Details about the source of the activity.",
+ "group": "primary",
+ "requirement": "required"
+ },
+ "table": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "type": {
+ "caption": "Datastore Type",
+ "description": "The datastore resource type (e.g. database, datastore, or table).",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Datastore Type ID",
+ "description": "The normalized datastore resource type identifier.",
+ "requirement": "recommended",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The datastore resource type is unknown."
},
- "type": {
- "caption": "Datastore Type",
- "description": "The datastore resource type (e.g. database, datastore, or table).",
- "requirement": "optional"
+ "1": {
+ "caption": "Database"
},
- "type_id": {
- "caption": "Datastore Type ID",
- "description": "The normalized datastore resource type identifier.",
- "requirement": "recommended",
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The datastore resource type is unknown."
- },
- "1": {
- "caption": "Database"
- },
- "2": {
- "caption": "Databucket"
- },
- "3": {
- "caption": "Table"
- },
- "99": {
- "caption": "Other",
- "description": "The datastore resource type is not mapped."
- }
- }
+ "2": {
+ "caption": "Databucket"
+ },
+ "3": {
+ "caption": "Table"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The datastore resource type is not mapped."
}
- },
- "constraints": {
- "at_least_one": [
- "database",
- "databucket",
- "table"
- ]
+ }
}
+ },
+ "constraints": {
+ "at_least_one": [
+ "database",
+ "databucket",
+ "table"
+ ]
+ }
}
\ No newline at end of file
diff --git a/events/application/web_resources_activity.json b/events/application/web_resources_activity.json
index 3bb2ec3b4..1fd9dec23 100644
--- a/events/application/web_resources_activity.json
+++ b/events/application/web_resources_activity.json
@@ -1,84 +1,84 @@
{
- "uid": 1,
- "caption": "Web Resources Activity",
- "description": "Web Resources Activity events describe actions executed on a set of Web Resources.",
- "extends": "application",
- "name": "web_resources_activity",
- "attributes": {
- "$include": [
- "profiles/network_proxy.json"
- ],
- "activity_id": {
- "enum": {
- "1": {
- "caption": "Create",
- "description": "One or more web resources were created."
- },
- "2": {
- "caption": "Read",
- "description": "One or more web resources were read / viewed."
- },
- "3": {
- "caption": "Update",
- "description": "One or more web resources were updated."
- },
- "4": {
- "caption": "Delete",
- "description": "One or more web resources were deleted."
- },
- "5": {
- "caption": "Search",
- "description": "A search was performed on one or more web resources."
- },
- "6": {
- "caption": "Import",
- "description": "One or more web resources were imported into an Application."
- },
- "7": {
- "caption": "Export",
- "description": "One or more web resources were exported from an Application."
- },
- "8": {
- "caption": "Share",
- "description": "One or more web resources were shared."
- }
- }
+ "uid": 1,
+ "caption": "Web Resources Activity",
+ "description": "Web Resources Activity events describe actions executed on a set of Web Resources.",
+ "extends": "application",
+ "name": "web_resources_activity",
+ "attributes": {
+ "$include": [
+ "profiles/network_proxy.json"
+ ],
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Create",
+ "description": "One or more web resources were created."
},
- "dst_endpoint": {
- "description": "Details about server providing the web resources.",
- "group": "primary",
- "requirement": "recommended"
+ "2": {
+ "caption": "Read",
+ "description": "One or more web resources were read / viewed."
},
- "http_request": {
- "description": "Details about the underlying HTTP request.",
- "group": "context",
- "requirement": "recommended"
+ "3": {
+ "caption": "Update",
+ "description": "One or more web resources were updated."
},
- "http_response": {
- "description": "Details about the HTTP response, if available.",
- "group": "context",
- "requirement": "optional"
+ "4": {
+ "caption": "Delete",
+ "description": "One or more web resources were deleted."
},
- "src_endpoint": {
- "description": "Details about the endpoint from which the request originated.",
- "group": "primary",
- "requirement": "recommended"
+ "5": {
+ "caption": "Search",
+ "description": "A search was performed on one or more web resources."
},
- "tls": {
- "description": "The Transport Layer Security (TLS) attributes, if available.",
- "group": "context",
- "requirement": "optional"
+ "6": {
+ "caption": "Import",
+ "description": "One or more web resources were imported into an Application."
},
- "web_resources": {
- "group": "primary",
- "requirement": "required"
+ "7": {
+ "caption": "Export",
+ "description": "One or more web resources were exported from an Application."
},
- "web_resources_result": {
- "group": "primary",
- "requirement": "recommended"
+ "8": {
+ "caption": "Share",
+ "description": "One or more web resources were shared."
}
+ }
},
- "profiles": [
- "network_proxy"
- ]
+ "dst_endpoint": {
+ "description": "Details about server providing the web resources.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "http_request": {
+ "description": "Details about the underlying HTTP request.",
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "http_response": {
+ "description": "Details about the HTTP response, if available.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "src_endpoint": {
+ "description": "Details about the endpoint from which the request originated.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "tls": {
+ "description": "The Transport Layer Security (TLS) attributes, if available.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "web_resources": {
+ "group": "primary",
+ "requirement": "required"
+ },
+ "web_resources_result": {
+ "group": "primary",
+ "requirement": "recommended"
+ }
+ },
+ "profiles": [
+ "network_proxy"
+ ]
}
\ No newline at end of file
diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json
index 0b2c241e2..b399be30f 100644
--- a/events/discovery/cloud_resources_inventory_info.json
+++ b/events/discovery/cloud_resources_inventory_info.json
@@ -6,16 +6,16 @@
"name": "cloud_resources_inventory_info",
"attributes": {
"cloud": {
- "profile": null,
"description": "Cloud service provider or SaaS platform metadata about the cloud resource(s) that are being discovered by an inventory process.",
"group": "primary",
- "requirement": "recommended"
+ "requirement": "recommended",
+ "profile": null
},
"container": {
- "profile": null,
"description": "A cloud-based container image or running container discovered by an inventory process.",
"group": "primary",
- "requirement": "recommended"
+ "requirement": "recommended",
+ "profile": null
},
"database": {
"description": "A cloud-based database discovered by an inventory process.",
@@ -33,10 +33,10 @@
"requirement": "recommended"
},
"region": {
- "profile": null,
"description": "The cloud region where the resource is located, e.g., us-isof-south-1
, eastus2
, us-central1
, etc.",
"group": "context",
- "requirement": "recommended"
+ "requirement": "recommended",
+ "profile": null
},
"resources": {
"caption": "Cloud Resources",
diff --git a/events/discovery/device_config_state_change.json b/events/discovery/device_config_state_change.json
index 3710e2673..1a92aaf07 100644
--- a/events/discovery/device_config_state_change.json
+++ b/events/discovery/device_config_state_change.json
@@ -1,74 +1,74 @@
{
- "uid": 19,
- "caption": "Device Config State Change",
- "description": "Device Config State Change events report state changes that impact the security of the device.",
- "extends": "discovery",
- "name": "device_config_state_change",
- "attributes": {
- "actor": {
- "group": "context",
- "requirement": "optional",
- "profile": null
+ "uid": 19,
+ "caption": "Device Config State Change",
+ "description": "Device Config State Change events report state changes that impact the security of the device.",
+ "extends": "discovery",
+ "name": "device_config_state_change",
+ "attributes": {
+ "actor": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "device": {
+ "description": "The device that is impacted by the state change.",
+ "group": "primary",
+ "requirement": "required",
+ "profile": null
+ },
+ "prev_security_level": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "prev_security_level_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "prev_security_states": {
+ "description": "The previous security states of the device.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "security_level": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "security_level_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "security_states": {
+ "description": "The current security states of the device.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "state": {
+ "caption": "Config Change State",
+ "description": "The Config Change Stat, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.",
+ "requirement": "optional"
+ },
+ "state_id": {
+ "caption": "Config Change State ID",
+ "description": "The Config Change State of the managed entity.",
+ "requirement": "recommended",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The Config Change state is unknown."
},
- "device": {
- "description": "The device that is impacted by the state change.",
- "group": "primary",
- "requirement": "required",
- "profile": null
+ "1": {
+ "caption": "Disabled",
+ "description": "Config State Changed to Disabled."
},
- "prev_security_level": {
- "group": "primary",
- "requirement": "recommended"
+ "2": {
+ "caption": "Enabled",
+ "description": "Config State Changed to Enabled."
},
- "prev_security_level_id": {
- "group": "primary",
- "requirement": "recommended"
- },
- "prev_security_states": {
- "description": "The previous security states of the device.",
- "group": "primary",
- "requirement": "recommended"
- },
- "security_level": {
- "group": "primary",
- "requirement": "recommended"
- },
- "security_level_id": {
- "group": "primary",
- "requirement": "recommended"
- },
- "security_states": {
- "description": "The current security states of the device.",
- "group": "primary",
- "requirement": "recommended"
- },
- "state": {
- "caption": "Config Change State",
- "description": "The Config Change Stat, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the source.",
- "requirement": "optional"
- },
- "state_id": {
- "caption": "Config Change State ID",
- "description": "The Config Change State of the managed entity.",
- "requirement": "recommended",
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The Config Change state is unknown."
- },
- "1": {
- "caption": "Disabled",
- "description": "Config State Changed to Disabled."
- },
- "2": {
- "caption": "Enabled",
- "description": "Config State Changed to Enabled."
- },
- "99": {
- "caption": "Other",
- "description": "The Config Change is not mapped. See the state
attribute, which contains data source specific values."
- }
- }
+ "99": {
+ "caption": "Other",
+ "description": "The Config Change is not mapped. See the state
attribute, which contains data source specific values."
}
+ }
}
+ }
}
\ No newline at end of file
diff --git a/events/discovery/osint_inventory_info.json b/events/discovery/osint_inventory_info.json
index 98e70ff01..485b4d2f8 100644
--- a/events/discovery/osint_inventory_info.json
+++ b/events/discovery/osint_inventory_info.json
@@ -1,21 +1,21 @@
{
- "uid": 21,
- "caption": "OSINT Inventory Info",
- "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.",
- "extends": "discovery",
- "name": "osint_inventory_info",
- "attributes": {
- "actor": {
- "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.",
- "group": "context",
- "requirement": "optional",
- "profile": null
- },
- "osint": {
- "profile": null,
- "description": "The OSINT that is being discovered by an inventory process.",
- "group": "primary",
- "requirement": "required"
- }
+ "uid": 21,
+ "caption": "OSINT Inventory Info",
+ "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.",
+ "extends": "discovery",
+ "name": "osint_inventory_info",
+ "attributes": {
+ "actor": {
+ "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.",
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "osint": {
+ "description": "The OSINT that is being discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "required",
+ "profile": null
}
+ }
}
\ No newline at end of file
diff --git a/events/discovery/software_info.json b/events/discovery/software_info.json
index ea1e887ab..9d6a38fdc 100644
--- a/events/discovery/software_info.json
+++ b/events/discovery/software_info.json
@@ -25,15 +25,15 @@
"since": "1.4.0"
}
},
- "sbom": {
- "description": "The Software Bill of Materials (SBOM) of the device software that is being discovered by an inventory process.",
- "group": "primary",
- "requirement": "recommended"
- },
"product": {
"description": "Additional product attributes that have been discovered or enriched from a catalog or other external source.",
"group": "context",
"requirement": "optional"
+ },
+ "sbom": {
+ "description": "The Software Bill of Materials (SBOM) of the device software that is being discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "recommended"
}
}
}
\ No newline at end of file
diff --git a/events/discovery/startup_item_query.json b/events/discovery/startup_item_query.json
index 78e50ef43..99acb0f1c 100644
--- a/events/discovery/startup_item_query.json
+++ b/events/discovery/startup_item_query.json
@@ -1,9 +1,9 @@
{
+ "uid": 22,
"caption": "Startup Item Query",
"description": "Startup Item Query events report information about discovered items, e.g., application components that are generally configured to run automatically.",
"extends": "discovery_result",
"name": "startup_item_query",
- "uid": 22,
"attributes": {
"startup_item": {
"group": "primary",
diff --git a/events/discovery/user_inventory.json b/events/discovery/user_inventory.json
index ab2161e31..d172e855f 100644
--- a/events/discovery/user_inventory.json
+++ b/events/discovery/user_inventory.json
@@ -1,20 +1,20 @@
{
- "uid": 3,
- "caption": "User Inventory Info",
- "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.",
- "extends": "discovery",
- "name": "user_inventory",
- "attributes": {
- "actor": {
- "description": "The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.",
- "group": "context",
- "requirement": "optional",
- "profile": null
- },
- "user": {
- "description": "The user that is being discovered by an inventory process.",
- "group": "primary",
- "requirement": "required"
- }
+ "uid": 3,
+ "caption": "User Inventory Info",
+ "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.",
+ "extends": "discovery",
+ "name": "user_inventory",
+ "attributes": {
+ "actor": {
+ "description": "The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.",
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "user": {
+ "description": "The user that is being discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "required"
}
+ }
}
\ No newline at end of file
diff --git a/events/findings/compliance_finding.json b/events/findings/compliance_finding.json
index 0885817b6..312c5e7e1 100644
--- a/events/findings/compliance_finding.json
+++ b/events/findings/compliance_finding.json
@@ -10,8 +10,8 @@
"requirement": "required"
},
"evidences": {
- "group": "context",
"description": "Describes various evidence artifacts associated with the compliance finding.",
+ "group": "context",
"requirement": "optional"
},
"remediation": {
diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
index e230b7cba..e6368523d 100644
--- a/events/findings/data_security_finding.json
+++ b/events/findings/data_security_finding.json
@@ -1,147 +1,147 @@
{
- "uid": 6,
- "caption": "Data Security Finding",
- "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data. Note: if the event producer is a security control, the security_control
profile should be applied and its attacks
information, if present, should be duplicated into the finding_info
object. incident
profile or aggregate this finding into an Incident Finding
.",
- "extends": "finding",
- "name": "data_security_finding",
- "attributes": {
- "activity_id": {
- "description": "The normalized identifier of the Data Security Finding activity.",
- "requirement": "required",
- "enum": {
- "1": {
- "caption": "Create",
- "description": "A new Data Security finding is created."
- },
- "2": {
- "caption": "Update",
- "description": "An existing Data Security finding is updated with more information."
- },
- "3": {
- "caption": "Close",
- "description": "An existing Data Security finding is closed, this can be due to any resolution (e.g., True Positive, False Positive, etc.)."
- },
- "4": {
- "caption": "Suppressed",
- "description": "An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative.",
- "@deprecated": {
- "message": "Use status_id
attribute instead.",
- "since": "1.4.0"
- }
- }
- }
- },
- "activity_name": {
- "description": "The Data Security finding activity name, as defined by the activity_id
.",
- "requirement": "optional"
- },
- "actor": {
- "description": "Describes details about the actor implicated in the data security finding. Either an actor that owns a particular digital file or information store, or an actor which accessed classified or sensitive data.",
- "group": "context",
- "requirement": "recommended",
- "profile": null
- },
- "confidence": {
- "profile": null,
- "group": "context",
- "requirement": "optional"
- },
- "confidence_id": {
- "profile": null,
- "group": "context",
- "requirement": "recommended"
- },
- "confidence_score": {
- "profile": null,
- "group": "context",
- "requirement": "optional"
- },
- "data_security": {
- "group": "context",
- "requirement": "recommended"
- },
- "database": {
- "description": "Describes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data.",
- "group": "primary",
- "requirement": "recommended"
- },
- "databucket": {
- "description": "Describes the databucket where classified or sensitive data is stored in, or was accessed from. The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
- "group": "primary",
- "requirement": "recommended"
- },
- "device": {
- "description": "Describes the device where classified or sensitive data is stored in, or was accessed from.",
- "group": "context",
- "requirement": "recommended",
- "profile": null
- },
- "dst_endpoint": {
- "description": "Describes the endpoint where classified or sensitive data is stored in, or was accessed from.",
- "group": "context",
- "requirement": "recommended"
- },
- "file": {
- "description": "Describes a file that contains classified or sensitive data.",
- "group": "primary",
- "requirement": "recommended"
- },
- "impact": {
- "group": "context",
- "requirement": "optional",
- "profile": null
- },
- "impact_id": {
- "group": "context",
- "requirement": "optional",
- "profile": null
- },
- "impact_score": {
- "group": "context",
- "requirement": "optional",
- "profile": null
- },
- "is_alert": {
- "profile": null,
- "group": "primary",
- "description": "Indicates that the event is considered to be an alertable signal. For example, an activity_id
of 'Create' could constitute an alertable signal and the value would be true
, while 'Close' likely would not and either omit the attribute or set its value to false
. Note that other events with the security_control
profile may also be deemed alertable signals and may also carry is_alert = true
attributes.",
- "requirement": "recommended"
- },
- "resources": {
- "caption": "Additional Resources",
- "description": "Describes details about additional resources, where classified or sensitive data is stored in, or was accessed from. You can populate this object, if the specific resource type objects available in the class (database, databucket, table, file
) aren't sufficient; OR
You can also choose to duplicate uid, name
of the specific resources objects, for a consistent access to resource uids across all findings.",
- "group": "primary",
- "requirement": "recommended"
- },
- "risk_details": {
- "profile": null,
- "group": "context",
- "requirement": "optional"
- },
- "risk_level": {
- "profile": null,
- "group": "context",
- "requirement": "optional"
- },
- "risk_level_id": {
- "profile": null,
- "group": "context",
- "requirement": "optional"
- },
- "risk_score": {
- "profile": null,
- "group": "context",
- "requirement": "optional"
- },
- "src_endpoint": {
- "description": "Details about the source endpoint where classified or sensitive data was accessed from.",
- "group": "context",
- "requirement": "recommended"
- },
- "table": {
- "description": "Describes the table where classified or sensitive data is stored in, or was accessed from. The table object represents a table within a structured relational database, warehouse, lake, or similar.",
- "group": "primary",
- "requirement": "recommended"
+ "uid": 6,
+ "caption": "Data Security Finding",
+ "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data. Note: if the event producer is a security control, the security_control
profile should be applied and its attacks
information, if present, should be duplicated into the finding_info
object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident
profile or aggregate this finding into an Incident Finding
.",
+ "extends": "finding",
+ "name": "data_security_finding",
+ "attributes": {
+ "activity_id": {
+ "description": "The normalized identifier of the Data Security Finding activity.",
+ "requirement": "required",
+ "enum": {
+ "1": {
+ "caption": "Create",
+ "description": "A new Data Security finding is created."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "An existing Data Security finding is updated with more information."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "An existing Data Security finding is closed, this can be due to any resolution (e.g., True Positive, False Positive, etc.)."
+ },
+ "4": {
+ "caption": "Suppressed",
+ "description": "An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative.",
+ "@deprecated": {
+ "message": "Use status_id
attribute instead.",
+ "since": "1.4.0"
+ }
}
+ }
+ },
+ "activity_name": {
+ "description": "The Data Security finding activity name, as defined by the activity_id
.",
+ "requirement": "optional"
+ },
+ "actor": {
+ "description": "Describes details about the actor implicated in the data security finding. Either an actor that owns a particular digital file or information store, or an actor which accessed classified or sensitive data.",
+ "group": "context",
+ "requirement": "recommended",
+ "profile": null
+ },
+ "confidence": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "confidence_id": {
+ "group": "context",
+ "requirement": "recommended",
+ "profile": null
+ },
+ "confidence_score": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "data_security": {
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "database": {
+ "description": "Describes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "databucket": {
+ "description": "Describes the databucket where classified or sensitive data is stored in, or was accessed from. The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "device": {
+ "description": "Describes the device where classified or sensitive data is stored in, or was accessed from.",
+ "group": "context",
+ "requirement": "recommended",
+ "profile": null
+ },
+ "dst_endpoint": {
+ "description": "Describes the endpoint where classified or sensitive data is stored in, or was accessed from.",
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "file": {
+ "description": "Describes a file that contains classified or sensitive data.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "impact": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "impact_id": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "impact_score": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "is_alert": {
+ "description": "Indicates that the event is considered to be an alertable signal. For example, an activity_id
of 'Create' could constitute an alertable signal and the value would be true
, while 'Close' likely would not and either omit the attribute or set its value to false
. Note that other events with the security_control
profile may also be deemed alertable signals and may also carry is_alert = true
attributes.",
+ "group": "primary",
+ "requirement": "recommended",
+ "profile": null
+ },
+ "resources": {
+ "caption": "Additional Resources",
+ "description": "Describes details about additional resources, where classified or sensitive data is stored in, or was accessed from.
You can populate this object, if the specific resource type objects available in the class (database, databucket, table, file
) aren't sufficient; OR
You can also choose to duplicate uid, name
of the specific resources objects, for a consistent access to resource uids across all findings.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "risk_details": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "risk_level": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "risk_level_id": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "risk_score": {
+ "group": "context",
+ "requirement": "optional",
+ "profile": null
+ },
+ "src_endpoint": {
+ "description": "Details about the source endpoint where classified or sensitive data was accessed from.",
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "table": {
+ "description": "Describes the table where classified or sensitive data is stored in, or was accessed from. The table object represents a table within a structured relational database, warehouse, lake, or similar.",
+ "group": "primary",
+ "requirement": "recommended"
}
+ }
}
\ No newline at end of file
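Review bot: The one wording change in this hunk — the class `description` now ends with `Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.` and the `resources` description gains a break before `You can populate this object` — is buried under a whole-file reindent and a move of every `"profile": null` to the end of its attribute, so a reader cannot separate the semantic edit from churn (the old side of the description appears truncated in this view, so I can't tell exactly what was reworded). Land the reformat as its own commit, or at least state in the commit message that only the `description` strings changed, so the text edit stays reviewable and bisectable. Key order and indentation carry no meaning for JSON consumers, so the remaining ~280 changed lines are behaviorally inert. Unrelated to the reformat but on the new side: `actor` is described as either the owner of the data or the principal that accessed it, and nothing in the class says how a consumer tells the two apart; consider adding a clause stating which one is reported when both are known.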
diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
index c4a3a5e8b..e95a7aeea 100644
--- a/events/findings/detection_finding.json
+++ b/events/findings/detection_finding.json
@@ -6,23 +6,23 @@
"name": "detection_finding",
"attributes": {
"confidence": {
- "profile": null,
"group": "context",
- "requirement": "optional"
+ "requirement": "optional",
+ "profile": null
},
"confidence_id": {
- "profile": null,
"group": "context",
- "requirement": "recommended"
+ "requirement": "recommended",
+ "profile": null
},
"confidence_score": {
- "profile": null,
"group": "context",
- "requirement": "optional"
+ "requirement": "optional",
+ "profile": null
},
"evidences": {
- "group": "primary",
"description": "Describes various evidence artifacts associated to the activity/activities that triggered a security detection.",
+ "group": "primary",
"requirement": "recommended"
},
"impact": {
@@ -41,10 +41,10 @@
"profile": null
},
"is_alert": {
- "profile": null,
- "group": "primary",
"description": "Indicates that the event is considered to be an alertable signal. For example, an activity_id
of 'Create' could constitute an alertable signal and the value would be true
, while 'Close' likely would not and either omit the attribute or set its value to false
. Note that other events with the security_control
profile may also be deemed alertable signals and may also carry is_alert = true
attributes.",
- "requirement": "recommended"
+ "group": "primary",
+ "requirement": "recommended",
+ "profile": null
},
"remediation": {
"group": "context",
@@ -57,24 +57,24 @@
"requirement": "recommended"
},
"risk_details": {
- "profile": null,
"group": "context",
- "requirement": "optional"
+ "requirement": "optional",
+ "profile": null
},
"risk_level": {
- "profile": null,
"group": "context",
- "requirement": "optional"
+ "requirement": "optional",
+ "profile": null
},
"risk_level_id": {
- "profile": null,
"group": "context",
- "requirement": "optional"
+ "requirement": "optional",
+ "profile": null
},
"risk_score": {
- "profile": null,
"group": "context",
- "requirement": "optional"
+ "requirement": "optional",
+ "profile": null
},
"vulnerabilities": {
"description": "Describes vulnerabilities reported in a Detection Finding.",
diff --git a/events/findings/finding.json b/events/findings/finding.json
index 7c165a00c..f799af8c7 100644
--- a/events/findings/finding.json
+++ b/events/findings/finding.json
@@ -4,9 +4,6 @@
"description": "The Finding event is a generic event that defines a set of attributes available in the Findings category.",
"extends": "base_event",
"name": "finding",
- "profiles": [
- "incident"
- ],
"attributes": {
"$include": [
"profiles/incident.json"
@@ -105,5 +102,8 @@
"group": "context",
"requirement": "optional"
}
- }
+ },
+ "profiles": [
+ "incident"
+ ]
}
\ No newline at end of file
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index 2c8f0b5cc..2b8ee298f 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
@@ -5,9 +5,6 @@
"description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.
Note: Incident Finding
implicitly includes the incident
profile and it should be added to the metadata.profiles[]
array.",
"extends": "base_event",
"name": "incident_finding",
- "profiles": [
- "incident"
- ],
"attributes": {
"activity_id": {
"description": "The normalized identifier of the Incident activity.",
@@ -164,5 +161,8 @@
"assignee",
"assignee_group"
]
- }
+ },
+ "profiles": [
+ "incident"
+ ]
}
\ No newline at end of file
diff --git a/events/iam/account_change.json b/events/iam/account_change.json
index 733f6fbf4..edf5f8bfa 100644
--- a/events/iam/account_change.json
+++ b/events/iam/account_change.json
@@ -82,4 +82,4 @@
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
diff --git a/events/network/email_activity.json b/events/network/email_activity.json
index c7f29f1b2..5434ba4b2 100644
--- a/events/network/email_activity.json
+++ b/events/network/email_activity.json
@@ -22,7 +22,12 @@
"4": {
"caption": "Trace",
"description": "Follow an email message as it travels through an organization. The message_trace_uid
should be populated when selected.",
- "references": [{"url": "href='https://learn.microsoft.com/en-us/Exchange/monitoring/trace-an-email-message/message-trace-modern-eac", "description": "For example Office 365 Email Message Trace"}]
+ "references": [
+ {
+ "description": "For example Office 365 Email Message Trace",
+ "url": "href='https://learn.microsoft.com/en-us/Exchange/monitoring/trace-an-email-message/message-trace-modern-eac"
+ }
+ ]
}
}
},
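Review bot: The reformatted reference keeps a malformed `url` value on the new `"url"` line: the string begins with `href='`, a leftover HTML attribute fragment, so it is not a URL and any consumer that builds a link from it would emit `href='https://…` verbatim. The commit only re-indents the array; it should also strip the prefix: `"url": "https://learn.microsoft.com/en-us/Exchange/monitoring/trace-an-email-message/message-trace-modern-eac"`. It looks like a paste from rendered docs, so the other schema files are worth checking for the same `href='` pattern.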
@@ -36,9 +41,9 @@
"requirement": "optional"
},
"command": {
- "description": "The command issued by the initiator (client), such as SMTP HELO or EHLO.",
- "group": "primary",
- "requirement": "recommended"
+ "description": "The command issued by the initiator (client), such as SMTP HELO or EHLO.",
+ "group": "primary",
+ "requirement": "recommended"
},
"direction": {
"description": "The direction of the email, as defined by the direction_id
value.",
diff --git a/events/network/http_activity.json b/events/network/http_activity.json
index 865a1e773..90bd67251 100644
--- a/events/network/http_activity.json
+++ b/events/network/http_activity.json
@@ -75,4 +75,4 @@
"profiles": [
"trace"
]
-}
+}
\ No newline at end of file
diff --git a/events/remediation/file_remediation_activity.json b/events/remediation/file_remediation_activity.json
index 9b8d3ca17..eb18258b3 100644
--- a/events/remediation/file_remediation_activity.json
+++ b/events/remediation/file_remediation_activity.json
@@ -1,14 +1,14 @@
{
- "uid": 2,
- "caption": "File Remediation Activity",
- "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include File, such as File Removal or Restore File.",
- "extends": "remediation_activity",
- "name": "file_remediation_activity",
- "attributes": {
- "file": {
- "description": "The file that pertains to the remediation event.",
- "group": "primary",
- "requirement": "required"
- }
+ "uid": 2,
+ "caption": "File Remediation Activity",
+ "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include File, such as File Removal or Restore File.",
+ "extends": "remediation_activity",
+ "name": "file_remediation_activity",
+ "attributes": {
+ "file": {
+ "description": "The file that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required"
}
+ }
}
\ No newline at end of file
diff --git a/events/remediation/network_remediation_activity.json b/events/remediation/network_remediation_activity.json
index 70fac73a7..ebb41829d 100644
--- a/events/remediation/network_remediation_activity.json
+++ b/events/remediation/network_remediation_activity.json
@@ -1,14 +1,14 @@
{
- "uid": 4,
- "caption": "Network Remediation Activity",
- "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.",
- "extends": "remediation_activity",
- "name": "network_remediation_activity",
- "attributes": {
- "connection_info": {
- "description": "The network connection that pertains to the remediation event.",
- "group": "primary",
- "requirement": "required"
- }
+ "uid": 4,
+ "caption": "Network Remediation Activity",
+ "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.",
+ "extends": "remediation_activity",
+ "name": "network_remediation_activity",
+ "attributes": {
+ "connection_info": {
+ "description": "The network connection that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required"
}
+ }
}
\ No newline at end of file
diff --git a/events/remediation/process_remediation_activity.json b/events/remediation/process_remediation_activity.json
index 24930ca8b..dc9936b96 100644
--- a/events/remediation/process_remediation_activity.json
+++ b/events/remediation/process_remediation_activity.json
@@ -1,14 +1,14 @@
{
- "uid": 3,
- "caption": "Process Remediation Activity",
- "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.",
- "extends": "remediation_activity",
- "name": "process_remediation_activity",
- "attributes": {
- "process": {
- "description": "The process that pertains to the remediation event.",
- "group": "primary",
- "requirement": "required"
- }
+ "uid": 3,
+ "caption": "Process Remediation Activity",
+ "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.",
+ "extends": "remediation_activity",
+ "name": "process_remediation_activity",
+ "attributes": {
+ "process": {
+ "description": "The process that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required"
}
+ }
}
\ No newline at end of file
diff --git a/events/remediation/remediation_activity.json b/events/remediation/remediation_activity.json
index f53b48f2c..dd2929f35 100644
--- a/events/remediation/remediation_activity.json
+++ b/events/remediation/remediation_activity.json
@@ -1,69 +1,69 @@
{
- "uid": 1,
- "caption": "Remediation Activity",
- "category": "remediation",
- "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ Matrix.",
- "extends": "base_event",
- "name": "remediation_activity",
- "attributes": {
- "activity_id": {
- "description": "Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.",
- "enum": {
- "1": {
- "caption": "Isolate",
- "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate."
- },
- "2": {
- "caption": "Evict",
- "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict."
- },
- "3": {
- "caption": "Restore",
- "description": "Returns the system to a better state. Defined by D3FEND™ d3f:Restore."
- },
- "4": {
- "caption": "Harden",
- "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden."
- }
- }
+ "uid": 1,
+ "caption": "Remediation Activity",
+ "category": "remediation",
+ "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ Matrix.",
+ "extends": "base_event",
+ "name": "remediation_activity",
+ "attributes": {
+ "activity_id": {
+ "description": "Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.",
+ "enum": {
+ "1": {
+ "caption": "Isolate",
+ "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate."
},
- "command_uid": {
- "description": "The unique identifier of the remediation command that pertains to this event.",
- "group": "primary",
- "requirement": "required"
+ "2": {
+ "caption": "Evict",
+ "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict."
},
- "countermeasures": {
- "group": "primary",
- "requirement": "recommended"
+ "3": {
+ "caption": "Restore",
+ "description": "Returns the system to a better state. Defined by D3FEND™ d3f:Restore."
},
- "remediation": {
- "group": "context",
- "requirement": "optional"
+ "4": {
+ "caption": "Harden",
+ "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden."
+ }
+ }
+ },
+ "command_uid": {
+ "description": "The unique identifier of the remediation command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required"
+ },
+ "countermeasures": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "remediation": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "scan": {
+ "description": "The remediation scan that pertains to this event.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "status_id": {
+ "enum": {
+ "3": {
+ "caption": "Does Not Exist",
+ "description": "The target of the remediation does not exist."
+ },
+ "4": {
+ "caption": "Partial",
+ "description": "The remediation was partially completed."
},
- "scan": {
- "description": "The remediation scan that pertains to this event.",
- "group": "context",
- "requirement": "optional"
+ "5": {
+ "caption": "Unsupported",
+ "description": "The remediation was not supported."
},
- "status_id": {
- "enum": {
- "3": {
- "caption": "Does Not Exist",
- "description": "The target of the remediation does not exist."
- },
- "4": {
- "caption": "Partial",
- "description": "The remediation was partially completed."
- },
- "5": {
- "caption": "Unsupported",
- "description": "The remediation was not supported."
- },
- "6": {
- "caption": "Error",
- "description": "There was an error during the remediation process."
- }
- }
+ "6": {
+ "caption": "Error",
+ "description": "There was an error during the remediation process."
}
+ }
}
+ }
}
\ No newline at end of file
diff --git a/events/system/event_log.json b/events/system/event_log_activity.json
similarity index 99%
rename from events/system/event_log.json
rename to events/system/event_log_activity.json
index be867c8ad..2d4adbe65 100644
--- a/events/system/event_log.json
+++ b/events/system/event_log_activity.json
@@ -3,7 +3,7 @@
"caption": "Event Log Activity",
"description": "Event Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data.",
"extends": "system",
- "name": "event_log",
+ "name": "event_log_actvity",
"attributes": {
"activity_id": {
"enum": {
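Review bot: The new `name` value is misspelled: the file is renamed to `event_log_activity.json` and the neighbouring hunk sets `kernel_extension_activity`, but this line sets `"name": "event_log_actvity"` (missing `i`). If, as the `extends` fields in these files suggest, classes are referenced by `name`, the typo becomes the public class identifier; the line should read `"name": "event_log_activity",`. Any file that still refers to the old `event_log` name would also need updating, which this diff does not show.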
diff --git a/events/system/kernel_extension.json b/events/system/kernel_extension_activity.json
similarity index 95%
rename from events/system/kernel_extension.json
rename to events/system/kernel_extension_activity.json
index beb95ed52..ef279899a 100644
--- a/events/system/kernel_extension.json
+++ b/events/system/kernel_extension_activity.json
@@ -3,7 +3,7 @@
"caption": "Kernel Extension Activity",
"description": "Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel",
"extends": "system",
- "name": "kernel_extension",
+ "name": "kernel_extension_activity",
"attributes": {
"activity_id": {
"enum": {
diff --git a/events/unmanned_systems/airborne_broadcast_activity.json b/events/unmanned_systems/airborne_broadcast_activity.json
index aae562da3..9cd2cd341 100644
--- a/events/unmanned_systems/airborne_broadcast_activity.json
+++ b/events/unmanned_systems/airborne_broadcast_activity.json
@@ -1,80 +1,80 @@
{
- "caption": "Airborne Broadcast Activity",
- "description": "Airborne Broadcast Activity events report the activity of any aircraft or unmanned system as reported and tracked by Automatic Dependent Surveillance - Broadcast (ADS-B) receivers. Based on the ADS-B standards described in Code of Federal Regulations (CFR) Title 14 Chapter I Subchapter F Part 91 and in other general Federal Aviation Administration (FAA) supplemental orders and guidance described here.",
- "extends": "unmanned_systems",
- "name": "airborne_broadcast_activity",
- "uid": 2,
- "attributes": {
- "activity_id": {
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The event activity is unknown."
- },
- "1": {
- "caption": "Capture",
- "description": "ADS-B information is being captured (collected)."
- },
- "2": {
- "caption": "Record",
- "description": "ADS-B information is being recorded, for example by a standalone transceiver."
- },
- "99": {
- "caption": "Other",
- "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
- }
- },
- "requirement": "required",
- "group": "primary"
- },
- "aircraft": {
- "group": "primary",
- "requirement": "recommended"
- },
- "dst_endpoint": {
- "description": "The destination network endpoint for the ADS-B system, if telemetry is being remotely broadcasted.",
- "group": "context",
- "requirement": "optional"
- },
- "protocol_name": {
- "caption": "ADS-B Protocol",
- "description": "The specific protocol associated with the ADS-B system. E.g. ADS-B UAT
or ADS-B ES
.",
- "group": "primary",
- "requirement": "recommended"
- },
- "rssi": {
- "description": "Recent average RSSI (signal power) measured in dbFS. This value will always be negative, e.g., -87.13
.",
- "group": "context",
- "requirement": "optional"
- },
- "src_endpoint": {
- "description": "The source network endpoint for the ADS-B system.",
- "group": "context",
- "requirement": "optional"
- },
- "traffic": {
- "description": "Traffic refers to the amount of data transmitted from a ADS-B remote monitoring system at a given point of time. Ex: bytes_in
and bytes_out
.",
- "group": "context",
- "requirement": "optional"
- },
- "unmanned_aerial_system": {
- "group": "primary",
- "requirement": "required"
- },
- "unmanned_system_operator": {
- "requirement": "required",
- "group": "primary"
- },
- "unmanned_system_operating_area": {
- "requirement": "recommended",
- "group": "primary"
- }
- },
- "constraints": {
- "at_least_one": [
- "aircraft",
- "unmanned_aerial_system",
- "unmanned_system_operating_area"
- ]
- }
+ "uid": 2,
+ "caption": "Airborne Broadcast Activity",
+ "description": "Airborne Broadcast Activity events report the activity of any aircraft or unmanned system as reported and tracked by Automatic Dependent Surveillance - Broadcast (ADS-B) receivers. Based on the ADS-B standards described in Code of Federal Regulations (CFR) Title 14 Chapter I Subchapter F Part 91 and in other general Federal Aviation Administration (FAA) supplemental orders and guidance described here.",
+ "extends": "unmanned_systems",
+ "name": "airborne_broadcast_activity",
+ "attributes": {
+ "activity_id": {
+ "group": "primary",
+ "requirement": "required",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The event activity is unknown."
+ },
+ "1": {
+ "caption": "Capture",
+ "description": "ADS-B information is being captured (collected)."
+ },
+ "2": {
+ "caption": "Record",
+ "description": "ADS-B information is being recorded, for example by a standalone transceiver."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
+ }
+ }
+ },
+ "aircraft": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "dst_endpoint": {
+ "description": "The destination network endpoint for the ADS-B system, if telemetry is being remotely broadcasted.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "protocol_name": {
+ "caption": "ADS-B Protocol",
+ "description": "The specific protocol associated with the ADS-B system. E.g. ADS-B UAT
or ADS-B ES
.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "rssi": {
+ "description": "Recent average RSSI (signal power) measured in dbFS. This value will always be negative, e.g., -87.13
.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "src_endpoint": {
+ "description": "The source network endpoint for the ADS-B system.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "traffic": {
+ "description": "Traffic refers to the amount of data transmitted from a ADS-B remote monitoring system at a given point of time. Ex: bytes_in
and bytes_out
.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "unmanned_aerial_system": {
+ "group": "primary",
+ "requirement": "required"
+ },
+ "unmanned_system_operating_area": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "unmanned_system_operator": {
+ "group": "primary",
+ "requirement": "required"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "aircraft",
+ "unmanned_aerial_system",
+ "unmanned_system_operating_area"
+ ]
+ }
}
\ No newline at end of file
diff --git a/events/unmanned_systems/drone_flights_activity.json b/events/unmanned_systems/drone_flights_activity.json
index 6ba4e3ede..00ecb44cf 100644
--- a/events/unmanned_systems/drone_flights_activity.json
+++ b/events/unmanned_systems/drone_flights_activity.json
@@ -1,11 +1,13 @@
{
+ "uid": 1,
"caption": "Drone Flights Activity",
"description": "Drone Flights Activity events report the activity of Unmanned Aerial Systems (UAS), their Operators, and mission-planning and authorization metadata as reported by the UAS platforms themselves, by Counter-UAS (CUAS) systems, or other remote monitoring or sensing infrastructure. Based on the Remote ID defined in Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a",
"extends": "unmanned_systems",
"name": "drone_flights_activity",
- "uid": 1,
"attributes": {
"activity_id": {
+ "group": "primary",
+ "requirement": "required",
"enum": {
"0": {
"caption": "Unknown",
@@ -23,23 +25,21 @@
"caption": "Other",
"description": "The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value."
}
- },
- "requirement": "required",
- "group": "primary"
+ }
},
"auth_protocol": {
"caption": "Authentication Type",
"description": "The authentication type as defined by the caption of auth_protocol_id
. In the case of 'Other', it is defined by the event source.",
- "requirement": "optional",
- "group": "context"
+ "group": "context",
+ "requirement": "optional"
},
"auth_protocol_id": {
"caption": "Authentication Type ID",
"description": "The normalized identifier of the authentication type used to authorize a flight plan or mission.",
- "sibling": "auth_protocol",
"group": "context",
- "type": "integer_t",
"requirement": "optional",
+ "sibling": "auth_protocol",
+ "type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
@@ -78,8 +78,8 @@
"classification": {
"caption": "Classification Type",
"description": "UA Classification - Allows a region to classify UAS in a regional specific manner. The format may differ from region to region.",
- "requirement": "optional",
- "group": "context"
+ "group": "context",
+ "requirement": "optional"
},
"comment": {
"caption": "Operation Description",
@@ -144,13 +144,13 @@
"group": "primary",
"requirement": "required"
},
- "unmanned_system_operator": {
- "requirement": "required",
- "group": "primary"
- },
"unmanned_system_operating_area": {
- "requirement": "recommended",
- "group": "primary"
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "unmanned_system_operator": {
+ "group": "primary",
+ "requirement": "required"
}
},
"constraints": {
@@ -159,6 +159,6 @@
"unmanned_aerial_system",
"unmanned_system_operator",
"unmanned_system_operating_area"
- ]
- }
-}
+ ]
+ }
+}
\ No newline at end of file
diff --git a/extensions/linux/dictionary.json b/extensions/linux/dictionary.json
index 5dd2ffaa2..634c55d28 100644
--- a/extensions/linux/dictionary.json
+++ b/extensions/linux/dictionary.json
@@ -8,15 +8,15 @@
"description": "The audit user assigned at login by the audit subsystem.",
"type": "integer_t"
},
- "euid": {
- "caption": "Effective User ID",
- "description": "The effective user under which this process is running.",
- "type": "integer_t"
- },
"egid": {
"caption": "Effective Group ID",
"description": "The effective group under which this process is running.",
"type": "integer_t"
+ },
+ "euid": {
+ "caption": "Effective User ID",
+ "description": "The effective user under which this process is running.",
+ "type": "integer_t"
}
}
-}
+}
\ No newline at end of file
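Review bot: The rewritten closing brace drops the file's trailing newline (`\ No newline at end of file` now applies to the `+}` line, while the removed `-}` had one); the same loss first appears in account_change.json and recurs in http_activity.json, drone_flights_activity.json, extension.json, process.json, linux_users.json, the windows dictionary.json and the registry_key_activity, registry_key_query, registry_value_activity and registry_value_query files. Whatever tool re-serialised these files should be configured to emit a final LF, otherwise every future edit of the last line shows up as a two-line change and linters keep flagging it. The key reorder itself (`egid` before `euid`) is fine.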
diff --git a/extensions/linux/extension.json b/extensions/linux/extension.json
index 7cfba3f21..4ffb1292e 100644
--- a/extensions/linux/extension.json
+++ b/extensions/linux/extension.json
@@ -1,7 +1,7 @@
{
+ "uid": 1,
"caption": "Linux",
"description": "The Linux extension defines Linux specific attributes, objects and classes.",
"name": "linux",
- "uid": 1,
"version": "1.4.0-dev"
-}
+}
\ No newline at end of file
diff --git a/extensions/linux/objects/process.json b/extensions/linux/objects/process.json
index 52e408f2e..c8da9cf61 100644
--- a/extensions/linux/objects/process.json
+++ b/extensions/linux/objects/process.json
@@ -2,12 +2,12 @@
"caption": "Linux Process",
"description": "Extends the process object to add Linux specific fields",
"extends": "process",
- "profiles": [
- "linux/linux_users"
- ],
"attributes": {
"$include": [
"profiles/linux_users.json"
]
- }
-}
+ },
+ "profiles": [
+ "linux/linux_users"
+ ]
+}
\ No newline at end of file
diff --git a/extensions/linux/profiles/linux_users.json b/extensions/linux/profiles/linux_users.json
index 3b171a5cd..941ddbcb4 100644
--- a/extensions/linux/profiles/linux_users.json
+++ b/extensions/linux/profiles/linux_users.json
@@ -18,4 +18,4 @@
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/dictionary.json b/extensions/windows/dictionary.json
index cccb44c6a..55f3b119b 100644
--- a/extensions/windows/dictionary.json
+++ b/extensions/windows/dictionary.json
@@ -3,16 +3,26 @@
"description": "The Attribute Dictionary defines schema attributes and includes references to the events and objects in which they are used.",
"name": "dictionary",
"attributes": {
- "reg_key": {
- "caption": "Registry Key",
- "description": "The registry key.",
- "type": "reg_key"
+ "load_order_group": {
+ "caption": "Load Order Group",
+ "description": "The name of the load ordering group of which this service is a member.",
+ "type": "string_t"
},
"prev_reg_key": {
"caption": "Previous Registry Key",
"description": "The registry key before the mutation",
"type": "reg_key"
},
+ "prev_reg_value": {
+ "caption": "Previous Registry Value",
+ "description": "The registry value before the mutation",
+ "type": "reg_value"
+ },
+ "reg_key": {
+ "caption": "Registry Key",
+ "description": "The registry key.",
+ "type": "reg_key"
+ },
"reg_value": {
"caption": "Registry Value",
"description": "The registry value.",
@@ -23,21 +33,6 @@
"description": "The prefetch file run count.",
"type": "integer_t"
},
- "prev_reg_value": {
- "caption": "Previous Registry Value",
- "description": "The registry value before the mutation",
- "type": "reg_value"
- },
- "win_resource": {
- "caption": "Windows Resource",
- "description": "The Windows resource object that was accessed, such as a mutant or timer.",
- "type": "win_resource"
- },
- "load_order_group": {
- "caption": "Load Order Group",
- "description": "The name of the load ordering group of which this service is a member.",
- "type": "string_t"
- },
"service_category": {
"caption": "Service Category",
"description": "The service category, normalized to the caption of the service_category_id value. In the case of 'Other', it is defined by the event source.",
@@ -48,7 +43,7 @@
"description": "The normalized identifier of the service category.",
"sibling": "service_category",
"type": "integer_t",
- "enum":{
+ "enum": {
"0": {
"caption": "Unknown",
"description": "The service category is unknown."
@@ -83,7 +78,7 @@
"description": "The normalized identifier of the service error control.",
"sibling": "service_error_control",
"type": "integer_t",
- "enum":{
+ "enum": {
"0": {
"caption": "Unknown",
"description": "The service error control is unknown."
@@ -110,6 +105,11 @@
}
}
},
+ "service_start_name": {
+ "caption": "Service Start Name",
+ "description": "For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.",
+ "type": "string_t"
+ },
"service_start_type": {
"caption": "Service Start Type",
"description": "The service start type, normalized to the caption of the service_start_type_id
value. In the case of 'Other', it is defined by the event source.",
@@ -120,7 +120,7 @@
"description": "The normalized identifier of the service start type.",
"sibling": "service_start_type",
"type": "integer_t",
- "enum":{
+ "enum": {
"0": {
"caption": "Unknown",
"description": "The service start type is unknown."
@@ -151,11 +151,6 @@
}
}
},
- "service_start_name": {
- "caption": "Service Start Name",
- "description": "For a user mode service, this attribute represents the name of the account under which the service is run. For a kernel mode driver, this attribute represents the object name used to load the driver.",
- "type": "string_t"
- },
"service_type": {
"caption": "Service Type",
"description": "The service type, normalized to the caption of the service_type_id value. In the case of 'Other', it is defined by the event source.",
@@ -166,7 +161,7 @@
"description": "The normalized identifier of the service type.",
"sibling": "service_type",
"type": "integer_t",
- "enum":{
+ "enum": {
"0": {
"caption": "Unknown",
"description": "The service type is unknown."
@@ -193,10 +188,15 @@
}
}
},
+ "win_resource": {
+ "caption": "Windows Resource",
+ "description": "The Windows resource object that was accessed, such as a mutant or timer.",
+ "type": "win_resource"
+ },
"win_service": {
"caption": "Windows Service",
"description": "The Windows service.",
"type": "win_service"
}
}
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/events/prefetch_query.json b/extensions/windows/events/prefetch_query.json
index 28995e779..a01a2cf41 100644
--- a/extensions/windows/events/prefetch_query.json
+++ b/extensions/windows/events/prefetch_query.json
@@ -1,9 +1,9 @@
{
+ "uid": 19,
"caption": "Prefetch Query",
"description": "Prefetch Query events report information about Windows prefetch files.",
"extends": "discovery_result",
"name": "prefetch_query",
- "uid": 19,
"attributes": {
"last_run_time": {
"description": "The prefetch file last run time.",
diff --git a/extensions/windows/events/registry_key.json b/extensions/windows/events/registry_key_activity.json
similarity index 99%
rename from extensions/windows/events/registry_key.json
rename to extensions/windows/events/registry_key_activity.json
index 3cf9a5a6c..1a28b1e10 100644
--- a/extensions/windows/events/registry_key.json
+++ b/extensions/windows/events/registry_key_activity.json
@@ -1,9 +1,9 @@
{
+ "uid": 1,
"caption": "Registry Key Activity",
"description": "Registry Key Activity events report when a process performs an action on a Windows registry key.",
"extends": "system",
"name": "registry_key_activity",
- "uid": 1,
"attributes": {
"access_mask": {
"group": "primary",
@@ -53,13 +53,13 @@
"group": "primary",
"requirement": "recommended"
},
- "reg_key": {
- "group": "primary",
- "requirement": "required"
- },
"prev_reg_key": {
"group": "primary",
"requirement": "recommended"
+ },
+ "reg_key": {
+ "group": "primary",
+ "requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/events/registry_key_query.json b/extensions/windows/events/registry_key_query.json
index b73bcc1cc..e9473448a 100644
--- a/extensions/windows/events/registry_key_query.json
+++ b/extensions/windows/events/registry_key_query.json
@@ -1,9 +1,9 @@
{
+ "uid": 4,
"caption": "Registry Key Query",
"description": "Registry Key Query events report information about discovered Windows registry keys.",
"extends": "discovery_result",
"name": "registry_key_query",
- "uid": 4,
"attributes": {
"reg_key": {
"description": "The registry key that pertains to the event.",
@@ -11,4 +11,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/events/registry_value.json b/extensions/windows/events/registry_value_activity.json
similarity index 99%
rename from extensions/windows/events/registry_value.json
rename to extensions/windows/events/registry_value_activity.json
index a588fe345..08fd1b2af 100644
--- a/extensions/windows/events/registry_value.json
+++ b/extensions/windows/events/registry_value_activity.json
@@ -1,9 +1,9 @@
{
+ "uid": 2,
"caption": "Registry Value Activity",
"description": "Registry Value Activity events reports when a process performs an action on a Windows registry value.",
"extends": "system",
"name": "registry_value_activity",
- "uid": 2,
"attributes": {
"activity_id": {
"enum": {
@@ -26,11 +26,11 @@
"requirement": "required",
"profile": null
},
- "reg_value": {
- "requirement": "required"
- },
"prev_reg_value": {
"requirement": "optional"
+ },
+ "reg_value": {
+ "requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/events/registry_value_query.json b/extensions/windows/events/registry_value_query.json
index f194ed92b..b1d0d0c64 100644
--- a/extensions/windows/events/registry_value_query.json
+++ b/extensions/windows/events/registry_value_query.json
@@ -1,9 +1,9 @@
{
+ "uid": 5,
"caption": "Registry Value Query",
"description": "Registry Value Query events report information about discovered Windows registry values.",
"extends": "discovery_result",
"name": "registry_value_query",
- "uid": 5,
"attributes": {
"reg_value": {
"description": "The registry value that pertains to the event.",
@@ -11,4 +11,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/events/resource.json b/extensions/windows/events/windows_resource_activity.json
similarity index 91%
rename from extensions/windows/events/resource.json
rename to extensions/windows/events/windows_resource_activity.json
index 959d1369b..0a8149fe5 100644
--- a/extensions/windows/events/resource.json
+++ b/extensions/windows/events/windows_resource_activity.json
@@ -1,9 +1,9 @@
{
+ "uid": 3,
"caption": "Windows Resource Activity",
"description": "Windows Resource Activity events report when a process accesses a Windows managed resource object, successful or otherwise.",
"extends": "system",
- "name": "resource_activity",
- "uid": 3,
+ "name": "windows_resource_activity",
"attributes": {
"activity_id": {
"enum": {
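Review bot: The class `name` changes from `resource_activity` to `windows_resource_activity` (the removed line and its replacement just before `attributes`) while `uid` stays 3, so numeric class identifiers are unaffected but any consumer, test fixture, include or profile that matches on the old name string will see a different value, and the diff carries neither an alias nor a `@deprecated` entry for the old name (the `message` / `since` form analytic.json uses later in this diff would fit). The windows_service_activity section that follows makes the same change, `win_service_activity` to `windows_service_activity`. Unlike the registry_key and registry_value file renames in this diff, whose `name` values are unchanged, these two alter schema identity rather than just the path, so it is worth confirming no references to the old names remain elsewhere in the extension.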
diff --git a/extensions/windows/events/win_service.json b/extensions/windows/events/windows_service_activity.json
similarity index 98%
rename from extensions/windows/events/win_service.json
rename to extensions/windows/events/windows_service_activity.json
index 72e272fb3..372840c10 100644
--- a/extensions/windows/events/win_service.json
+++ b/extensions/windows/events/windows_service_activity.json
@@ -1,9 +1,9 @@
{
+ "uid": 4,
"caption": "Windows Service Activity",
"description": "Windows Service Activity events report when a process interacts with the Service Control Manager.",
"extends": "system",
- "name": "win_service_activity",
- "uid": 4,
+ "name": "windows_service_activity",
"attributes": {
"activity_id": {
"enum": {
@@ -41,4 +41,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/extension.json b/extensions/windows/extension.json
index c329f66f1..2c8e2b332 100644
--- a/extensions/windows/extension.json
+++ b/extensions/windows/extension.json
@@ -1,7 +1,7 @@
{
+ "uid": 2,
"caption": "Windows",
"description": "The Windows extension defines Windows specific attributes, objects and classes.",
"name": "win",
- "uid": 2,
"version": "1.4.0-dev"
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/objects/evidences.json b/extensions/windows/objects/evidences.json
index e8086b8e8..2c00c8570 100644
--- a/extensions/windows/objects/evidences.json
+++ b/extensions/windows/objects/evidences.json
@@ -40,4 +40,4 @@
"win_service"
]
}
-}
+}
\ No newline at end of file
diff --git a/extensions/windows/objects/registry_key.json b/extensions/windows/objects/registry_key.json
index 1f4b89244..cae01c0a5 100644
--- a/extensions/windows/objects/registry_key.json
+++ b/extensions/windows/objects/registry_key.json
@@ -1,10 +1,9 @@
{
- "caption": "Registry Key",
"observable": 28,
- "name": "reg_key",
+ "caption": "Registry Key",
"description": "The registry key object describes a Windows registry key.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryKey/", "description": "D3FEND™ Ontology d3f:WindowsRegistryKey."}],
"extends": "object",
+ "name": "reg_key",
"attributes": {
"is_system": {
"requirement": "optional"
@@ -23,5 +22,11 @@
"description": "The security descriptor of the registry key.",
"requirement": "optional"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:WindowsRegistryKey.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryKey/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/extensions/windows/objects/registry_value.json b/extensions/windows/objects/registry_value.json
index 50119354a..1d48aa48e 100644
--- a/extensions/windows/objects/registry_value.json
+++ b/extensions/windows/objects/registry_value.json
@@ -1,10 +1,9 @@
{
+ "observable": 29,
"caption": "Registry Value",
"description": "The registry value object describes a Windows registry value.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/", "description": "D3FEND™ Ontology d3f:WindowsRegistryValue."}],
"extends": "object",
"name": "reg_value",
- "observable": 29,
"attributes": {
"data": {
"description": "The data of the registry value.",
@@ -34,13 +33,11 @@
},
"type_id": {
"description": "The value type ID.",
+ "requirement": "recommended",
"enum": {
"1": {
"caption": "REG_BINARY"
},
- "10": {
- "caption": "REG_SZ"
- },
"2": {
"caption": "REG_DWORD"
},
@@ -64,9 +61,17 @@
},
"9": {
"caption": "REG_QWORD_LITTLE_ENDIAN"
+ },
+ "10": {
+ "caption": "REG_SZ"
}
- },
- "requirement": "recommended"
+ }
+ }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:WindowsRegistryValue.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryValue/"
}
- }
-}
+ ]
+}
\ No newline at end of file
diff --git a/extensions/windows/objects/win_resource.json b/extensions/windows/objects/win_resource.json
index 20d016fa1..bb9d9ddcb 100644
--- a/extensions/windows/objects/win_resource.json
+++ b/extensions/windows/objects/win_resource.json
@@ -1,16 +1,16 @@
{
- "description": "The Windows resource object describes a resource object managed by Windows, such as mutant or timer.",
"caption": "Windows Resource",
- "name": "win_resource",
+ "description": "The Windows resource object describes a resource object managed by Windows, such as mutant or timer.",
"extends": "_resource",
+ "name": "win_resource",
"attributes": {
- "name": {
- "description": "The name of the resource object."
- },
"details": {
"description": "The string detailing the attributes of the resource object.",
"requirement": "optional"
},
+ "name": {
+ "description": "The name of the resource object."
+ },
"svc_name": {
"description": "The Windows service acting as the object server for the resource object, such as Security or Security Account Manager.",
"requirement": "optional"
@@ -21,11 +21,10 @@
},
"type_id": {
"description": "The normalized type identifier of the Windows resource object accessed.",
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The resource object type is not mapped. See the type
attribute, which may contain a data source specific value."
- },
"0": {
"caption": "Unknown",
"description": "The resource object type is unknown."
@@ -140,11 +139,12 @@
},
"37": {
"caption": "SAM_SERVER"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The resource object type is not mapped. See the type
attribute, which may contain a data source specific value."
}
- },
- "sibling": "type",
- "requirement": "required",
- "type": "integer_t"
+ }
},
"uid": {
"description": "The Windows provided handle identifier for the resource object"
diff --git a/extensions/windows/objects/win_service.json b/extensions/windows/objects/win_service.json
index c66bf4ddd..59ff54678 100644
--- a/extensions/windows/objects/win_service.json
+++ b/extensions/windows/objects/win_service.json
@@ -4,16 +4,16 @@
"extends": "service",
"name": "win_service",
"attributes": {
- "name": {
- "description": "The unique name of the service.",
- "requirement": "required"
- },
"cmd_line": {
"description": "The full command line used to launch the service.",
"requirement": "recommended"
},
"load_order_group": {
- "requirement": "recommended"
+ "requirement": "recommended"
+ },
+ "name": {
+ "description": "The unique name of the service.",
+ "requirement": "required"
},
"service_category": {
"requirement": "optional"
@@ -48,14 +48,13 @@
},
"constraints": {
"at_least_one": [
- "cmd_line",
- "service_category_id",
- "service_dependencies",
- "service_error_control_id",
- "service_start_name",
- "service_start_type_id",
- "service_type_id"
+ "cmd_line",
+ "service_category_id",
+ "service_dependencies",
+ "service_error_control_id",
+ "service_start_name",
+ "service_start_type_id",
+ "service_type_id"
]
}
-}
-
+}
\ No newline at end of file
diff --git a/objects/_dns.json b/objects/_dns.json
index fd8a834ee..143ae39e6 100644
--- a/objects/_dns.json
+++ b/objects/_dns.json
@@ -1,12 +1,12 @@
{
"caption": "DNS",
- "name": "_dns",
"description": "The Domain Name System (DNS) object represents the shared information associated with the DNS query and answer objects.",
"extends": "object",
+ "name": "_dns",
"attributes": {
"class": {
- "description": "The class of resource records being queried. See RFC1035. For example: IN
.",
"caption": "Resource Record Class",
+ "description": "The class of resource records being queried. See RFC1035. For example: IN
.",
"requirement": "recommended"
},
"packet_uid": {
@@ -14,9 +14,9 @@
"requirement": "recommended"
},
"type": {
- "description": "The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.",
"caption": "Resource Record Type",
+ "description": "The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.",
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/_entity.json b/objects/_entity.json
index 23ab56f58..c87eac09f 100644
--- a/objects/_entity.json
+++ b/objects/_entity.json
@@ -1,8 +1,8 @@
{
"caption": "Entity",
- "name": "_entity",
"description": "The Entity object is an unordered collection of attributes, with a name and unique identifier. It serves as a base object that defines a set of attributes and default constraints available in all objects that extend it.",
"extends": "object",
+ "name": "_entity",
"attributes": {
"name": {
"description": "The name of the entity.",
@@ -19,4 +19,4 @@
"uid"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/account.json b/objects/account.json
index 8ae73c46f..a4020ad59 100644
--- a/objects/account.json
+++ b/objects/account.json
@@ -1,7 +1,6 @@
{
"caption": "Account",
"description": "The Account object contains details about the account that initiated or performed a specific activity within a system or application. Additionally, the Account object refers to logical Cloud and Software-as-a-Service (SaaS) based containers such as AWS Accounts, Azure Subscriptions, Oracle Cloud Compartments, Google Cloud Projects, and otherwise.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/", "description": "D3FEND™ Ontology d3f:UserAccount."}, {"url": "https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/", "description": "D3FEND™ Ontology d3f:CloudUserAccount."}],
"extends": "_entity",
"name": "account",
"attributes": {
@@ -10,8 +9,8 @@
"requirement": "optional"
},
"name": {
- "observable": 34,
- "description": "The name of the account (e.g. GCP Project name
, Linux Account name
or AWS Account name
)."
+ "description": "The name of the account (e.g. GCP Project name
, Linux Account name
or AWS Account name
).",
+ "observable": 34
},
"tags": {
"description": "The list of tags; {key:value}
pairs associated to the account.",
@@ -25,7 +24,6 @@
"type_id": {
"caption": "Type ID",
"description": "The normalized account type identifier.",
- "requirement": "recommended",
"enum": {
"0": {
"caption": "Unknown",
@@ -34,30 +32,6 @@
"1": {
"caption": "LDAP Account"
},
- "2": {
- "caption": "Windows Account"
- },
- "3": {
- "caption": "AWS IAM User"
- },
- "4": {
- "caption": "AWS IAM Role"
- },
- "5": {
- "caption": "GCP Account"
- },
- "6": {
- "caption": "Azure AD Account"
- },
- "7": {
- "caption": "Mac OS Account"
- },
- "8": {
- "caption": "Apple Account"
- },
- "9": {
- "caption": "Linux Account"
- },
"10": {
"caption": "AWS Account"
},
@@ -85,15 +59,50 @@
"18": {
"caption": "Email Account"
},
+ "2": {
+ "caption": "Windows Account"
+ },
+ "3": {
+ "caption": "AWS IAM User"
+ },
+ "4": {
+ "caption": "AWS IAM Role"
+ },
+ "5": {
+ "caption": "GCP Account"
+ },
+ "6": {
+ "caption": "Azure AD Account"
+ },
+ "7": {
+ "caption": "Mac OS Account"
+ },
+ "8": {
+ "caption": "Apple Account"
+ },
+ "9": {
+ "caption": "Linux Account"
+ },
"99": {
"caption": "Other",
"description": "The account type is not mapped."
}
- }
+ },
+ "requirement": "recommended"
},
"uid": {
- "observable": 35,
- "description": "The unique identifier of the account (e.g. AWS Account ID
, OCID
, GCP Project ID
, Azure Subscription ID
, Google Workspace Customer ID
, or M365 Tenant UID
)."
+ "description": "The unique identifier of the account (e.g. AWS Account ID
, OCID
, GCP Project ID
, Azure Subscription ID
, Google Workspace Customer ID
, or M365 Tenant UID
).",
+ "observable": 35
+ }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:UserAccount.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/"
+ },
+ {
+ "description": "D3FEND™ Ontology d3f:CloudUserAccount.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:CloudUserAccount/"
}
- }
+ ]
}
\ No newline at end of file
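Review bot: The new ordering of the `type_id` enum keys in this hunk is lexical (`"1"`, `"10"` … `"18"`, then the re-added `"2"` … `"9"`, `"99"`), whereas registry_value.json in this same diff moves `"10"` to sit after `"9"`, i.e. numerically. JSON key order carries no meaning, so nothing breaks, but a reformatting commit only earns its churn if it is deterministic; two sort rules for the same kind of key in one commit suggests the files were not all produced by the same pass, and the next run of whichever tool wins will reorder them again. Picking one rule (numeric order for integer-like enum keys reads best) and applying it to account.json as well would settle it.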
diff --git a/objects/actor.json b/objects/actor.json
index 6016412de..65dcdf559 100644
--- a/objects/actor.json
+++ b/objects/actor.json
@@ -1,8 +1,8 @@
{
"caption": "Actor",
"description": "The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.",
- "name": "actor",
"extends": "object",
+ "name": "actor",
"attributes": {
"app_name": {
"description": "The client application or service that initiated the activity. This can be in conjunction with the user
if present. Note that app_name
is distinct from the process
if present.",
@@ -48,4 +48,4 @@
"app_uid"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/agent.json b/objects/agent.json
index 6c7223c6d..6fa344ac7 100644
--- a/objects/agent.json
+++ b/objects/agent.json
@@ -1,92 +1,91 @@
{
- "caption": "Agent",
- "description": "An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.",
- "extends": "object",
- "name": "agent",
- "attributes": {
- "type_id": {
- "caption": "Type ID",
- "description": "The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.",
- "enum": {
- "1": {
- "caption": "Endpoint Detection and Response",
- "description": "Any EDR sensor or agent. Or any tool that provides similar threat detection, anti-malware, anti-ransomware, or similar capabilities. E.g., Crowdstrike Falcon, Microsoft Defender for Endpoint, Wazuh."
- },
- "2": {
- "caption": "Data Loss Prevention",
- "description": "Any DLP sensor or agent. Or any tool that provides similar data classification, data loss detection, and/or data loss prevention capabilities. E.g., Forcepoint DLP, Microsoft Purview, Symantec DLP."
- },
- "3": {
- "caption": "Backup & Recovery",
- "description": "Any agent or sensor that provides backups, archival, or recovery capabilities. E.g., Azure Backup, AWS Backint Agent."
- },
- "4": {
- "caption": "Performance Monitoring & Observability",
- "description": "Any agent or sensor that provides Application Performance Monitoring (APM), active tracing, profiling, or other observability use cases and optionally forwards the logs. E.g., New Relic Agent, Datadog Agent, Azure Monitor Agent."
- },
- "5": {
- "caption": "Vulnerability Management",
- "description": "Any agent or sensor that provides vulnerability management or scanning capabilities. E.g., Qualys VMDR, Microsoft Defender for Endpoint, Crowdstrike Spotlight, Amazon Inspector Agent."
- },
- "6": {
- "caption": "Log Forwarding",
- "description": "Any agent or sensor that forwards logs to a 3rd party storage system such as a data lake or SIEM. E.g., Splunk Universal Forwarder, Tenzir, FluentBit, Amazon CloudWatch Agent, Amazon Kinesis Agent."
- },
- "7": {
- "caption": "Mobile Device Management",
- "description": "Any agent or sensor responsible for providing Mobile Device Management (MDM) or Mobile Enterprise Management (MEM) capabilities. E.g., JumpCloud Agent, Esper Agent, Jamf Pro binary."
- },
- "8": {
- "caption": "Configuration Management",
- "description": "Any agent or sensor that provides configuration management of a device, such as scanning for software, license management, or applying configurations. E.g., AWS Systems Manager Agent, Flexera, ServiceNow MID Server."
- },
- "9": {
- "caption": "Remote Access",
- "description": "Any agent or sensor that provides remote access capabilities to a device. E.g., BeyondTrust, Amazon Systems Manager Agent, Verkada Agent."
- }
- },
- "requirement": "recommended"
+ "caption": "Agent",
+ "description": "An Agent (also known as a Sensor) is typically installed on an Operating System (OS) and serves as a specialized software component that can be designed to monitor, detect, collect, archive, or take action. These activities and possible actions are defined by the upstream system controlling the Agent and its intended purpose. For instance, an Agent can include Endpoint Detection & Response (EDR) agents, backup/disaster recovery sensors, Application Performance Monitoring or profiling sensors, and similar software.",
+ "extends": "object",
+ "name": "agent",
+ "attributes": {
+ "name": {
+ "caption": "Agent Name",
+ "description": "The name of the agent or sensor. For example: AWS SSM Agent
.",
+ "requirement": "recommended"
+ },
+ "policies": {
+ "caption": "Agent Policies",
+ "description": "Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.",
+ "requirement": "optional"
+ },
+ "type": {
+ "caption": "Agent Type",
+ "description": "The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Type ID",
+ "description": "The normalized representation of an agent or sensor. E.g., EDR, vulnerability management, APM, backup & recovery, etc.",
+ "enum": {
+ "1": {
+ "caption": "Endpoint Detection and Response",
+ "description": "Any EDR sensor or agent. Or any tool that provides similar threat detection, anti-malware, anti-ransomware, or similar capabilities. E.g., Crowdstrike Falcon, Microsoft Defender for Endpoint, Wazuh."
+ },
+ "2": {
+ "caption": "Data Loss Prevention",
+ "description": "Any DLP sensor or agent. Or any tool that provides similar data classification, data loss detection, and/or data loss prevention capabilities. E.g., Forcepoint DLP, Microsoft Purview, Symantec DLP."
},
- "type": {
- "caption": "Agent Type",
- "description": "The normalized caption of the type_id value for the agent or sensor. In the case of 'Other' or 'Unknown', it is defined by the event source.",
- "requirement": "optional"
+ "3": {
+ "caption": "Backup & Recovery",
+ "description": "Any agent or sensor that provides backups, archival, or recovery capabilities. E.g., Azure Backup, AWS Backint Agent."
},
- "uid": {
- "caption": "Agent ID",
- "description": "The UID of the agent or sensor, sometimes known as a Sensor ID or aid
.",
- "requirement": "recommended"
+ "4": {
+ "caption": "Performance Monitoring & Observability",
+ "description": "Any agent or sensor that provides Application Performance Monitoring (APM), active tracing, profiling, or other observability use cases and optionally forwards the logs. E.g., New Relic Agent, Datadog Agent, Azure Monitor Agent."
},
- "uid_alt": {
- "caption": "Alternate Agent ID",
- "description": "An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.",
- "requirement": "optional"
+ "5": {
+ "caption": "Vulnerability Management",
+ "description": "Any agent or sensor that provides vulnerability management or scanning capabilities. E.g., Qualys VMDR, Microsoft Defender for Endpoint, Crowdstrike Spotlight, Amazon Inspector Agent."
},
- "version": {
- "caption": "Agent Version",
- "description": "The semantic version of the agent or sensor, e.g., 7.101.50.0
.",
- "requirement": "optional"
+ "6": {
+ "caption": "Log Forwarding",
+ "description": "Any agent or sensor that forwards logs to a 3rd party storage system such as a data lake or SIEM. E.g., Splunk Universal Forwarder, Tenzir, FluentBit, Amazon CloudWatch Agent, Amazon Kinesis Agent."
},
- "vendor_name": {
- "description": "The company or author who created the agent or sensor. For example: Crowdstrike
.",
- "requirement": "optional"
+ "7": {
+ "caption": "Mobile Device Management",
+ "description": "Any agent or sensor responsible for providing Mobile Device Management (MDM) or Mobile Enterprise Management (MEM) capabilities. E.g., JumpCloud Agent, Esper Agent, Jamf Pro binary."
},
- "name": {
- "caption": "Agent Name",
- "description": "The name of the agent or sensor. For example: AWS SSM Agent
.",
- "requirement": "recommended"
+ "8": {
+ "caption": "Configuration Management",
+ "description": "Any agent or sensor that provides configuration management of a device, such as scanning for software, license management, or applying configurations. E.g., AWS Systems Manager Agent, Flexera, ServiceNow MID Server."
},
- "policies": {
- "caption": "Agent Policies",
- "description": "Describes the various policies that may be applied or enforced by an agent or sensor. E.g., Conditional Access, prevention, auto-update, tamper protection, destination configuration, etc.",
- "requirement": "optional"
+ "9": {
+ "caption": "Remote Access",
+ "description": "Any agent or sensor that provides remote access capabilities to a device. E.g., BeyondTrust, Amazon Systems Manager Agent, Verkada Agent."
}
+ },
+ "requirement": "recommended"
+ },
+ "uid": {
+ "caption": "Agent ID",
+ "description": "The UID of the agent or sensor, sometimes known as a Sensor ID or aid
.",
+ "requirement": "recommended"
+ },
+ "uid_alt": {
+ "caption": "Alternate Agent ID",
+ "description": "An alternative or contextual identifier for the agent or sensor, such as a configuration, organization, or license UID.",
+ "requirement": "optional"
+ },
+ "vendor_name": {
+ "description": "The company or author who created the agent or sensor. For example: Crowdstrike
.",
+ "requirement": "optional"
},
- "constraints": {
- "at_least_one": [
- "uid",
- "name"
- ]
+ "version": {
+ "caption": "Agent Version",
+ "description": "The semantic version of the agent or sensor, e.g., 7.101.50.0
.",
+ "requirement": "optional"
}
+ },
+ "constraints": {
+ "at_least_one": [
+ "uid",
+ "name"
+ ]
}
-
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/objects/aircraft.json b/objects/aircraft.json
index 5aada5ab1..1d5eb751d 100644
--- a/objects/aircraft.json
+++ b/objects/aircraft.json
@@ -1,51 +1,51 @@
{
- "caption": "Aircraft",
- "description": "The Aircraft object represents any aircraft or otherwise airborne asset such as an unmanned system, airplane, balloon, spacecraft, or otherwise. The Aircraft object is intended to normalized data captured or otherwise logged from active radar, passive radar, multi-spectral systems, or the Automatic Dependant Broadcast - Surveillance (ADS-B), and/or Mode S systems.",
- "extends": "_entity",
- "name": "aircraft",
- "attributes": {
- "location": {
- "requirement": "recommended"
- },
- "model": {
- "description": "The model name of the aircraft or unmanned system.",
- "requirement": "optional"
- },
- "name": {
- "description": "The name of the aircraft, such as the such as the flight name or callsign.",
- "requirement": "recommended"
- },
- "serial_number": {
- "description": "The serial number of the aircraft.",
- "requirement": "optional"
- },
- "speed": {
- "requirement": "optional"
- },
- "speed_accuracy": {
- "requirement": "optional"
- },
- "track_direction": {
- "requirement": "optional"
- },
- "uid": {
- "description": "The primary identification identifier for an aircraft, such as the 24-bit International Civil Aviation Organization (ICAO) identifier of the aircraft, as 6 hex digits.",
- "requirement": "recommended"
- },
- "uid_alt": {
- "description": "A secondary identification identifier for an aircraft, such as the 4-digit squawk (octal representation).",
- "requirement": "optional"
- },
- "vertical_speed": {
- "requirement": "optional"
- }
- },
- "constraints": {
- "at_least_one": [
- "name",
- "serial_number",
- "uid",
- "uid_alt"
- ]
+ "caption": "Aircraft",
+ "description": "The Aircraft object represents any aircraft or otherwise airborne asset such as an unmanned system, airplane, balloon, spacecraft, or otherwise. The Aircraft object is intended to normalized data captured or otherwise logged from active radar, passive radar, multi-spectral systems, or the Automatic Dependant Broadcast - Surveillance (ADS-B), and/or Mode S systems.",
+ "extends": "_entity",
+ "name": "aircraft",
+ "attributes": {
+ "location": {
+ "requirement": "recommended"
+ },
+ "model": {
+ "description": "The model name of the aircraft or unmanned system.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The name of the aircraft, such as the such as the flight name or callsign.",
+ "requirement": "recommended"
+ },
+ "serial_number": {
+ "description": "The serial number of the aircraft.",
+ "requirement": "optional"
+ },
+ "speed": {
+ "requirement": "optional"
+ },
+ "speed_accuracy": {
+ "requirement": "optional"
+ },
+ "track_direction": {
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "The primary identification identifier for an aircraft, such as the 24-bit International Civil Aviation Organization (ICAO) identifier of the aircraft, as 6 hex digits.",
+ "requirement": "recommended"
+ },
+ "uid_alt": {
+ "description": "A secondary identification identifier for an aircraft, such as the 4-digit squawk (octal representation).",
+ "requirement": "optional"
+ },
+ "vertical_speed": {
+ "requirement": "optional"
}
- }
\ No newline at end of file
+ },
+ "constraints": {
+ "at_least_one": [
+ "name",
+ "serial_number",
+ "uid",
+ "uid_alt"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/objects/analytic.json b/objects/analytic.json
index ecbf50c24..16e69593d 100644
--- a/objects/analytic.json
+++ b/objects/analytic.json
@@ -1,94 +1,94 @@
{
- "caption": "Analytic",
- "name": "analytic",
- "description": "The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.",
- "extends": "_entity",
- "attributes": {
- "category": {
- "description": "The analytic category.",
- "requirement": "optional"
+ "caption": "Analytic",
+ "description": "The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.",
+ "extends": "_entity",
+ "name": "analytic",
+ "attributes": {
+ "category": {
+ "description": "The analytic category.",
+ "requirement": "optional"
+ },
+ "desc": {
+ "description": "The description of the analytic that generated the finding.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The name of the analytic that generated the finding."
+ },
+ "related_analytics": {
+ "@deprecated": {
+ "message": "Related Analytics has been decoupled from this object, instead use finding_info.related_analytics
.",
+ "since": "1.0.0"
},
- "desc": {
- "description": "The description of the analytic that generated the finding.",
- "requirement": "optional"
- },
- "name": {
- "description": "The name of the analytic that generated the finding."
- },
- "related_analytics": {
- "@deprecated": {
- "message": "Related Analytics has been decoupled from this object, instead use finding_info.related_analytics
.",
- "since": "1.0.0"
+ "description": "Other analytics related to this analytic.",
+ "requirement": "optional"
+ },
+ "type": {
+ "description": "The analytic type.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "description": "The analytic type ID.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
},
- "description": "Other analytics related to this analytic.",
- "requirement": "optional"
- },
- "type": {
- "description": "The analytic type.",
- "requirement": "optional"
- },
- "type_id": {
- "description": "The analytic type ID.",
- "requirement": "required",
- "enum": {
- "0": {
- "caption": "Unknown"
- },
- "1": {
- "caption": "Rule",
- "description": "A Rule in security analytics refers to predefined criteria or conditions set to monitor, alert, or enforce policies, playing a crucial role in access control, threat detection, and regulatory compliance across security systems."
- },
- "2": {
- "caption": "Behavioral",
- "description": "Behavioral analytics focus on monitoring and analyzing user or system actions to identify deviations from established patterns, aiding in the detection of insider threats, fraud, and advanced persistent threats (APTs)."
- },
- "3": {
- "caption": "Statistical",
- "description": "Statistical analytics pertains to analyzing data patterns and anomalies using statistical models to predict, detect, and respond to potential threats, enhancing overall security posture through informed decision-making."
- },
- "4": {
- "caption": "Learning (ML/DL)",
- "description": "Learning (ML/DL) encompasses techniques that can \"learn\" from known data to create analytics that generalize to new data. There may be a statistical component to these techniques, but it is not a requirement."
- },
- "5": {
- "caption": "Fingerprinting",
- "description": "Fingerprinting is the technique of collecting detailed system data, including software versions and configurations, to enhance threat detection, data loss prevention (DLP), and endpoint detection and response (EDR) capabilities."
- },
- "6": {
- "caption": "Tagging",
- "description": "Tagging refers to the practice of assigning labels or identifiers to data, users, assets, or activities to monitor, control access, and facilitate incident response across various security domains such as DLP and EDR."
- },
- "7": {
- "caption": "Keyword Match",
- "description": "Keyword Match involves scanning content for specific terms to identify sensitive information, potential threats, or policy violations, aiding in DLP and compliance monitoring."
- },
- "8": {
- "caption": "Regular Expressions",
- "description": "Regular Expressions are used to define complex search patterns for identifying, validating, and extracting specific data sets or threats within digital content, enhancing DLP, EDR, and threat detection mechanisms."
- },
- "9": {
- "caption": "Exact Data Match",
- "description": "Exact Data Match is a precise comparison technique used to detect the unauthorized use or exposure of specific, sensitive information, crucial for enforcing DLP policies and protecting against data breaches."
- },
- "10": {
- "caption": "Partial Data Match",
- "description": "Partial Data Match involves identifying instances where segments of sensitive information or patterns match, facilitating nuanced DLP and threat detection without requiring complete data conformity."
- },
- "11": {
- "caption": "Indexed Data Match",
- "description": "Indexed Data Match refers to comparing content against a pre-compiled index of sensitive information to efficiently detect and prevent unauthorized access or breaches, streamlining DLP and compliance efforts."
- },
- "99": {
- "caption": "Other"
- }
+ "1": {
+ "caption": "Rule",
+ "description": "A Rule in security analytics refers to predefined criteria or conditions set to monitor, alert, or enforce policies, playing a crucial role in access control, threat detection, and regulatory compliance across security systems."
+ },
+ "10": {
+ "caption": "Partial Data Match",
+ "description": "Partial Data Match involves identifying instances where segments of sensitive information or patterns match, facilitating nuanced DLP and threat detection without requiring complete data conformity."
+ },
+ "11": {
+ "caption": "Indexed Data Match",
+ "description": "Indexed Data Match refers to comparing content against a pre-compiled index of sensitive information to efficiently detect and prevent unauthorized access or breaches, streamlining DLP and compliance efforts."
+ },
+ "2": {
+ "caption": "Behavioral",
+ "description": "Behavioral analytics focus on monitoring and analyzing user or system actions to identify deviations from established patterns, aiding in the detection of insider threats, fraud, and advanced persistent threats (APTs)."
+ },
+ "3": {
+ "caption": "Statistical",
+ "description": "Statistical analytics pertains to analyzing data patterns and anomalies using statistical models to predict, detect, and respond to potential threats, enhancing overall security posture through informed decision-making."
+ },
+ "4": {
+ "caption": "Learning (ML/DL)",
+ "description": "Learning (ML/DL) encompasses techniques that can \"learn\" from known data to create analytics that generalize to new data. There may be a statistical component to these techniques, but it is not a requirement."
+ },
+ "5": {
+ "caption": "Fingerprinting",
+ "description": "Fingerprinting is the technique of collecting detailed system data, including software versions and configurations, to enhance threat detection, data loss prevention (DLP), and endpoint detection and response (EDR) capabilities."
+ },
+ "6": {
+ "caption": "Tagging",
+ "description": "Tagging refers to the practice of assigning labels or identifiers to data, users, assets, or activities to monitor, control access, and facilitate incident response across various security domains such as DLP and EDR."
+ },
+ "7": {
+ "caption": "Keyword Match",
+ "description": "Keyword Match involves scanning content for specific terms to identify sensitive information, potential threats, or policy violations, aiding in DLP and compliance monitoring."
+ },
+ "8": {
+ "caption": "Regular Expressions",
+ "description": "Regular Expressions are used to define complex search patterns for identifying, validating, and extracting specific data sets or threats within digital content, enhancing DLP, EDR, and threat detection mechanisms."
+ },
+ "9": {
+ "caption": "Exact Data Match",
+ "description": "Exact Data Match is a precise comparison technique used to detect the unauthorized use or exposure of specific, sensitive information, crucial for enforcing DLP policies and protecting against data breaches."
+ },
+ "99": {
+ "caption": "Other"
}
},
- "uid": {
- "description": "The unique identifier of the analytic that generated the finding."
- },
- "version": {
- "description": "The analytic version. For example: 1.1
.",
- "requirement": "optional"
- }
+ "requirement": "required"
+ },
+ "uid": {
+ "description": "The unique identifier of the analytic that generated the finding."
+ },
+ "version": {
+ "description": "The analytic version. For example: 1.1
.",
+ "requirement": "optional"
}
}
+}
\ No newline at end of file
diff --git a/objects/api.json b/objects/api.json
index cc8545f13..fa4cd5abf 100644
--- a/objects/api.json
+++ b/objects/api.json
@@ -28,4 +28,4 @@
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/attack.json b/objects/attack.json
index afbe27ad2..5971160e2 100644
--- a/objects/attack.json
+++ b/objects/attack.json
@@ -1,9 +1,12 @@
{
"caption": "MITRE ATT&CK®",
- "name": "attack",
"description": "The MITRE ATT&CK® object describes the tactic, technique & sub-technique associated to an attack as defined in ATT&CK® Matrix.",
"extends": "object",
+ "name": "attack",
"attributes": {
+ "sub_technique": {
+ "requirement": "optional"
+ },
"tactic": {
"requirement": "optional"
},
@@ -13,9 +16,6 @@
"technique": {
"requirement": "optional"
},
- "sub_technique": {
- "requirement": "optional"
- },
"version": {
"description": "The ATT&CK® Matrix version.",
"requirement": "recommended"
@@ -28,4 +28,4 @@
"sub_technique"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/auth_factor.json b/objects/auth_factor.json
index c9273efb0..eefa087a7 100644
--- a/objects/auth_factor.json
+++ b/objects/auth_factor.json
@@ -1,48 +1,48 @@
{
"caption": "Authentication Factor",
"description": "An Authentication Factor object describes a category of methods used for identity verification in an authentication attempt.",
- "name": "auth_factor",
"extends": "object",
+ "name": "auth_factor",
"attributes": {
- "factor_type": {
- "requirement": "recommended",
- "group": "primary"
- },
- "factor_type_id": {
- "requirement": "required",
- "group": "primary"
- },
"device": {
"description": "Device used to complete an authentication request.",
- "requirement": "recommended",
- "group": "primary"
+ "group": "primary",
+ "requirement": "recommended"
},
- "provider": {
- "description": "The name of provider for an authentication factor.",
- "requirement": "recommended",
- "group": "context"
+ "email_addr": {
+ "description": "The email address used in an email-based authentication factor.",
+ "group": "context",
+ "requirement": "optional"
},
- "is_totp": {
- "requirement": "recommended",
- "group": "context"
+ "factor_type": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "factor_type_id": {
+ "group": "primary",
+ "requirement": "required"
},
"is_hotp": {
- "requirement": "recommended",
- "group": "context"
+ "group": "context",
+ "requirement": "recommended"
},
- "security_questions": {
- "requirement": "optional",
- "group": "context"
+ "is_totp": {
+ "group": "context",
+ "requirement": "recommended"
},
"phone_number": {
"description": "The phone number used for a telephony-based authentication request.",
- "requirement": "optional",
- "group": "context"
+ "group": "context",
+ "requirement": "optional"
},
- "email_addr": {
- "description": "The email address used in an email-based authentication factor.",
- "requirement": "optional",
- "group": "context"
+ "provider": {
+ "description": "The name of provider for an authentication factor.",
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "security_questions": {
+ "group": "context",
+ "requirement": "optional"
}
},
"constraints": {
@@ -52,4 +52,4 @@
"security_questions"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/autonomous_system.json b/objects/autonomous_system.json
index 73a45b59a..59ded4ed5 100644
--- a/objects/autonomous_system.json
+++ b/objects/autonomous_system.json
@@ -4,16 +4,16 @@
"extends": "object",
"name": "autonomous_system",
"attributes": {
+ "name": {
+ "description": "Organization name for the Autonomous System.",
+ "group": "context",
+ "requirement": "recommended"
+ },
"number": {
"description": "Unique number that the AS is identified by.",
- "requirement": "recommended",
"group": "context",
- "type": "integer_t"
- },
- "name": {
- "description": "Organization name for the Autonomous System.",
"requirement": "recommended",
- "group": "context"
+ "type": "integer_t"
}
},
"constraints": {
@@ -22,4 +22,4 @@
"name"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/certificate.json b/objects/certificate.json
index 03d33ef38..c375e4fb6 100644
--- a/objects/certificate.json
+++ b/objects/certificate.json
@@ -1,9 +1,8 @@
{
"caption": "Digital Certificate",
- "name": "certificate",
"description": "The Digital Certificate, also known as a Public Key Certificate, object contains information about the ownership and usage of a public key. It serves as a means to establish trust in the authenticity and integrity of the public key and the associated entity.",
"extends": "object",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Certificate/", "description": "D3FEND™ Ontology d3f:Certificate."}],
+ "name": "certificate",
"attributes": {
"created_time": {
"description": "The time when the certificate was created.",
@@ -17,22 +16,22 @@
"description": "The fingerprint list of the certificate.",
"requirement": "recommended"
},
+ "is_self_signed": {
+ "requirement": "recommended"
+ },
"issuer": {
"caption": "Issuer Distinguished Name",
"description": "The certificate issuer distinguished name.",
"requirement": "required"
},
- "is_self_signed": {
- "requirement": "recommended"
- },
"sans": {
- "description": "The list of subject alternative names that are secured by a specific certificate.",
"caption": "Subject Alternative Names",
+ "description": "The list of subject alternative names that are secured by a specific certificate.",
"requirement": "optional"
},
"serial_number": {
- "description": "The serial number of the certificate used to create the digital signature.",
"caption": "Certificate Serial Number",
+ "description": "The serial number of the certificate used to create the digital signature.",
"requirement": "required"
},
"subject": {
@@ -48,5 +47,11 @@
"description": "The certificate version.",
"requirement": "recommended"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:Certificate.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:Certificate/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/cis_benchmark.json b/objects/cis_benchmark.json
index d5abe1acd..39be8af39 100644
--- a/objects/cis_benchmark.json
+++ b/objects/cis_benchmark.json
@@ -16,4 +16,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/cis_benchmark_result.json b/objects/cis_benchmark_result.json
index 5019026ba..3b9b757ff 100644
--- a/objects/cis_benchmark_result.json
+++ b/objects/cis_benchmark_result.json
@@ -20,4 +20,4 @@
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/cis_control.json b/objects/cis_control.json
index 4a40611a0..cb2642ebf 100644
--- a/objects/cis_control.json
+++ b/objects/cis_control.json
@@ -1,20 +1,20 @@
{
- "caption": "CIS Control",
- "description": "The CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors. The CIS Controls are defined by the Center for Internet Security.",
- "extends": "object",
- "name": "cis_control",
- "attributes": {
- "desc": {
- "description": "The CIS Control description. For example: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
- "requirement": "optional"
- },
- "name": {
- "description": "The CIS Control name. For example: 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software.",
- "requirement": "required"
- },
- "version": {
- "description": "The CIS Control version. For example: v8.",
- "requirement": "recommended"
- }
+ "caption": "CIS Control",
+ "description": "The CIS Control (aka Critical Security Control) object describes a prioritized set of actions to protect your organization and data from cyber-attack vectors. The CIS Controls are defined by the Center for Internet Security.",
+ "extends": "object",
+ "name": "cis_control",
+ "attributes": {
+ "desc": {
+ "description": "The CIS Control description. For example: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The CIS Control name. For example: 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software.",
+ "requirement": "required"
+ },
+ "version": {
+ "description": "The CIS Control version. For example: v8.",
+ "requirement": "recommended"
}
- }
\ No newline at end of file
+ }
+}
\ No newline at end of file
diff --git a/objects/cis_csc.json b/objects/cis_csc.json
index d812d9363..b44f4a542 100644
--- a/objects/cis_csc.json
+++ b/objects/cis_csc.json
@@ -1,15 +1,15 @@
{
- "caption": "CIS CSC",
- "description": "The CIS Critical Security Control (CSC) contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC). Prioritized set of actions to protect your organization and data from cyber-attack vectors.",
- "extends": "object",
- "name": "cis_csc",
- "attributes": {
- "control": {
- "requirement": "required"
- },
- "version": {
- "description": "The CIS critical security control version.",
- "requirement": "recommended"
- }
+ "caption": "CIS CSC",
+ "description": "The CIS Critical Security Control (CSC) contains information as defined by the Center for Internet Security Critical Security Control (CIS CSC). Prioritized set of actions to protect your organization and data from cyber-attack vectors.",
+ "extends": "object",
+ "name": "cis_csc",
+ "attributes": {
+ "control": {
+ "requirement": "required"
+ },
+ "version": {
+ "description": "The CIS critical security control version.",
+ "requirement": "recommended"
}
- }
\ No newline at end of file
+ }
+}
\ No newline at end of file
diff --git a/objects/cloud.json b/objects/cloud.json
index 7aac1a72e..85665c2a6 100644
--- a/objects/cloud.json
+++ b/objects/cloud.json
@@ -7,7 +7,7 @@
"account": {
"requirement": "optional"
},
- "cloud_partition":{
+ "cloud_partition": {
"requirement": "optional"
},
"org": {
diff --git a/objects/compliance.json b/objects/compliance.json
index 349d08078..a2ebdcdd0 100644
--- a/objects/compliance.json
+++ b/objects/compliance.json
@@ -31,12 +31,12 @@
"requirement": "optional"
},
"status_detail": {
- "description": "The contextual description of the status, status_code
values.",
- "requirement": "optional",
"@deprecated": {
"message": "Use the status_details
attribute instead.",
"since": "1.4.0"
- }
+ },
+ "description": "The contextual description of the status, status_code
values.",
+ "requirement": "optional"
},
"status_details": {
"description": "A list of contextual descriptions of the status, status_code
values.",
diff --git a/objects/container.json b/objects/container.json
index 76d6cf614..8fae15593 100644
--- a/objects/container.json
+++ b/objects/container.json
@@ -2,7 +2,6 @@
"observable": 27,
"caption": "Container",
"description": "The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:ContainerProcess/", "description": "D3FEND™ Ontology d3f:ContainerProcess."}],
"extends": "object",
"name": "container",
"attributes": {
@@ -56,5 +55,11 @@
"uid",
"name"
]
- }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:ContainerProcess.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:ContainerProcess/"
+ }
+ ]
}
\ No newline at end of file
diff --git a/objects/cve.json b/objects/cve.json
index 7ce45216a..2d63a4497 100644
--- a/objects/cve.json
+++ b/objects/cve.json
@@ -28,7 +28,7 @@
"description": "A brief description of the CVE Record.",
"requirement": "optional"
},
- "epss":{
+ "epss": {
"requirement": "optional"
},
"modified_time": {
@@ -58,8 +58,8 @@
},
"uid": {
"caption": "CVE ID",
- "observable": 18,
"description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345
.",
+ "observable": 18,
"requirement": "required"
}
}
diff --git a/objects/cvss.json b/objects/cvss.json
index 79015e33e..e1b77717b 100644
--- a/objects/cvss.json
+++ b/objects/cvss.json
@@ -30,7 +30,7 @@
"vector_string": {
"requirement": "optional"
},
- "vendor_name":{
+ "vendor_name": {
"description": "The vendor that provided the CVSS score. For example: NVD, REDHAT
etc.",
"requirement": "recommended"
},
@@ -39,4 +39,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/cwe.json b/objects/cwe.json
index be698af8d..697ff0429 100644
--- a/objects/cwe.json
+++ b/objects/cwe.json
@@ -4,7 +4,7 @@
"extends": "object",
"name": "cwe",
"attributes": {
- "caption":{
+ "caption": {
"description": "The caption assigned to the Common Weakness Enumeration unique identifier.",
"requirement": "optional"
},
@@ -14,8 +14,8 @@
},
"uid": {
"caption": "CWE ID",
- "observable": 17,
"description": "The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: CWE-123
.",
+ "observable": 17,
"requirement": "required"
}
}
diff --git a/objects/d3f_tactic.json b/objects/d3f_tactic.json
index 30cd790f8..18cf06923 100644
--- a/objects/d3f_tactic.json
+++ b/objects/d3f_tactic.json
@@ -1,19 +1,34 @@
{
"caption": "MITRE D3FEND™ Tactic",
- "name": "d3f_tactic",
"description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack",
- "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
"extends": "_entity",
+ "name": "d3f_tactic",
"attributes": {
"name": {
"description": "The tactic name that is associated with the defensive technique. For example: Isolate
.",
- "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
- "requirement" : "optional"
- },
+ "references": [
+ {
+ "description": "D3FEND™ Matrix",
+ "url": "https://d3fend.mitre.org"
+ }
+ ],
+ "requirement": "optional"
+ },
"src_url": {
"description": "The versioned permalink of the defensive tactic. For example: https://d3fend.mitre.org/tactic/d3f:Isolate/
.",
- "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
- "requirement" : "optional"
+ "references": [
+ {
+ "description": "D3FEND™ Matrix",
+ "url": "https://d3fend.mitre.org"
+ }
+ ],
+ "requirement": "optional"
+ }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Matrix",
+ "url": "https://d3fend.mitre.org"
}
- }
+ ]
}
\ No newline at end of file
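Review bot: The object-level description on the unchanged line `"description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack"` contradicts both the attribute text this hunk re-sorts (`name` is "associated with the defensive technique") and the sibling `d3fend` object, which describes its tactic as "associated with a countermeasure"; D3FEND tactics are defensive, not offensive. Suggest `"description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated with a countermeasure."`, which also adds the terminal period the other object descriptions in this diff carry. Since this commit only reorders keys and expands the `references` arrays, the wording fix would need its own change.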
diff --git a/objects/d3f_technique.json b/objects/d3f_technique.json
index d138f296c..0c3ca11b8 100644
--- a/objects/d3f_technique.json
+++ b/objects/d3f_technique.json
@@ -1,22 +1,42 @@
{
"caption": "MITRE DEFEND™ Technique",
- "name": "d3f_technique",
"description": "The MITRE D3FEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure.",
- "references": [{"url": "href='https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
"extends": "_entity",
+ "name": "d3f_technique",
"attributes": {
"name": {
"description": "The name of the defensive technique. For example: IO Port Restriction
.",
- "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}]
+ "references": [
+ {
+ "description": "D3FEND™ Matrix",
+ "url": "https://d3fend.mitre.org"
+ }
+ ]
},
"src_url": {
"description": "The versioned permalink of the defensive technique. For example: https://d3fend.mitre.org/technique/d3f:IOPortRestriction/
.",
- "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
- "requirement" : "optional"
+ "references": [
+ {
+ "description": "D3FEND™ Matrix",
+ "url": "https://d3fend.mitre.org"
+ }
+ ],
+ "requirement": "optional"
},
"uid": {
"description": "The unique identifier of the defensive technique. For example: D3-IOPR
.",
- "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}]
+ "references": [
+ {
+ "description": "D3FEND™ Matrix",
+ "url": "https://d3fend.mitre.org"
+ }
+ ]
+ }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Matrix",
+ "url": "href='https://d3fend.mitre.org"
}
- }
+ ]
}
\ No newline at end of file
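Review bot: The object-level reference moved to the end of the file still carries the stray prefix `"url": "href='https://d3fend.mitre.org"`, which the reorder preserved verbatim from the old header; it is not a valid URL, and if the schema tooling interpolates it into an anchor attribute the generated documentation link will be malformed. The three attribute-level references in the same hunk use the correct form, so the fix is `"url": "https://d3fend.mitre.org"`. The unchanged caption `"caption": "MITRE DEFEND™ Technique"` also appears to be a typo for `D3FEND™`, which is what the description and the sibling `d3fend`/`d3f_tactic` objects use.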
diff --git a/objects/d3fend.json b/objects/d3fend.json
index 44c00c04b..a4ecdc822 100644
--- a/objects/d3fend.json
+++ b/objects/d3fend.json
@@ -1,28 +1,32 @@
{
- "caption": "MITRE D3FEND™",
- "name": "d3fend",
- "description": "The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure.",
- "references": [{"url": "https://d3fend.mitre.org", "description": "D3FEND™ Matrix"}],
- "extends": "object",
- "attributes": {
- "d3f_tactic": {
- "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure.",
- "requirement": "recommended"
- },
- "d3f_technique": {
- "description": "The Technique object describes the technique ID and/or name associated with a countermeasure.",
- "requirement": "recommended"
- },
- "version": {
- "description": "The D3FEND™ Matrix version.",
- "requirement": "recommended"
- }
+ "caption": "MITRE D3FEND™",
+ "description": "The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure.",
+ "extends": "object",
+ "name": "d3fend",
+ "attributes": {
+ "d3f_tactic": {
+ "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure.",
+ "requirement": "recommended"
},
- "constraints": {
- "at_least_one": [
- "d3f_tactic",
- "d3f_technique"
- ]
+ "d3f_technique": {
+ "description": "The Technique object describes the technique ID and/or name associated with a countermeasure.",
+ "requirement": "recommended"
+ },
+ "version": {
+ "description": "The D3FEND™ Matrix version.",
+ "requirement": "recommended"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "d3f_tactic",
+ "d3f_technique"
+ ]
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Matrix",
+ "url": "https://d3fend.mitre.org"
}
- }
-
\ No newline at end of file
+ ]
+}
\ No newline at end of file
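Review bot: The description `"The MITRE D3FEND™ object describes the tactic, technique & sub-technique associated with a countermeasure."` promises a sub-technique, but the object only defines `d3f_tactic`, `d3f_technique` and `version`, and the `at_least_one` constraint lists only the first two; this looks copied from the `attack` object, which does carry `sub_technique`. Unless a `d3f_sub_technique` attribute is planned, suggest `"description": "The MITRE D3FEND™ object describes the tactic and technique associated with a countermeasure."`. The hunk itself is a re-indent plus moving `references` to the end, so the text would need a separate edit.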
diff --git a/objects/data_classification.json b/objects/data_classification.json
index 4ed70aa8f..1bc9ec5de 100644
--- a/objects/data_classification.json
+++ b/objects/data_classification.json
@@ -10,7 +10,6 @@
},
"category_id": {
"description": "The normalized identifier of the data classification category.",
- "requirement": "recommended",
"enum": {
"0": {
"caption": "Unknown",
@@ -44,7 +43,8 @@
"caption": "Other",
"description": "Any other type of data classification or a multi-variate classification made up of several other classification categories."
}
- }
+ },
+ "requirement": "recommended"
},
"classifier_details": {
"requirement": "recommended"
@@ -81,7 +81,6 @@
},
"status_id": {
"description": "The normalized status identifier of the classification job.",
- "requirement": "recommended",
"enum": {
"0": {
"caption": "Unknown"
@@ -102,7 +101,8 @@
"caption": "Other",
"description": "The classification job type id is not mapped."
}
- }
+ },
+ "requirement": "recommended"
},
"total": {
"description": "The total count of discovered entities, by the classification job.",
diff --git a/objects/database.json b/objects/database.json
index a53c7adbb..7e142ee48 100644
--- a/objects/database.json
+++ b/objects/database.json
@@ -1,12 +1,8 @@
{
"caption": "Database",
"description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Database/", "description": "D3FEND™ Ontology d3f:Database."}],
"extends": "_entity",
"name": "database",
- "profiles": [
- "data_classification"
- ],
"attributes": {
"$include": [
"profiles/data_classification.json"
@@ -15,29 +11,31 @@
"description": "The time when the database was known to have been created.",
"requirement": "optional"
},
+ "desc": {
+ "description": "The description of the database.",
+ "requirement": "optional"
+ },
+ "groups": {
+ "description": "The group names to which the database belongs.",
+ "requirement": "optional"
+ },
"modified_time": {
"description": "The most recent time when any changes, updates, or modifications were made within the database.",
"requirement": "optional"
},
- "desc": {
- "description": "The description of the database.",
- "requirement": "optional"
+ "name": {
+ "description": "The database name, ordinarily as assigned by a database administrator."
},
"size": {
"description": "The size of the database in bytes.",
"requirement": "optional"
},
- "groups": {
- "description": "The group names to which the database belongs.",
- "requirement": "optional"
- },
"type": {
"description": "The database type.",
"requirement": "recommended"
},
"type_id": {
"description": "The normalized identifier of the database type.",
- "requirement": "required",
"enum": {
"0": {
"caption": "Unknown"
@@ -63,13 +61,20 @@
"99": {
"caption": "Other"
}
- }
- },
- "name": {
- "description": "The database name, ordinarily as assigned by a database administrator."
+ },
+ "requirement": "required"
},
"uid": {
"description": "The unique identifier of the database."
}
- }
-}
+ },
+ "profiles": [
+ "data_classification"
+ ],
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:Database.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:Database/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/databucket.json b/objects/databucket.json
index 2b133c578..1dc452f37 100644
--- a/objects/databucket.json
+++ b/objects/databucket.json
@@ -53,7 +53,6 @@
},
"type_id": {
"description": "The normalized identifier of the databucket type.",
- "requirement": "required",
"enum": {
"0": {
"caption": "Unknown"
@@ -70,7 +69,8 @@
"99": {
"caption": "Other"
}
- }
+ },
+ "requirement": "required"
},
"uid": {
"description": "The unique identifier of the databucket."
diff --git a/objects/dce_rpc.json b/objects/dce_rpc.json
index 22e22cd2e..74638cf57 100644
--- a/objects/dce_rpc.json
+++ b/objects/dce_rpc.json
@@ -1,9 +1,8 @@
{
"caption": "DCE/RPC",
- "name": "dce_rpc",
"description": "The DCE/RPC, or Distributed Computing Environment/Remote Procedure Call, object describes the remote procedure call system for distributed computing environments.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:RemoteProcedureCall/", "description": "D3FEND™ Ontology d3f:RemoteProcedureCall."}],
"extends": "object",
+ "name": "dce_rpc",
"attributes": {
"command": {
"description": "The request command (e.g. REQUEST, BIND).",
@@ -17,11 +16,17 @@
"description": "The list of interface flags.",
"requirement": "required"
},
- "rpc_interface": {
- "requirement": "required"
- },
"opnum": {
"requirement": "recommended"
+ },
+ "rpc_interface": {
+ "requirement": "required"
+ }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:RemoteProcedureCall.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:RemoteProcedureCall/"
}
- }
+ ]
}
\ No newline at end of file
diff --git a/objects/device.json b/objects/device.json
index 7e5f7b5a7..bb339aac8 100644
--- a/objects/device.json
+++ b/objects/device.json
@@ -1,9 +1,8 @@
{
"caption": "Device",
- "name": "device",
"description": "The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Host/", "description": "D3FEND™ Ontology d3f:Host."}],
"extends": "endpoint",
+ "name": "device",
"attributes": {
"autoscale_uid": {
"requirement": "optional"
@@ -74,14 +73,14 @@
"description": "The geographical location of the device.",
"requirement": "optional"
},
- "modified_time": {
- "description": "The time when the device was last known to have been modified.",
- "requirement": "optional"
- },
"model": {
"description": "The model of the device. For example ThinkPad X1 Carbon
.",
"requirement": "optional"
},
+ "modified_time": {
+ "description": "The time when the device was last known to have been modified.",
+ "requirement": "optional"
+ },
"name": {
"description": "The alternate device name, ordinarily as assigned by an administrator.
Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234
.
Dell
or Lenovo
.",
"requirement": "recommended"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:Host.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:Host/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/device_hw_info.json b/objects/device_hw_info.json
index d6a029fef..4b19bb31b 100644
--- a/objects/device_hw_info.json
+++ b/objects/device_hw_info.json
@@ -1,8 +1,8 @@
{
"caption": "Device Hardware Info",
- "name": "device_hw_info",
"description": "The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.",
"extends": "object",
+ "name": "device_hw_info",
"attributes": {
"bios_date": {
"requirement": "optional"
@@ -25,10 +25,10 @@
"cpu_bits": {
"requirement": "optional"
},
- "cpu_count": {
+ "cpu_cores": {
"requirement": "optional"
},
- "cpu_cores": {
+ "cpu_count": {
"requirement": "optional"
},
"cpu_speed": {
@@ -59,4 +59,4 @@
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/digital_signature.json b/objects/digital_signature.json
index 438032cdf..6095b132a 100644
--- a/objects/digital_signature.json
+++ b/objects/digital_signature.json
@@ -1,8 +1,8 @@
{
"caption": "Digital Signature",
- "name": "digital_signature",
"description": "The Digital Signature object contains information about the cryptographic mechanism used to verify the authenticity, integrity, and origin of the file or application.",
"extends": "object",
+ "name": "digital_signature",
"attributes": {
"algorithm": {
"description": "The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source.",
@@ -11,9 +11,6 @@
"algorithm_id": {
"description": "The identifier of the normalized digital signature algorithm.",
"enum": {
- "99": {
- "caption": "Other"
- },
"0": {
"caption": "Unknown"
},
@@ -32,6 +29,9 @@
"4": {
"caption": "Authenticode",
"description": "Microsoft Authenticode Digital Signature Algorithm."
+ },
+ "99": {
+ "caption": "Other"
}
},
"requirement": "required"
diff --git a/objects/discovery_details.json b/objects/discovery_details.json
index a02e03cab..c8a2bbe8f 100644
--- a/objects/discovery_details.json
+++ b/objects/discovery_details.json
@@ -8,7 +8,7 @@
"description": "The number of discovered entities of the specified type.",
"requirement": "recommended"
},
- "occurrence_details":{
+ "occurrence_details": {
"description": "Details about where in the target entity, specified information was discovered. Only the attributes, relevant to the target entity type should be populuated.",
"requirement": "optional"
},
diff --git a/objects/display.json b/objects/display.json
index db05cd2dc..b5cd9c172 100644
--- a/objects/display.json
+++ b/objects/display.json
@@ -1,8 +1,8 @@
{
"caption": "Display",
- "name": "display",
"description": "The Display object contains information about the physical or virtual display connected to a computer system.",
"extends": "object",
+ "name": "display",
"attributes": {
"color_depth": {
"requirement": "optional"
@@ -20,4 +20,4 @@
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/dns_answer.json b/objects/dns_answer.json
index 3500c1bfe..d2fd06ced 100644
--- a/objects/dns_answer.json
+++ b/objects/dns_answer.json
@@ -49,4 +49,4 @@
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/dns_query.json b/objects/dns_query.json
index cd95c10ac..f889bae74 100644
--- a/objects/dns_query.json
+++ b/objects/dns_query.json
@@ -1,9 +1,8 @@
{
"caption": "DNS Query",
- "name": "dns_query",
- "extends": "_dns",
"description": "The DNS query object represents a specific request made to the Domain Name System (DNS) to retrieve information about a domain or perform a DNS operation. This object encapsulates the necessary attributes and methods to construct and send DNS queries, specify the query type (e.g., A, AAAA, MX).",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:DNSLookup/", "description": "D3FEND™ Ontology d3f:DNSLookup."}],
+ "extends": "_dns",
+ "name": "dns_query",
"attributes": {
"hostname": {
"description": "The hostname or domain being queried. For example: www.example.com
",
@@ -15,5 +14,11 @@
"opcode_id": {
"requirement": "recommended"
}
- }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:DNSLookup.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:DNSLookup/"
+ }
+ ]
}
\ No newline at end of file
diff --git a/objects/domain_contact.json b/objects/domain_contact.json
index 7305462c1..b384606b9 100644
--- a/objects/domain_contact.json
+++ b/objects/domain_contact.json
@@ -1,60 +1,60 @@
{
- "caption": "Domain Contact",
- "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
- "extends": "object",
- "name": "domain_contact",
- "attributes": {
- "type_id": {
- "caption": "Domain Contact Type ID",
- "description": "The normalized domain contact type ID.",
- "requirement": "required",
- "enum": {
- "1": {
- "caption": "Registrant",
- "description": "The contact information provided is for the domain registrant."
- },
- "2": {
- "caption": "Administrative",
- "description": "The contact information provided is for the domain administrator."
- },
- "3": {
- "caption": "Technical",
- "description": "The contact information provided is for the domain technical lead."
- },
- "4": {
- "caption": "Billing",
- "description": "The contact information provided is for the domain billing lead."
- },
- "5": {
- "caption": "Abuse",
- "description": "The contact information provided is for the domain abuse contact."
- }
- }
- },
- "type": {
- "caption": "Domain Contact Type",
- "description": "The Domain Contact type, normalized to the caption of the type_id
value. In the case of 'Other', it is defined by the source",
- "requirement": "optional"
- },
- "location": {
- "caption": "Contact Location Information",
- "description": "Location details for the contract such as the city, state/province, country, etc.",
- "requirement": "recommended"
- },
- "email_addr": {
- "caption": "Contact Email",
- "requirement": "recommended"
- },
- "phone_number": {
- "requirement": "optional"
- },
- "name": {
- "description": "The individual or organization name for the contact.",
- "requirement": "optional"
- },
- "uid": {
- "description": "The unique identifier of the contact information, typically provided in WHOIS information.",
- "requirement": "optional"
- }
- }
+ "caption": "Domain Contact",
+ "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
+ "extends": "object",
+ "name": "domain_contact",
+ "attributes": {
+ "email_addr": {
+ "caption": "Contact Email",
+ "requirement": "recommended"
+ },
+ "location": {
+ "caption": "Contact Location Information",
+ "description": "Location details for the contract such as the city, state/province, country, etc.",
+ "requirement": "recommended"
+ },
+ "name": {
+ "description": "The individual or organization name for the contact.",
+ "requirement": "optional"
+ },
+ "phone_number": {
+ "requirement": "optional"
+ },
+ "type": {
+ "caption": "Domain Contact Type",
+ "description": "The Domain Contact type, normalized to the caption of the type_id
value. In the case of 'Other', it is defined by the source",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Domain Contact Type ID",
+ "description": "The normalized domain contact type ID.",
+ "enum": {
+ "1": {
+ "caption": "Registrant",
+ "description": "The contact information provided is for the domain registrant."
+ },
+ "2": {
+ "caption": "Administrative",
+ "description": "The contact information provided is for the domain administrator."
+ },
+ "3": {
+ "caption": "Technical",
+ "description": "The contact information provided is for the domain technical lead."
+ },
+ "4": {
+ "caption": "Billing",
+ "description": "The contact information provided is for the domain billing lead."
+ },
+ "5": {
+ "caption": "Abuse",
+ "description": "The contact information provided is for the domain abuse contact."
+ }
+ },
+ "requirement": "required"
+ },
+ "uid": {
+ "description": "The unique identifier of the contact information, typically provided in WHOIS information.",
+ "requirement": "optional"
+ }
+ }
}
\ No newline at end of file
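Review bot: The `type_id` enum on the new side defines only values 1–5 while the sibling `type` description still says "In the case of 'Other', it is defined by the source", so a producer has no value to emit for an unrecognized or absent contact role and the 'Other' wording points at nothing. Every other `type_id` enum in this patch (database, databucket, digital_signature) carries `"0": { "caption": "Unknown" }` and `"99": { "caption": "Other" }`; adding the same two entries here would make the object consistent with the rest of the schema and make the description true. The `location` description also reads "Location details for the contract", which should be "contact".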
diff --git a/objects/email.json b/objects/email.json
index 5ae4f3c45..dc66b2bae 100644
--- a/objects/email.json
+++ b/objects/email.json
@@ -1,18 +1,9 @@
{
+ "observable": 22,
"caption": "Email",
- "name": "email",
"description": "The Email object describes the email metadata such as sender, recipients, and direction, and can include embedded URLs and files.",
- "references": [
- {
- "url": "https://d3fend.mitre.org/dao/artifact/d3f:Email/",
- "description": "D3FEND™ Ontology d3f:Email."
- }
- ],
"extends": "object",
- "observable": 22,
- "profiles": [
- "data_classification"
- ],
+ "name": "email",
"attributes": {
"$include": [
"profiles/data_classification.json"
@@ -24,18 +15,18 @@
"requirement": "optional"
},
"delivered_to": {
- "requirement": "optional",
"@deprecated": {
"message": "Use the delivered_to_list
attribute instead.",
"since": "1.4.0"
- }
+ },
+ "requirement": "optional"
},
"delivered_to_list": {
"requirement": "optional"
},
"files": {
- "requirement": "optional",
- "description": "The files embedded or attached to the email."
+ "description": "The files embedded or attached to the email.",
+ "requirement": "optional"
},
"from": {
"requirement": "recommended"
@@ -53,11 +44,11 @@
"requirement": "optional"
},
"reply_to": {
- "requirement": "recommended",
"@deprecated": {
"message": "Use the reply_to_mailboxes
attribute instead.",
"since": "1.4.0"
- }
+ },
+ "requirement": "recommended"
},
"reply_to_mailboxes": {
"requirement": "optional"
@@ -67,26 +58,26 @@
"requirement": "recommended"
},
"smtp_from": {
- "requirement": "recommended",
"@deprecated": {
"message": "Use the from
attribute instead.",
"since": "1.4.0"
- }
+ },
+ "requirement": "recommended"
},
"smtp_to": {
- "requirement": "recommended",
"@deprecated": {
"message": "Use the to
attribute instead.",
"since": "1.4.0"
- }
+ },
+ "requirement": "recommended"
},
"subject": {
"caption": "Subject",
"description": "The email header Subject value, as defined by RFC 5322.",
"references": [
{
- "url": "https://www.rfc-editor.org/rfc/rfc5322",
- "description": "RFC 5322"
+ "description": "RFC 5322",
+ "url": "https://www.rfc-editor.org/rfc/rfc5322"
}
],
"requirement": "recommended"
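Review bot: `smtp_from` and `smtp_to` are marked `@deprecated` since 1.4.0 with a message to use `from`/`to` instead, yet both keep `"requirement": "recommended"`, the same level as their replacements, so the schema is still nudging producers to populate the deprecated fields alongside the new ones. Dropping them to `"requirement": "optional"`, the level already used for the deprecated `delivered_to` earlier in this file, would make the deprecation visible to validators and consumers without breaking existing emitters. The same applies to `reply_to` in the preceding hunk.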
@@ -97,17 +88,17 @@
"to_mailboxes": {
"requirement": "optional"
},
- "urls": {
- "requirement": "optional",
- "description": "The URLs embedded in the email."
- },
- "x_originating_ip": {
- "requirement": "optional"
- },
"uid": {
"caption": "Email Thread UID",
"description": "The unique identifier of the email thread.",
"requirement": "recommended"
+ },
+ "urls": {
+ "description": "The URLs embedded in the email.",
+ "requirement": "optional"
+ },
+ "x_originating_ip": {
+ "requirement": "optional"
}
},
"constraints": {
@@ -115,5 +106,14 @@
"from",
"to"
]
- }
-}
+ },
+ "profiles": [
+ "data_classification"
+ ],
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:Email.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:Email/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/email_auth.json b/objects/email_auth.json
index 39dc41ed4..aea926b0f 100644
--- a/objects/email_auth.json
+++ b/objects/email_auth.json
@@ -1,13 +1,13 @@
{
"caption": "Email Authentication",
- "name": "email_auth",
"description": "The Email Authentication object describes the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) attributes of an email.",
"extends": "object",
+ "name": "email_auth",
"attributes": {
- "dkim_domain": {
+ "dkim": {
"requirement": "recommended"
},
- "dkim": {
+ "dkim_domain": {
"requirement": "recommended"
},
"dkim_signature": {
diff --git a/objects/encryption_details.json b/objects/encryption_details.json
index b27119664..7f7582664 100644
--- a/objects/encryption_details.json
+++ b/objects/encryption_details.json
@@ -4,20 +4,6 @@
"extends": "object",
"name": "encryption_details",
"attributes": {
- "key_length": {
- "caption": "Encryption Key Length",
- "description": "The length of the encryption key used.",
- "requirement": "optional"
- },
- "key_uid": {
- "description": "The unique identifier of the key used for encrpytion. For example, AWS KMS Key ARN.",
- "requirement": "optional"
- },
- "type": {
- "caption": "Encryption Type",
- "description": "The type of the encryption used.",
- "requirement": "recommended"
- },
"algorithm": {
"caption": "Encryption Algorithm",
"description": "The encryption algorithm used, normalized to the caption of 'algorithm_id",
@@ -26,7 +12,6 @@
"algorithm_id": {
"caption": "Encryption Algorithm ID",
"description": "The encryption algorithm used.",
- "requirement": "recommended",
"enum": {
"1": {
"caption": "DES",
@@ -52,7 +37,22 @@
"caption": "SM2",
"description": "ShangMi Cryptographic Algorithm"
}
- }
+ },
+ "requirement": "recommended"
+ },
+ "key_length": {
+ "caption": "Encryption Key Length",
+ "description": "The length of the encryption key used.",
+ "requirement": "optional"
+ },
+ "key_uid": {
+ "description": "The unique identifier of the key used for encrpytion. For example, AWS KMS Key ARN.",
+ "requirement": "optional"
+ },
+ "type": {
+ "caption": "Encryption Type",
+ "description": "The type of the encryption used.",
+ "requirement": "recommended"
}
}
}
\ No newline at end of file
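Review bot: `key_length` is described only as "The length of the encryption key used." with no unit; bits and bytes differ by a factor of eight, and a consumer scoring cipher strength from this field cannot distinguish a 128-bit AES key from a 128-byte RSA modulus without it. State the unit in the description, e.g. `"description": "The length of the encryption key used, in bits."`, if bits is what the dictionary entry intends (confirm against dictionary.json, which is outside this diff). The `key_uid` description also carries the typo "encrpytion", which should read "encryption".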
diff --git a/objects/endpoint.json b/objects/endpoint.json
index 0706556f2..5a1788045 100644
--- a/objects/endpoint.json
+++ b/objects/endpoint.json
@@ -1,12 +1,9 @@
{
+ "observable": 20,
"caption": "Endpoint",
- "name": "endpoint",
"description": "The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices—like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats—are also endpoints.",
"extends": "_entity",
- "observable": 20,
- "profiles": [
- "container"
- ],
+ "name": "endpoint",
"attributes": {
"$include": [
"profiles/container.json"
@@ -73,6 +70,30 @@
"caption": "Server",
"description": "A server."
},
+ "10": {
+ "caption": "Switch",
+ "description": "A networking switch."
+ },
+ "11": {
+ "caption": "Hub",
+ "description": "A networking hub."
+ },
+ "12": {
+ "caption": "Router",
+ "description": "A networking router."
+ },
+ "13": {
+ "caption": "IDS",
+ "description": "An intrusion detection system."
+ },
+ "14": {
+ "caption": "IPS",
+ "description": "An intrusion prevention system."
+ },
+ "15": {
+ "caption": "Load Balancer",
+ "description": "A Load Balancer device."
+ },
"2": {
"caption": "Desktop",
"description": "A desktop computer."
@@ -104,30 +125,6 @@
"9": {
"caption": "Firewall",
"description": "A networking firewall."
- },
- "10": {
- "caption": "Switch",
- "description": "A networking switch."
- },
- "11": {
- "caption": "Hub",
- "description": "A networking hub."
- },
- "12": {
- "caption": "Router",
- "description": "A networking router."
- },
- "13": {
- "caption": "IDS",
- "description": "An intrusion detection system."
- },
- "14": {
- "caption": "IPS",
- "description": "An intrusion prevention system."
- },
- "15": {
- "caption": "Load Balancer",
- "description": "A Load Balancer device."
}
},
"requirement": "recommended"
@@ -155,5 +152,8 @@
"interface_uid",
"interface_name"
]
- }
-}
+ },
+ "profiles": [
+ "container"
+ ]
+}
\ No newline at end of file
diff --git a/objects/endpoint_connection.json b/objects/endpoint_connection.json
index 7c33f6793..f8eefafa5 100644
--- a/objects/endpoint_connection.json
+++ b/objects/endpoint_connection.json
@@ -1,25 +1,23 @@
{
- "caption": "Endpoint Connection",
- "name": "endpoint_connection",
- "description": "The Endpoint Connection object contains information detailing a connection attempt to an endpoint.",
- "extends": "object",
- "attributes": {
- "code": {
- "caption": "Response Code",
- "description": "A numerical response status code providing details about the connection.",
- "requirement": "recommended"
- },
- "network_endpoint": {
- "description": "Provides characteristics of the network endpoint.",
- "requirement": "recommended"
- }
+ "caption": "Endpoint Connection",
+ "description": "The Endpoint Connection object contains information detailing a connection attempt to an endpoint.",
+ "extends": "object",
+ "name": "endpoint_connection",
+ "attributes": {
+ "code": {
+ "caption": "Response Code",
+ "description": "A numerical response status code providing details about the connection.",
+ "requirement": "recommended"
},
- "constraints": {
- "at_least_one": [
- "network_endpoint",
- "code"
- ]
+ "network_endpoint": {
+ "description": "Provides characteristics of the network endpoint.",
+ "requirement": "recommended"
}
-}
-
-
\ No newline at end of file
+ },
+ "constraints": {
+ "at_least_one": [
+ "network_endpoint",
+ "code"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/objects/enrichment.json b/objects/enrichment.json
index e270aac93..8ae54aa5e 100644
--- a/objects/enrichment.json
+++ b/objects/enrichment.json
@@ -32,17 +32,17 @@
"description": "A short description of the enrichment data.",
"requirement": "recommended"
},
- "type": {
- "description": "The enrichment type. For example: location
.",
- "requirement": "recommended"
- },
"src_url": {
"description": "The URL of the source of the enrichment data.",
"requirement": "recommended"
},
+ "type": {
+ "description": "The enrichment type. For example: location
.",
+ "requirement": "recommended"
+ },
"value": {
"description": "The value of the attribute to which the enriched data pertains.",
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/environment_variable.json b/objects/environment_variable.json
index a53156c3a..710178478 100644
--- a/objects/environment_variable.json
+++ b/objects/environment_variable.json
@@ -1,17 +1,16 @@
{
- "caption": "Environment Variable",
- "description": "An environment variable.",
- "extends": "object",
- "name": "environment_variable",
- "attributes": {
- "name": {
- "description": "The name of the environment variable.",
- "requirement": "required"
- },
- "value": {
- "description": "The value of the environment variable.",
- "requirement": "required"
-
- }
+ "caption": "Environment Variable",
+ "description": "An environment variable.",
+ "extends": "object",
+ "name": "environment_variable",
+ "attributes": {
+ "name": {
+ "description": "The name of the environment variable.",
+ "requirement": "required"
+ },
+ "value": {
+ "description": "The value of the environment variable.",
+ "requirement": "required"
}
-}
+ }
+}
\ No newline at end of file
diff --git a/objects/evidences.json b/objects/evidences.json
index fba80c9e7..fb9dfa6d4 100644
--- a/objects/evidences.json
+++ b/objects/evidences.json
@@ -12,14 +12,14 @@
"description": "Describes details about the API call associated to the activity that triggered the detection.",
"requirement": "recommended"
},
- "container": {
- "description": "Describes details about the container associated to the activity that triggered the detection.",
- "requirement": "recommended"
- },
"connection_info": {
"description": "Describes details about the network connection associated to the activity that triggered the detection.",
"requirement": "recommended"
},
+ "container": {
+ "description": "Describes details about the container associated to the activity that triggered the detection.",
+ "requirement": "recommended"
+ },
"data": {
"description": "Additional evidence data that is not accounted for in the specific evidence attributes. Use only when absolutely necessary.
",
"requirement": "optional"
@@ -48,18 +48,22 @@
"description": "Describes details about the file associated to the activity that triggered the detection.",
"requirement": "recommended"
},
- "http_response": {
- "description": "Describes details about the http response associated to the activity that triggered the detection.",
- "requirement": "recommended"
- },
"http_request": {
"description": "Describes details about the http request associated to the activity that triggered the detection.",
"requirement": "recommended"
},
+ "http_response": {
+ "description": "Describes details about the http response associated to the activity that triggered the detection.",
+ "requirement": "recommended"
+ },
"ja4_fingerprint_list": {
"description": "Describes details about the JA4+ fingerprints that triggered the detection.",
"requirement": "recommended"
},
+ "job": {
+ "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.",
+ "requirement": "recommended"
+ },
"process": {
"description": "Describes details about the process associated to the activity that triggered the detection.",
"requirement": "recommended"
@@ -68,6 +72,10 @@
"description": "Describes details about the DNS query associated to the activity that triggered the detection.",
"requirement": "recommended"
},
+ "script": {
+ "description": "Describes details about the script that was associated with the activity that triggered the detection.",
+ "requirement": "recommended"
+ },
"src_endpoint": {
"description": "Describes details about the source of the network activity that triggered the detection.",
"requirement": "recommended"
@@ -83,14 +91,6 @@
"user": {
"description": "Describes details about the user that was the target or somehow else associated with the activity that triggered the detection.",
"requirement": "recommended"
- },
- "job": {
- "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.",
- "requirement": "recommended"
- },
- "script": {
- "description": "Describes details about the script that was associated with the activity that triggered the detection.",
- "requirement": "recommended"
}
},
"constraints": {
diff --git a/objects/extension.json b/objects/extension.json
index 6961ca6e5..cb7d198d3 100644
--- a/objects/extension.json
+++ b/objects/extension.json
@@ -1,8 +1,8 @@
{
"caption": "Schema Extension",
- "name": "extension",
"description": "The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.",
"extends": "_entity",
+ "name": "extension",
"attributes": {
"name": {
"description": "The schema extension name. For example: dev
.",
@@ -18,4 +18,4 @@
}
},
"constraints": {}
-}
+}
\ No newline at end of file
diff --git a/objects/feature.json b/objects/feature.json
index 3fdc3ef22..47e6cc5fc 100644
--- a/objects/feature.json
+++ b/objects/feature.json
@@ -1,8 +1,8 @@
{
"caption": "Feature",
- "name": "feature",
"description": "The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.",
"extends": "_entity",
+ "name": "feature",
"attributes": {
"name": {
"description": "The name of the feature."
@@ -15,4 +15,4 @@
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/file.json b/objects/file.json
index e2c6e9b64..d8e4e6cd5 100644
--- a/objects/file.json
+++ b/objects/file.json
@@ -1,13 +1,9 @@
{
- "caption": "File",
- "name": "file",
"observable": 24,
+ "caption": "File",
"description": "The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details.",
- "references": [{"url": "https://next.d3fend.mitre.org/dao/artifact/d3f:File/", "description": "D3FEND™ Ontology d3f:File"}],
"extends": "_entity",
- "profiles": [
- "data_classification"
- ],
+ "name": "file",
"attributes": {
"$include": [
"profiles/data_classification.json"
@@ -45,7 +41,7 @@
"drive_type": {
"requirement": "optional"
},
- "drive_type_id" : {
+ "drive_type_id": {
"requirement": "optional"
},
"encryption_details": {
@@ -72,13 +68,13 @@
"description": "Indicates if the file is encrypted.",
"requirement": "optional"
},
- "is_system": {
+ "is_public": {
+ "description": "Indicates if the file is publicly accessible. For example in an object's public access in AWS S3",
+ "profile": "cloud",
"requirement": "optional"
},
- "is_public":{
- "description": "Indicates if the file is publicly accessible. For example in an object's public access in AWS S3",
- "requirement": "optional",
- "profile": "cloud"
+ "is_system": {
+ "requirement": "optional"
},
"mime_type": {
"requirement": "optional"
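Review bot: The `is_public` description on the new side, "Indicates if the file is publicly accessible. For example in an object's public access in AWS S3", is missing its closing period and reads awkwardly; suggest `"description": "Indicates if the file is publicly accessible. For example, the public access setting of an object in AWS S3."`. Since the attribute is gated by the `cloud` profile, it may also be worth a clause noting that the flag reflects the storage service's access policy rather than local filesystem permissions, if that is the intended meaning.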
@@ -119,12 +115,12 @@
"size": {
"requirement": "optional"
},
- "storage_class":{
+ "storage_class": {
"description": "The storage class of the file. For example in AWS S3: STANDARD, STANDARD_IA, GLACIER
.",
- "requirement": "optional",
- "profile": "cloud"
+ "profile": "cloud",
+ "requirement": "optional"
},
- "tags":{
+ "tags": {
"description": "The list of tags; {key:value}
pairs associated to the file.",
"requirement": "optional"
},
@@ -181,5 +177,14 @@
"requirement": "optional"
}
},
- "constraints": {}
-}
+ "constraints": {},
+ "profiles": [
+ "data_classification"
+ ],
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:File",
+ "url": "https://next.d3fend.mitre.org/dao/artifact/d3f:File/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/finding.json b/objects/finding.json
index de6ec1bd1..ce140f190 100644
--- a/objects/finding.json
+++ b/objects/finding.json
@@ -62,4 +62,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/finding_info.json b/objects/finding_info.json
index 629f6a453..2fa8ca069 100644
--- a/objects/finding_info.json
+++ b/objects/finding_info.json
@@ -7,7 +7,7 @@
"analytic": {
"requirement": "recommended"
},
- "attacks":{
+ "attacks": {
"description": "The MITRE ATT&CK® technique and associated tactics related to the finding.",
"requirement": "optional"
},
@@ -45,14 +45,14 @@
"description": "The unique identifier of the product that reported the finding.",
"requirement": "optional"
},
- "related_events": {
+ "related_analytics": {
+ "description": "Other analytics related to this finding.",
"requirement": "optional"
},
- "related_events_count":{
+ "related_events": {
"requirement": "optional"
},
- "related_analytics": {
- "description": "Other analytics related to this finding.",
+ "related_events_count": {
"requirement": "optional"
},
"src_url": {
@@ -80,4 +80,4 @@
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/fingerprint.json b/objects/fingerprint.json
index d68cb7b97..b3f2a38d4 100644
--- a/objects/fingerprint.json
+++ b/objects/fingerprint.json
@@ -1,10 +1,9 @@
{
+ "observable": 30,
"caption": "Fingerprint",
"description": "The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:DigitalFingerprint/", "description": "D3FEND™ Ontology d3f:DigitalFingerprint."}],
"extends": "object",
"name": "fingerprint",
- "observable": 30,
"attributes": {
"algorithm": {
"description": "The hash algorithm used to create the digital fingerprint, normalized to the caption of algorithm_id
. In the case of Other
, it is defined by the event source.",
@@ -55,5 +54,11 @@
"requirement": "required",
"type": "file_hash_t"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:DigitalFingerprint.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:DigitalFingerprint/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/firewall_rule.json b/objects/firewall_rule.json
index aa67c0e8f..b1f9d03df 100644
--- a/objects/firewall_rule.json
+++ b/objects/firewall_rule.json
@@ -1,27 +1,27 @@
{
"caption": "Firewall Rule",
"description": "The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.",
- "name": "firewall_rule",
"extends": "rule",
+ "name": "firewall_rule",
"attributes": {
"condition": {
"requirement": "optional"
},
- "sensitivity": {
- "requirement": "optional"
- },
- "match_location": {
+ "duration": {
+ "description": "The rule response time duration, usually used for challenge completion time.",
"requirement": "optional"
- },
+ },
"match_details": {
"requirement": "optional"
- },
+ },
+ "match_location": {
+ "requirement": "optional"
+ },
"rate_limit": {
"requirement": "optional"
},
- "duration": {
- "description": "The rule response time duration, usually used for challenge completion time.",
+ "sensitivity": {
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/group.json b/objects/group.json
index 31ffe903a..5556ef6f8 100644
--- a/objects/group.json
+++ b/objects/group.json
@@ -1,9 +1,8 @@
{
"caption": "Group",
"description": "The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:AccessControlGroup/", "description": "D3FEND™ Ontology d3f:AccessControlGroup."}],
- "name": "group",
"extends": "_entity",
+ "name": "group",
"attributes": {
"desc": {
"description": "The group description.",
@@ -22,13 +21,19 @@
"requirement": "optional"
},
"type": {
- "description": "The type of the group or account.",
"caption": "Account Type",
+ "description": "The type of the group or account.",
"requirement": "optional"
},
"uid": {
"description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.",
"observable": 33
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:AccessControlGroup.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:AccessControlGroup/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/hassh.json b/objects/hassh.json
index 04646d8fd..1cace4beb 100644
--- a/objects/hassh.json
+++ b/objects/hassh.json
@@ -1,8 +1,8 @@
{
"caption": "HASSH",
"description": "The HASSH object contains SSH network fingerprinting values for specific client/server implementations. It provides a standardized way of identifying and categorizing SSH connections based on their unique characteristics and behavior.",
- "name": "hassh",
"extends": "object",
+ "name": "hassh",
"attributes": {
"algorithm": {
"description": "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation.",
@@ -13,4 +13,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/http_cookie.json b/objects/http_cookie.json
index 0e1ebd21a..39f1f0f77 100644
--- a/objects/http_cookie.json
+++ b/objects/http_cookie.json
@@ -1,7 +1,6 @@
{
"caption": "HTTP Cookie",
"description": "The HTTP Cookie object, also known as a web cookie or browser cookie, contains details and values pertaining to a small piece of data that a server sends to a user's web browser. This data is then stored by the browser and sent back to the server with subsequent requests, allowing the server to remember and track certain information about the user's browsing session or preferences.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:SessionCookie/", "description": "D3FEND™ Ontology d3f:SessionCookie."}],
"extends": "object",
"name": "http_cookie",
"attributes": {
@@ -40,5 +39,11 @@
"description": "The HTTP cookie value.",
"requirement": "required"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:SessionCookie.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:SessionCookie/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/http_header.json b/objects/http_header.json
index 8f56f2430..caaff4a20 100644
--- a/objects/http_header.json
+++ b/objects/http_header.json
@@ -13,4 +13,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/http_request.json b/objects/http_request.json
index abf5176df..79ecb9612 100644
--- a/objects/http_request.json
+++ b/objects/http_request.json
@@ -7,6 +7,11 @@
"args": {
"requirement": "optional"
},
+ "body_length": {
+ "caption": "Request Body Length",
+ "description": "The actual length of the HTTP request body, in number of bytes, independent of a potentially existing Content-Length header.",
+ "requirement": "optional"
+ },
"http_headers": {
"requirement": "recommended"
},
@@ -54,11 +59,6 @@
"description": "The length of the entire HTTP request, in number of bytes.",
"requirement": "optional"
},
- "body_length": {
- "caption": "Request Body Length",
- "description": "The actual length of the HTTP request body, in number of bytes, independent of a potentially existing Content-Length header.",
- "requirement": "optional"
- },
"referrer": {
"requirement": "optional"
},
@@ -82,4 +82,4 @@
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/http_response.json b/objects/http_response.json
index 2aa5c875d..884f91bad 100644
--- a/objects/http_response.json
+++ b/objects/http_response.json
@@ -4,6 +4,11 @@
"extends": "object",
"name": "http_response",
"attributes": {
+ "body_length": {
+ "caption": "Response Body Length",
+ "description": "The actual length of the HTTP response body, in number of bytes, independent of a potentially existing Content-Length header.",
+ "requirement": "optional"
+ },
"code": {
"description": "The Hypertext Transfer Protocol (HTTP) status code returned from the web server to the client. For example, 200.",
"requirement": "required"
@@ -22,17 +27,12 @@
"description": "The length of the entire HTTP response, in number of bytes.",
"requirement": "optional"
},
- "body_length": {
- "caption": "Response Body Length",
- "description": "The actual length of the HTTP response body, in number of bytes, independent of a potentially existing Content-Length header.",
- "requirement": "optional"
- },
"message": {
"requirement": "optional"
},
"status": {
- "requirement": "optional",
- "description": "The response status. For example: A successful HTTP status of 'OK' which corresponds to a code of 200."
+ "description": "The response status. For example: A successful HTTP status of 'OK' which corresponds to a code of 200.",
+ "requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/idp.json b/objects/idp.json
index 017c5c578..e4e6b45ff 100644
--- a/objects/idp.json
+++ b/objects/idp.json
@@ -8,10 +8,6 @@
"description": "The Authentication Factors object describes the different types of Multi-Factor Authentication (MFA) methods and/or devices supported by the Identity Provider.",
"requirement": "optional"
},
- "name": {
- "description": "The name of the Identity Provider.",
- "requirement": "recommended"
- },
"domain": {
"description": "The primary domain associated with the Identity Provider.",
"requirement": "optional"
@@ -30,6 +26,10 @@
"description": "The unique identifier (often a URL) used by the Identity Provider as its issuer.",
"requirement": "optional"
},
+ "name": {
+ "description": "The name of the Identity Provider.",
+ "requirement": "recommended"
+ },
"protocol_name": {
"caption": "Supported Protocol",
"description": "The supported protocol of the Identity Provider. E.g., SAML
, OIDC
, or OAuth2
.",
diff --git a/objects/image.json b/objects/image.json
index d77189ba3..7daf2e152 100644
--- a/objects/image.json
+++ b/objects/image.json
@@ -1,9 +1,8 @@
{
"caption": "Image",
- "name": "image",
"description": "The Image object provides a description of a specific Virtual Machine (VM) or Container image.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:ContainerImage/", "description": "D3FEND™ Ontology d3f:ContainerImage"}],
"extends": "_entity",
+ "name": "image",
"attributes": {
"labels": {
"description": "The list of labels associated to the image.",
@@ -28,5 +27,11 @@
"requirement": "required"
}
},
- "constraints": {}
+ "constraints": {},
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:ContainerImage",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:ContainerImage/"
+ }
+ ]
}
\ No newline at end of file
diff --git a/objects/ja4_fingerprint.json b/objects/ja4_fingerprint.json
index 001359fd5..e09b222df 100644
--- a/objects/ja4_fingerprint.json
+++ b/objects/ja4_fingerprint.json
@@ -74,4 +74,4 @@
"type": "string_t"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/job.json b/objects/job.json
index 350083c38..a6e81e910 100644
--- a/objects/job.json
+++ b/objects/job.json
@@ -1,9 +1,8 @@
{
"caption": "Job",
- "name": "job",
"description": "The Job object provides information about a scheduled job or task, including its name, command line, and state. It encompasses attributes that describe the properties and status of the scheduled job.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:ScheduledJob/", "description": "D3FEND™ Ontology d3f:ScheduledJob."}],
"extends": "object",
+ "name": "job",
"attributes": {
"cmd_line": {
"description": "The job command line.",
@@ -65,5 +64,11 @@
"description": "The user that created the job.",
"requirement": "optional"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:ScheduledJob.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:ScheduledJob/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/kb_article.json b/objects/kb_article.json
index 62e81453f..27a437438 100644
--- a/objects/kb_article.json
+++ b/objects/kb_article.json
@@ -8,6 +8,18 @@
"description": "The average time to patch.",
"requirement": "optional"
},
+ "bulletin": {
+ "description": "The kb article bulletin identifier.",
+ "requirement": "optional"
+ },
+ "classification": {
+ "description": "The vendors classification of the kb article.",
+ "requirement": "optional"
+ },
+ "created_time": {
+ "description": "The date the kb article was released by the vendor.",
+ "requirement": "optional"
+ },
"install_state": {
"description": "The install state of the kb article.",
"requirement": "recommended"
@@ -16,37 +28,21 @@
"description": "The normalized install state ID of the kb article.",
"requirement": "recommended"
},
- "title": {
- "description": "The title of the kb article.",
- "requirement": "recommended"
- },
- "uid": {
- "description": "The unique identifier for the kb article.",
- "requirement": "required"
+ "is_superseded": {
+ "description": "The kb article has been replaced by another.",
+ "requirement": "optional"
},
"os": {
"description": "The operating system the kb article applies.",
"requirement": "recommended"
},
- "severity": {
- "description": "The severity of the kb article.",
- "requirement": "recommended"
- },
- "bulletin": {
- "description": "The kb article bulletin identifier.",
- "requirement": "optional"
- },
"product": {
"description": "The product details the kb article applies.",
"requirement": "optional"
},
- "is_superseded": {
- "description": "The kb article has been replaced by another.",
- "requirement": "optional"
- },
- "created_time": {
- "description": "The date the kb article was released by the vendor.",
- "requirement": "optional"
+ "severity": {
+ "description": "The severity of the kb article.",
+ "requirement": "recommended"
},
"size": {
"description": "The size in bytes for the kb article.",
@@ -56,9 +52,13 @@
"description": "The kb article link from the source vendor.",
"requirement": "optional"
},
- "classification": {
- "description": "The vendors classification of the kb article.",
- "requirement": "optional"
+ "title": {
+ "description": "The title of the kb article.",
+ "requirement": "recommended"
+ },
+ "uid": {
+ "description": "The unique identifier for the kb article.",
+ "requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/kernel.json b/objects/kernel.json
index acc2cd793..b906131e4 100644
--- a/objects/kernel.json
+++ b/objects/kernel.json
@@ -1,9 +1,8 @@
{
"caption": "Kernel Resource",
- "name": "kernel",
"description": "The Kernel Resource object provides information about a specific kernel resource, including its name and type. It describes essential attributes associated with a resource managed by the kernel of an operating system.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Kernel/", "description": "D3FEND™ Ontology d3f:Kernel"}],
"extends": "object",
+ "name": "kernel",
"attributes": {
"is_system": {
"requirement": "optional"
@@ -35,5 +34,11 @@
},
"requirement": "required"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:Kernel",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:Kernel/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/kernel_driver.json b/objects/kernel_driver.json
index ab0c0b29c..a34d67ef6 100644
--- a/objects/kernel_driver.json
+++ b/objects/kernel_driver.json
@@ -1,14 +1,19 @@
{
"caption": "Kernel Extension",
- "name": "kernel_driver",
"description": "The Kernel Extension object describes a kernel driver that has been loaded or unloaded into the operating system (OS) kernel.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:KernelModule/", "description": "D3FEND™ Ontology d3f:KernelModule"}],
"extends": "object",
+ "name": "kernel_driver",
"attributes": {
"file": {
"description": "The driver/extension file object.",
"group": "primary",
"requirement": "required"
}
- }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:KernelModule",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:KernelModule/"
+ }
+ ]
}
\ No newline at end of file
diff --git a/objects/kill_chain_phase.json b/objects/kill_chain_phase.json
index 79cf6eb4b..f68125d8a 100644
--- a/objects/kill_chain_phase.json
+++ b/objects/kill_chain_phase.json
@@ -12,4 +12,4 @@
"sibling": "phase"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/load_balancer.json b/objects/load_balancer.json
index 0ca8d5c91..f3d64aab7 100644
--- a/objects/load_balancer.json
+++ b/objects/load_balancer.json
@@ -1,61 +1,59 @@
{
- "caption": "Load Balancer",
- "name": "load_balancer",
- "extends": "_entity",
- "description": "The load balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network.",
- "attributes": {
-
- "metrics": {
- "caption": "Metrics",
- "description": "General purpose metrics associated with the load balancer.",
- "is_array": true,
- "requirement": "optional"
- },
- "dst_endpoint": {
- "caption": "Destination Endpoint",
- "description": "The destination to which the load balancer is distributing traffic.",
- "requirement": "recommended"
- },
- "code": {
- "caption": "Response Code",
- "description": "The numeric response status code detailing the connection from the load balancer to the destination target.",
- "requirement": "recommended"
- },
- "endpoint_connections":{
- "caption": "Endpoint Connections",
- "description": "An object detailing the load balancer connection attempts and responses.",
- "requirement": "recommended"
- },
+ "caption": "Load Balancer",
+ "description": "The load balancer object describes the load balancer entity and contains additional information regarding the distribution of traffic across a network.",
+ "extends": "_entity",
+ "name": "load_balancer",
+ "attributes": {
"classification": {
- "caption": "Classification",
- "description": "The request classification as defined by the load balancer.",
- "requirement": "optional"
+ "caption": "Classification",
+ "description": "The request classification as defined by the load balancer.",
+ "requirement": "optional"
+ },
+ "code": {
+ "caption": "Response Code",
+ "description": "The numeric response status code detailing the connection from the load balancer to the destination target.",
+ "requirement": "recommended"
+ },
+ "dst_endpoint": {
+ "caption": "Destination Endpoint",
+ "description": "The destination to which the load balancer is distributing traffic.",
+ "requirement": "recommended"
+ },
+ "endpoint_connections": {
+ "caption": "Endpoint Connections",
+ "description": "An object detailing the load balancer connection attempts and responses.",
+ "requirement": "recommended"
},
- "ip": {
- "description": "The IP address of the load balancer node that handled the client request. Note: the load balancer may have other IP addresses, and this is not an IP address of the target/distribution endpoint - see dst_endpoint
.",
- "requirement": "optional"
- },
- "status_detail": {
- "caption": "Status Detail",
- "description": "The status detail contains additional status information about the load balancer distribution event.",
- "requirement": "optional"
- },
"error_message": {
- "caption": "Error Message",
- "description": "The load balancer error message.",
- "requirement": "optional"
- },
+ "caption": "Error Message",
+ "description": "The load balancer error message.",
+ "requirement": "optional"
+ },
+ "ip": {
+ "description": "The IP address of the load balancer node that handled the client request. Note: the load balancer may have other IP addresses, and this is not an IP address of the target/distribution endpoint - see dst_endpoint
.",
+ "requirement": "optional"
+ },
"message": {
- "caption": "Message",
- "description": "The load balancer message.",
- "requirement": "optional"
- },
+ "caption": "Message",
+ "description": "The load balancer message.",
+ "requirement": "optional"
+ },
+ "metrics": {
+ "caption": "Metrics",
+ "description": "General purpose metrics associated with the load balancer.",
+ "is_array": true,
+ "requirement": "optional"
+ },
"name": {
- "description": "The name of the load balancer."
- },
+ "description": "The name of the load balancer."
+ },
+ "status_detail": {
+ "caption": "Status Detail",
+ "description": "The status detail contains additional status information about the load balancer distribution event.",
+ "requirement": "optional"
+ },
"uid": {
- "description": "The unique identifier for the load balancer."
- }
-
+ "description": "The unique identifier for the load balancer."
}
-}
+ }
+}
\ No newline at end of file
diff --git a/objects/location.json b/objects/location.json
index d06feb941..e4e3b63fe 100644
--- a/objects/location.json
+++ b/objects/location.json
@@ -1,9 +1,9 @@
{
- "caption": "Geo Location",
- "name": "location",
"observable": 26,
+ "caption": "Geo Location",
"description": "The Geo Location object describes a geographical location, usually associated with an IP address.",
"extends": "object",
+ "name": "location",
"attributes": {
"aerial_height": {
"requirement": "optional"
@@ -60,7 +60,16 @@
},
"region": {
"description": "The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. For example, 'CH-VD' for the Canton of Vaud, Switzerland",
- "references": [{"url": "https://www.iso.org/iso-3166-country-codes.html", "description": "ISO Region Codes"}, {"url": "https://www.iso.org/obp/ui/#iso:code:3166:US", "description": "U.S. Region Codes"}],
+ "references": [
+ {
+ "description": "ISO Region Codes",
+ "url": "https://www.iso.org/iso-3166-country-codes.html"
+ },
+ {
+ "description": "U.S. Region Codes",
+ "url": "https://www.iso.org/obp/ui/#iso:code:3166:US"
+ }
+ ],
"requirement": "optional"
}
},
diff --git a/objects/logger.json b/objects/logger.json
index 42cc4e535..157f54d44 100644
--- a/objects/logger.json
+++ b/objects/logger.json
@@ -1,8 +1,8 @@
{
"caption": "Logger",
"description": "The Logger object represents the device and product where events are stored with times for receipt and transmission. This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.",
- "name": "logger",
"extends": "_entity",
+ "name": "logger",
"attributes": {
"device": {
"description": "The device where the events are logged.",
diff --git a/objects/long_string.json b/objects/long_string.json
index fa9f9123b..fb2f1d175 100644
--- a/objects/long_string.json
+++ b/objects/long_string.json
@@ -4,17 +4,17 @@
"extends": "object",
"name": "long_string",
"attributes": {
- "value": {
- "description": "The string value, truncated if is_truncated
is true
.",
- "requirement" : "required"
- },
"is_truncated": {
"description": "Indicates that value
has been truncated. May be omitted if truncation has not occurred.",
- "requirement" : "optional"
+ "requirement": "optional"
},
"untruncated_size": {
"description": "The size in bytes of the string represented by value
before truncation. Should be omitted if truncation has not occurred.",
- "requirement" : "optional"
+ "requirement": "optional"
+ },
+ "value": {
+ "description": "The string value, truncated if is_truncated
is true
.",
+ "requirement": "required"
}
}
}
\ No newline at end of file
diff --git a/objects/malware.json b/objects/malware.json
index ab638cde2..589444876 100644
--- a/objects/malware.json
+++ b/objects/malware.json
@@ -6,35 +6,10 @@
"attributes": {
"classification_ids": {
"description": "The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types ",
- "requirement": "required",
"enum": {
"1": {
"caption": "Adware"
},
- "2": {
- "caption": "Backdoor"
- },
- "3": {
- "caption": "Bot"
- },
- "4": {
- "caption": "Bootkit"
- },
- "5": {
- "caption": "DDOS"
- },
- "6": {
- "caption": "Downloader"
- },
- "7": {
- "caption": "Dropper"
- },
- "8": {
- "caption": "Exploit-Kit"
- },
- "9": {
- "caption": "Keylogger"
- },
"10": {
"caption": "Ransomware"
},
@@ -62,6 +37,9 @@
"19": {
"caption": "Virus"
},
+ "2": {
+ "caption": "Backdoor"
+ },
"20": {
"caption": "Webshell"
},
@@ -70,8 +48,30 @@
},
"22": {
"caption": "Worm"
+ },
+ "3": {
+ "caption": "Bot"
+ },
+ "4": {
+ "caption": "Bootkit"
+ },
+ "5": {
+ "caption": "DDOS"
+ },
+ "6": {
+ "caption": "Downloader"
+ },
+ "7": {
+ "caption": "Dropper"
+ },
+ "8": {
+ "caption": "Exploit-Kit"
+ },
+ "9": {
+ "caption": "Keylogger"
}
- }
+ },
+ "requirement": "required"
},
"classifications": {
"description": "The list of malware classifications, normalized to the captions of the classification_ids
values. In the case of 'Other', they are defined by the event source.",
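Review bot: The `classification_ids` enum keys are now ordered as strings, so `"2"` lands after `"19"` and `"3"` through `"9"` after `"22"`, which makes the list hard to scan and hides gaps in the identifier range. Since these keys are numeric identifiers, the sort used for this commit should compare them numerically (a natural sort) rather than lexically, keeping `"1"`, `"2"`, … `"22"` in sequence. The same ordering shows up in the second hunk of this file, where `"2"` is inserted after `"19"`, and will affect every other enum with more than nine values that this formatter touches.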
diff --git a/objects/managed_entity.json b/objects/managed_entity.json
index c248c911c..d69794adb 100644
--- a/objects/managed_entity.json
+++ b/objects/managed_entity.json
@@ -8,15 +8,33 @@
"description": "The managed entity content as a JSON object.",
"requirement": "optional"
},
+ "device": {
+ "requirement": "recommended"
+ },
+ "email": {
+ "requirement": "recommended"
+ },
+ "group": {
+ "requirement": "recommended"
+ },
+ "location": {
+ "requirement": "optional"
+ },
"name": {
"description": "The name of the managed entity."
},
+ "org": {
+ "requirement": "recommended"
+ },
+ "policy": {
+ "description": "Describes details of a managed policy.",
+ "requirement": "recommended"
+ },
"type": {
"description": "The managed entity type. For example: policy
, user
, organizational unit
, device
.",
"requirement": "recommended"
},
"type_id": {
- "requirement": "recommended",
"description": "The type of the Managed Entity. It is recommended to also populate the type
attribute with the associated label, or the source specific name if Other
.",
"enum": {
"1": {
@@ -43,33 +61,15 @@
"caption": "Email",
"description": "A managed Email entity. This item corresponds to population of the email
attribute."
}
- }
- },
- "device": {
- "requirement": "recommended"
- },
- "email": {
- "requirement": "recommended"
- },
- "group": {
+ },
"requirement": "recommended"
},
- "org": {
- "requirement": "recommended"
- },
- "policy": {
- "requirement": "recommended",
- "description": "Describes details of a managed policy."
- },
"uid": {
"description": "The identifier of the managed entity."
},
"user": {
"requirement": "recommended"
},
- "location": {
- "requirement": "optional"
- },
"version": {
"description": "The version of the managed entity. For example: 1.2.3
.",
"requirement": "recommended"
@@ -78,7 +78,7 @@
"constraints": {
"at_least_one": [
"name",
- "uid",
+ "uid",
"device",
"group",
"org",
diff --git a/objects/metadata.json b/objects/metadata.json
index 413f71222..c62655d12 100644
--- a/objects/metadata.json
+++ b/objects/metadata.json
@@ -1,9 +1,8 @@
{
"caption": "Metadata",
- "name": "metadata",
"description": "The Metadata object describes the metadata associated with the event.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Metadata/", "description": "D3FEND™ Ontology d3f:Metadata"}],
"extends": "object",
+ "name": "metadata",
"attributes": {
"$include": [
"profiles/data_classification.json"
@@ -83,5 +82,11 @@
},
"profiles": [
"data_classification"
+ ],
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:Metadata",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:Metadata/"
+ }
]
}
\ No newline at end of file
diff --git a/objects/module.json b/objects/module.json
index bedc4fa6c..4ba07be03 100644
--- a/objects/module.json
+++ b/objects/module.json
@@ -19,7 +19,6 @@
},
"load_type_id": {
"description": "The normalized identifier for how the module was loaded in memory.",
- "requirement": "required",
"enum": {
"1": {
"caption": "Standard",
@@ -41,7 +40,8 @@
"caption": "NonStandard Backed",
"description": "A module loaded in a non standard way. However, GetModuleFileName succeeds on this allocation."
}
- }
+ },
+ "requirement": "required"
},
"start_address": {
"requirement": "recommended"
diff --git a/objects/network_connection_info.json b/objects/network_connection_info.json
index d4fa68e9b..bafaa3ff5 100644
--- a/objects/network_connection_info.json
+++ b/objects/network_connection_info.json
@@ -1,9 +1,8 @@
{
"caption": "Network Connection Information",
- "name": "network_connection_info",
"description": "The Network Connection Information object describes characteristics of an OSI Transport Layer communication, including TCP and UDP.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/", "description": "D3FEND™ Ontology d3f:NetworkSession"}],
"extends": "object",
+ "name": "network_connection_info",
"attributes": {
"boundary": {
"requirement": "optional"
@@ -28,8 +27,8 @@
"description": "The IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). For example: tcp
or udp
.",
"references": [
{
- "url": "https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml",
- "description": "IANA Protocol Numbers"
+ "description": "IANA Protocol Numbers",
+ "url": "https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"
}
],
"requirement": "recommended"
@@ -72,5 +71,11 @@
"description": "The unique identifier of the connection.",
"requirement": "recommended"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:NetworkSession",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:NetworkSession/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/network_endpoint.json b/objects/network_endpoint.json
index 8e0be8ab5..fd50679dd 100644
--- a/objects/network_endpoint.json
+++ b/objects/network_endpoint.json
@@ -10,14 +10,14 @@
"intermediate_ips": {
"requirement": "optional"
},
- "proxy_endpoint": {
- "description": "The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).",
- "requirement": "optional"
- },
"port": {
"description": "The port used for communication within the network connection.",
"requirement": "recommended"
},
+ "proxy_endpoint": {
+ "description": "The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT).",
+ "requirement": "optional"
+ },
"svc_name": {
"requirement": "recommended"
},
@@ -41,4 +41,4 @@
"domain"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/network_interface.json b/objects/network_interface.json
index e5802fdaa..042cf8c22 100644
--- a/objects/network_interface.json
+++ b/objects/network_interface.json
@@ -66,4 +66,4 @@
"hostname"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/network_proxy.json b/objects/network_proxy.json
index 2aa92418b..18a67d72c 100644
--- a/objects/network_proxy.json
+++ b/objects/network_proxy.json
@@ -1,9 +1,13 @@
{
"caption": "Network Proxy Endpoint",
- "name": "network_proxy",
"description": "The network proxy endpoint object describes a proxy server, which acts as an intermediary between a client requesting a resource and the server providing that resource.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:ProxyServer/", "description": "D3FEND™ Ontology d3f:ProxyServer"}],
"extends": "network_endpoint",
- "attributes": {
- }
+ "name": "network_proxy",
+ "attributes": {},
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:ProxyServer",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:ProxyServer/"
+ }
+ ]
}
\ No newline at end of file
diff --git a/objects/network_traffic.json b/objects/network_traffic.json
index f0fd83b07..ae07cc2a1 100644
--- a/objects/network_traffic.json
+++ b/objects/network_traffic.json
@@ -1,9 +1,8 @@
{
"caption": "Network Traffic",
- "name": "network_traffic",
"description": "The Network Traffic object describes characteristics of network traffic. Network traffic refers to data moving across a network at a given point of time.",
- "references": [{"description": "D3FEND™ Ontology d3f:NetworkTraffic", "url": "https://d3fend.mitre.org/dao/artifact/d3f:NetworkTraffic/"}],
"extends": "object",
+ "name": "network_traffic",
"attributes": {
"bytes": {
"requirement": "recommended"
@@ -38,5 +37,11 @@
"packets_out": {
"requirement": "optional"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:NetworkTraffic",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:NetworkTraffic/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/observable.json b/objects/observable.json
index 24db90165..ff7cbd6e5 100644
--- a/objects/observable.json
+++ b/objects/observable.json
@@ -17,7 +17,6 @@
},
"type_id": {
"description": "The observable value type identifier.",
- "requirement": "required",
"enum": {
"0": {
"caption": "Unknown",
@@ -27,7 +26,8 @@
"caption": "Other",
"description": "The observable data type is not mapped. See the type
attribute, which may contain data source specific value."
}
- }
+ },
+ "requirement": "required"
},
"value": {
"description": "The value associated with the observable attribute. The meaning of the value depends on the observable type.name
refers to a scalar attribute, then the value
is the value of the attribute.name
refers to an object attribute, then the value
is not populated.",
@@ -36,8 +36,8 @@
},
"references": [
{
- "url": "https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining and Using Observables.md",
- "description": "OCSF Observables FAQ"
+ "description": "OCSF Observables FAQ",
+ "url": "https://github.com/ocsf/ocsf-docs/blob/main/Articles/Defining and Using Observables.md"
}
]
}
\ No newline at end of file
diff --git a/objects/organization.json b/objects/organization.json
index 151a3f0ae..82bfd5f61 100644
--- a/objects/organization.json
+++ b/objects/organization.json
@@ -8,15 +8,15 @@
"description": "The name of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, Widget, Inc.
or the AWS Organization name
."
},
"ou_name": {
- "requirement": "recommended",
- "description": "The name of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, the GCP Project Name
, or Dev_Prod_OU
."
+ "description": "The name of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, the GCP Project Name
, or Dev_Prod_OU
.",
+ "requirement": "recommended"
},
"ou_uid": {
- "requirement": "optional",
- "description": "The unique identifier of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, an Oracle Cloud Tenancy ID
, AWS OU ID
, or GCP Folder ID
."
+ "description": "The unique identifier of an organizational unit, Google Cloud Folder, or AWS Org Unit. For example, an Oracle Cloud Tenancy ID
, AWS OU ID
, or GCP Folder ID
.",
+ "requirement": "optional"
},
"uid": {
"description": "The unique identifier of the organization, Oracle Cloud Tenancy, Google Cloud Organization, or AWS Organization. For example, an AWS Org ID
or Oracle Cloud Domain ID
."
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/os.json b/objects/os.json
index ac279fb59..f2063ef5c 100644
--- a/objects/os.json
+++ b/objects/os.json
@@ -1,16 +1,20 @@
{
"caption": "Operating System (OS)",
- "name": "os",
"description": "The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:OperatingSystem/", "description": "D3FEND™ Ontology d3f:OperatingSystem"}],
"extends": "object",
+ "name": "os",
"attributes": {
"build": {
"requirement": "optional"
},
"country": {
- "references": [{"url": "https://www.iso.org/obp/ui/#iso:pub:PUB500001:en", "description": "ISO 3166-1 alpha-2 codes"}],
"description": "The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code).Note: The two letter country code should be capitalized. For example: US
or CA
.
IAM Policy
."
},
@@ -21,11 +26,6 @@
"version": {
"description": "The policy version number.",
"requirement": "recommended"
- },
- "is_applied": {
- "caption": "Applied",
- "description": "A determination if the content of a policy was applied to a target or request, or not.",
- "requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
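Review bot: The removed `is_applied` block (caption `Applied`, requirement `recommended`) just before the object's closing brace is not re-added anywhere in the visible hunks. Every other change in this commit only moves keys to alphabetical position (compare `references` and `profiles` in process.json), so this is presumably a move to earlier in the same object that the garbled preceding hunk would have shown; if it is in fact a deletion, dropping a recommended attribute is a breaking schema change for producers already emitting `is_applied` and for consumers keying on it, and should be announced via an `"@deprecated": {"since": "...", "message": "..."}` block like the one kept for `lineage` in process.json rather than removed outright. The enclosing object starts outside this hunk, and its file header is not visible.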
diff --git a/objects/process.json b/objects/process.json
index 13e7c37bf..417a91e5e 100644
--- a/objects/process.json
+++ b/objects/process.json
@@ -1,13 +1,9 @@
{
+ "observable": 25,
"caption": "Process",
- "name": "process",
"description": "The Process object describes a running instance of a launched program.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Process/", "description": "D3FEND™ Ontology d3f:Process"}],
"extends": "process_entity",
- "observable": 25,
- "profiles": [
- "container"
- ],
+ "name": "process",
"attributes": {
"$include": [
"profiles/container.json"
@@ -31,8 +27,8 @@
},
"lineage": {
"@deprecated": {
- "since": "1.4.0",
- "message": "Use the ancestry
attribute."
+ "message": "Use the ancestry
attribute.",
+ "since": "1.4.0"
},
"requirement": "optional"
},
@@ -73,5 +69,14 @@
"pid",
"uid"
]
- }
-}
+ },
+ "profiles": [
+ "container"
+ ],
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:Process",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:Process/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/process_entity.json b/objects/process_entity.json
index 33514ae89..14685702a 100644
--- a/objects/process_entity.json
+++ b/objects/process_entity.json
@@ -1,32 +1,38 @@
{
- "caption": "Process Entity",
- "description": "The Process Entity object provides critical fields for referencing a process.",
- "name": "process_entity",
- "extends": "_entity",
- "attributes": {
- "cmd_line": {
- "requirement": "recommended"
- },
- "created_time": {
- "description": "The time when the process was created/started.",
- "requirement": "recommended"
- },
- "name": {
- "description": "The friendly name of the process, for example: Notepad++
.",
- "type": "process_name_t"
- },
- "path":{
- "description": "The process file path.",
- "requirement": "optional"
- },
- "pid": {
- "requirement": "recommended"
- },
- "uid": {
- "description": "A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process."
- }
+ "caption": "Process Entity",
+ "description": "The Process Entity object provides critical fields for referencing a process.",
+ "extends": "_entity",
+ "name": "process_entity",
+ "attributes": {
+ "cmd_line": {
+ "requirement": "recommended"
},
- "constraints": {
- "at_least_one": ["cmd_line", "name", "path", "pid", "uid"]
+ "created_time": {
+ "description": "The time when the process was created/started.",
+ "requirement": "recommended"
+ },
+ "name": {
+ "description": "The friendly name of the process, for example: Notepad++
.",
+ "type": "process_name_t"
+ },
+ "path": {
+ "description": "The process file path.",
+ "requirement": "optional"
+ },
+ "pid": {
+ "requirement": "recommended"
+ },
+ "uid": {
+ "description": "A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process."
}
-}
+ },
+ "constraints": {
+ "at_least_one": [
+ "cmd_line",
+ "name",
+ "path",
+ "pid",
+ "uid"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/objects/product.json b/objects/product.json
index f5470e7d4..78c821a94 100644
--- a/objects/product.json
+++ b/objects/product.json
@@ -3,17 +3,14 @@
"description": "The Product object describes characteristics of a software product.",
"extends": "_entity",
"name": "product",
- "profiles": [
- "data_classification"
- ],
"attributes": {
"$include": [
"profiles/data_classification.json"
],
- "feature": {
+ "cpe_name": {
"requirement": "optional"
},
- "cpe_name": {
+ "feature": {
"requirement": "optional"
},
"lang": {
@@ -41,5 +38,8 @@
"description": "The version of the product, as defined by the event source. For example: 2013.1.3-beta
.",
"requirement": "recommended"
}
- }
-}
+ },
+ "profiles": [
+ "data_classification"
+ ]
+}
\ No newline at end of file
diff --git a/objects/query_info.json b/objects/query_info.json
index 1f2918bdc..d2791b819 100644
--- a/objects/query_info.json
+++ b/objects/query_info.json
@@ -4,28 +4,28 @@
"extends": "_entity",
"name": "query_info",
"attributes": {
- "query_time": {
- "description": "The time when the query was run.",
+ "bytes": {
+ "description": "The size of the data returned from the query.",
"requirement": "optional"
},
- "query_string": {
- "caption": "Query String",
- "description": "A string representing the query code being run. For example: SELECT * FROM my_table
",
- "requirement": "required"
- },
"data": {
"description": "The data returned from the query execution.",
"requirement": "optional"
},
- "bytes": {
- "description": "The size of the data returned from the query.",
- "requirement": "optional"
- },
"name": {
"description": "The query name for a saved or scheduled query."
},
+ "query_string": {
+ "caption": "Query String",
+ "description": "A string representing the query code being run. For example: SELECT * FROM my_table
",
+ "requirement": "required"
+ },
+ "query_time": {
+ "description": "The time when the query was run.",
+ "requirement": "optional"
+ },
"uid": {
"description": "The unique identifier of the query."
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/related_event.json b/objects/related_event.json
index 11ca82d80..91c67299b 100644
--- a/objects/related_event.json
+++ b/objects/related_event.json
@@ -45,12 +45,12 @@
"description": "The unique identifier of the product that reported the related event.",
"requirement": "optional"
},
- "severity_id": {
- "requirement": "recommended"
- },
"severity": {
"requirement": "optional"
},
+ "severity_id": {
+ "requirement": "recommended"
+ },
"tags": {
"description": "The list of tags; {key:value}
pairs associated with the related event/finding.",
"requirement": "optional"
diff --git a/objects/remediation.json b/objects/remediation.json
index 9cc48bb08..d151d5120 100644
--- a/objects/remediation.json
+++ b/objects/remediation.json
@@ -8,15 +8,15 @@
"description": "The description of the remediation strategy.",
"requirement": "required"
},
- "references": {
- "description": "A list of supporting URL/s, references that help describe the remediation strategy.",
+ "kb_article_list": {
"requirement": "optional"
},
"kb_articles": {
"requirement": "optional"
},
- "kb_article_list": {
+ "references": {
+ "description": "A list of supporting URL/s, references that help describe the remediation strategy.",
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/request.json b/objects/request.json
index 1132b88c9..f438b137b 100644
--- a/objects/request.json
+++ b/objects/request.json
@@ -20,4 +20,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/response.json b/objects/response.json
index 7de60eedd..b388d5408 100644
--- a/objects/response.json
+++ b/objects/response.json
@@ -28,4 +28,4 @@
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/rpc_interface.json b/objects/rpc_interface.json
index d338bf01c..748b7468b 100644
--- a/objects/rpc_interface.json
+++ b/objects/rpc_interface.json
@@ -1,8 +1,8 @@
{
"caption": "RPC Interface",
- "name": "rpc_interface",
"description": "The RPC Interface represents the remote procedure call interface used in the DCE/RPC session.",
"extends": "object",
+ "name": "rpc_interface",
"attributes": {
"ack_reason": {
"requirement": "recommended"
diff --git a/objects/sbom.json b/objects/sbom.json
index ce2c01c62..34efa6dda 100644
--- a/objects/sbom.json
+++ b/objects/sbom.json
@@ -4,20 +4,20 @@
"extends": "object",
"name": "sbom",
"attributes": {
- "package":{
- "description": "The device software that is being discovered by an inventory process.",
- "requirement": "required"
+ "created_time": {
+ "description": "The time when the SBOM was created.",
+ "requirement": "recommended"
},
- "software_components":{
+ "package": {
+ "description": "The device software that is being discovered by an inventory process.",
"requirement": "required"
},
"product": {
"description": "The product that generated the SBOM e.g. cdxgen or Syft.",
"requirement": "recommended"
},
- "created_time":{
- "description": "The time when the SBOM was created.",
- "requirement": "recommended"
+ "software_components": {
+ "requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/scan.json b/objects/scan.json
index d6d902601..4cad43eeb 100644
--- a/objects/scan.json
+++ b/objects/scan.json
@@ -12,51 +12,51 @@
"requirement": "optional"
},
"type_id": {
- "description": "The type id of the scan.",
- "requirement": "required",
- "enum": {
- "0": {
- "caption": "Unknown"
- },
- "1": {
- "description": "The scan was manually initiated by the user or administrator.",
- "caption": "Manual"
- },
- "2": {
- "description": "The scan was started based on scheduler.",
- "caption": "Scheduled"
- },
- "3": {
- "description": "The scan was triggered by a content update.",
- "caption": "Updated Content"
- },
- "4": {
- "description": "The scan was triggered by newly quarantined items.",
- "caption": "Quarantined Items"
- },
- "5": {
- "description": "The scan was triggered by the attachment of removable media.",
- "caption": "Attached Media"
- },
- "6": {
- "description": "The scan was started due to a user logon.",
- "caption": "User Logon"
- },
- "7": {
- "description": "The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.",
- "caption": "ELAM"
- },
- "99": {
- "caption": "Other",
- "description": "The scan type id is not mapped. See the type
attribute, which contains a data source specific value."
- }
- },
- "sibling": "type",
- "type": "integer_t"
+ "description": "The type id of the scan.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Manual",
+ "description": "The scan was manually initiated by the user or administrator."
+ },
+ "2": {
+ "caption": "Scheduled",
+ "description": "The scan was started based on scheduler."
+ },
+ "3": {
+ "caption": "Updated Content",
+ "description": "The scan was triggered by a content update."
+ },
+ "4": {
+ "caption": "Quarantined Items",
+ "description": "The scan was triggered by newly quarantined items."
+ },
+ "5": {
+ "caption": "Attached Media",
+ "description": "The scan was triggered by the attachment of removable media."
+ },
+ "6": {
+ "caption": "User Logon",
+ "description": "The scan was started due to a user logon."
+ },
+ "7": {
+ "caption": "ELAM",
+ "description": "The scan was triggered by an Early Launch Anti-Malware (ELAM) detection."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The scan type id is not mapped. See the type
attribute, which contains a data source specific value."
+ }
},
- "uid": {
- "description": "The application-defined unique identifier assigned to an instance of a scan.",
- "caption": "Scan UID"
- }
+ "requirement": "required",
+ "sibling": "type",
+ "type": "integer_t"
+ },
+ "uid": {
+ "caption": "Scan UID",
+ "description": "The application-defined unique identifier assigned to an instance of a scan."
}
-}
+ }
+}
\ No newline at end of file
diff --git a/objects/scim.json b/objects/scim.json
index e1eb30a09..945b4a42c 100644
--- a/objects/scim.json
+++ b/objects/scim.json
@@ -1,122 +1,121 @@
{
- "caption": "SCIM",
- "description": "The System for Cross-domain Identity Management (SCIM) Configuration object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in RFC-7634",
- "extends": "object",
- "name": "scim",
- "attributes": {
- "auth_protocol": {
- "description": "The authorization protocol as defined by the caption of auth_protocol_id
. In the case of Other
, it is defined by the event source.",
- "requirement": "optional"
- },
- "auth_protocol_id": {
- "description": "The normalized identifier of the authorization protocol used by the SCIM resource.",
- "requirement": "optional"
- },
- "created_time": {
- "description": "When the SCIM resource was added to the service provider.",
- "requirement": "optional"
- },
- "error_message": {
- "caption": "Last Error Message",
- "description": "Message or code associated with the last encountered error.",
- "requirement": "optional"
- },
- "is_group_provisioning_enabled": {
- "caption": "SCIM Group Provisioning Enabled",
- "description": "Indicates whether the SCIM resource is configured to provision groups, automatically or otherwise.",
- "requirement": "optional"
- },
- "is_user_provisioning_enabled": {
- "caption": "SCIM User Provisioning Enabled",
- "description": "Indicates whether the SCIM resource is configured to provision users, automatically or otherwise.",
- "requirement": "optional"
- },
- "last_run_time": {
- "caption": "Last Sync Time",
- "description": "Timestamp of the most recent successful synchronization.",
- "requirement": "optional"
- },
- "modified_time": {
- "description": "The most recent time when the SCIM resource was updated at the service provider.",
- "requirement": "optional"
- },
- "name": {
- "description": "The name of the SCIM resource.",
- "requirement": "recommended"
- },
- "protocol_name": {
- "caption": "Supported Protocol",
- "description": "The supported protocol for the SCIM resource. E.g., SAML
, OIDC
, or OAuth2
.",
- "requirement": "optional"
- },
- "rate_limit": {
- "description": "Maximum number of requests allowed by the SCIM resource within a specified time frame to avoid throttling.",
- "requirement": "optional"
- },
- "scim_group_schema": {
- "requirement": "recommended"
- },
- "scim_user_schema": {
- "requirement": "recommended"
- },
- "state": {
- "description": "The provisioning state of the SCIM resource, normalized to the caption of the state_id
value. In the case of Other
, it is defined by the event source.",
- "requirement": "optional"
- },
- "state_id": {
- "description": "The normalized state ID of the SCIM resource to reflect its activation status.",
- "enum": {
- "0": {
- "caption": "Unknown",
- "description": "The provisioning state of the SCIM resource is unknown."
- },
- "1": {
- "caption": "Pending",
- "description": "The SCIM resource is Pending activation or creation."
- },
- "2": {
- "caption": "Active",
- "description": "The SCIM resource is in an Active state, or otherwise enabled."
- },
- "3": {
- "caption": "Failed",
- "description": "The SCIM resource is in a Failed state."
- },
- "4": {
- "caption": "Deleted",
- "description": "The SCIM resource is in a Deleted state, or otherwise disabled."
- },
- "99": {
- "caption": "Other",
- "description": "The provisioning state of the SCIM resource is not mapped. See the state
attribute, which contains a data source specific value."
- }
+ "caption": "SCIM",
+ "description": "The System for Cross-domain Identity Management (SCIM) Configuration object provides a structured set of attributes related to SCIM protocols used for identity provisioning and management across cloud-based platforms. It standardizes user and group provisioning details, enabling identity synchronization and lifecycle management with compatible Identity Providers (IdPs) and applications. SCIM is defined in RFC-7634",
+ "extends": "object",
+ "name": "scim",
+ "attributes": {
+ "auth_protocol": {
+ "description": "The authorization protocol as defined by the caption of auth_protocol_id
. In the case of Other
, it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "auth_protocol_id": {
+ "description": "The normalized identifier of the authorization protocol used by the SCIM resource.",
+ "requirement": "optional"
+ },
+ "created_time": {
+ "description": "When the SCIM resource was added to the service provider.",
+ "requirement": "optional"
+ },
+ "error_message": {
+ "caption": "Last Error Message",
+ "description": "Message or code associated with the last encountered error.",
+ "requirement": "optional"
+ },
+ "is_group_provisioning_enabled": {
+ "caption": "SCIM Group Provisioning Enabled",
+ "description": "Indicates whether the SCIM resource is configured to provision groups, automatically or otherwise.",
+ "requirement": "optional"
+ },
+ "is_user_provisioning_enabled": {
+ "caption": "SCIM User Provisioning Enabled",
+ "description": "Indicates whether the SCIM resource is configured to provision users, automatically or otherwise.",
+ "requirement": "optional"
+ },
+ "last_run_time": {
+ "caption": "Last Sync Time",
+ "description": "Timestamp of the most recent successful synchronization.",
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The most recent time when the SCIM resource was updated at the service provider.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The name of the SCIM resource.",
+ "requirement": "recommended"
+ },
+ "protocol_name": {
+ "caption": "Supported Protocol",
+ "description": "The supported protocol for the SCIM resource. E.g., SAML
, OIDC
, or OAuth2
.",
+ "requirement": "optional"
+ },
+ "rate_limit": {
+ "description": "Maximum number of requests allowed by the SCIM resource within a specified time frame to avoid throttling.",
+ "requirement": "optional"
+ },
+ "scim_group_schema": {
+ "requirement": "recommended"
+ },
+ "scim_user_schema": {
+ "requirement": "recommended"
+ },
+ "state": {
+ "description": "The provisioning state of the SCIM resource, normalized to the caption of the state_id
value. In the case of Other
, it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "state_id": {
+ "description": "The normalized state ID of the SCIM resource to reflect its activation status.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The provisioning state of the SCIM resource is unknown."
},
- "requirement": "optional"
- },
- "vendor_name": {
- "caption": "Service Provider",
- "description": "Name of the vendor or service provider implementing SCIM. E.g., Okta
, Auth0
, Microsoft
.",
- "requirement": "optional"
- },
- "version": {
- "caption": "SCIM Version",
- "description": "SCIM protocol version supported e.g., SCIM 2.0
.",
- "requirement": "recommended"
- },
- "uid": {
- "description": "A unique identifier for a SCIM resource as defined by the service provider.",
- "requirement": "recommended"
- },
- "uid_alt": {
- "caption": "External ID",
- "description": "A String that is an identifier for the resource as defined by the provisioning client. The externalId
may simplify identification of a resource between the provisioning client and the service provider by allowing the client to use a filter to locate the resource with an identifier from the provisioning domain, obviating the need to store a local mapping between the provisioning domain's identifier of the resource and the identifier used by the service provider.",
- "requirement": "optional"
- },
- "url_string": {
- "caption": "SCIM Endpoint URL",
- "description": "The primary URL for SCIM API requests.",
- "requirement": "optional"
- }
+ "1": {
+ "caption": "Pending",
+ "description": "The SCIM resource is Pending activation or creation."
+ },
+ "2": {
+ "caption": "Active",
+ "description": "The SCIM resource is in an Active state, or otherwise enabled."
+ },
+ "3": {
+ "caption": "Failed",
+ "description": "The SCIM resource is in a Failed state."
+ },
+ "4": {
+ "caption": "Deleted",
+ "description": "The SCIM resource is in a Deleted state, or otherwise disabled."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The provisioning state of the SCIM resource is not mapped. See the state
attribute, which contains a data source specific value."
+ }
+ },
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "A unique identifier for a SCIM resource as defined by the service provider.",
+ "requirement": "recommended"
+ },
+ "uid_alt": {
+ "caption": "External ID",
+ "description": "A String that is an identifier for the resource as defined by the provisioning client. The externalId
may simplify identification of a resource between the provisioning client and the service provider by allowing the client to use a filter to locate the resource with an identifier from the provisioning domain, obviating the need to store a local mapping between the provisioning domain's identifier of the resource and the identifier used by the service provider.",
+ "requirement": "optional"
+ },
+ "url_string": {
+ "caption": "SCIM Endpoint URL",
+ "description": "The primary URL for SCIM API requests.",
+ "requirement": "optional"
+ },
+ "vendor_name": {
+ "caption": "Service Provider",
+ "description": "Name of the vendor or service provider implementing SCIM. E.g., Okta
, Auth0
, Microsoft
.",
+ "requirement": "optional"
+ },
+ "version": {
+ "caption": "SCIM Version",
+ "description": "SCIM protocol version supported e.g., SCIM 2.0
.",
+ "requirement": "recommended"
}
}
-
\ No newline at end of file
+}
\ No newline at end of file
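Review bot: The object `description` still cites the wrong standard: `SCIM is defined in RFC-7634` — RFC 7634 is the ChaCha20-Poly1305 profile for IKE and IPsec, whereas SCIM is specified by RFC 7643 (Core Schema) and RFC 7644 (Protocol), with RFC 7642 covering definitions and use cases. Since this commit rewrites the whole file, it is the right moment to correct the sentence, e.g. `SCIM is defined in RFC 7643 (Core Schema) and RFC 7644 (Protocol).` and to drop the hyphenated `RFC-` form. Consider also adding a top-level `references` array pointing at those RFCs, as this same commit does with the D3FEND links on `process`, `script` and `session`, so readers of the rendered schema can verify the `uid_alt`/`externalId` semantics against the source document.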
diff --git a/objects/script.json b/objects/script.json
index 0b74bc1ba..43dade2ef 100644
--- a/objects/script.json
+++ b/objects/script.json
@@ -1,7 +1,6 @@
{
"caption": "Script",
"description": "The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term script here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/", "description": "D3FEND™ Ontology d3f:ExecutableScript."}],
"extends": "object",
"name": "script",
"attributes": {
@@ -30,7 +29,6 @@
},
"type_id": {
"description": "The normalized script type ID.",
- "requirement": "required",
"enum": {
"0": {
"caption": "Unknown",
@@ -61,11 +59,18 @@
"caption": "Other",
"description": "The script type is not mapped. See the type
attribute which contains an event source specific value."
}
- }
+ },
+ "requirement": "required"
},
"uid": {
"description": "Some script engines assign a unique ID to each individual execution of a given script. This attribute captures that unique ID. In the case of PowerShell, the unique ID corresponds to the ScriptBlockId
in the raw ETW events provided by the OS.",
"requirement": "optional"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:ExecutableScript.",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/security_state.json b/objects/security_state.json
index 3ba39de28..a9f8dc4e2 100644
--- a/objects/security_state.json
+++ b/objects/security_state.json
@@ -13,10 +13,6 @@
"caption": "Security State ID",
"description": "The security state of the managed entity.",
"enum": {
- "99": {
- "caption": "Other",
- "description": "The security state is not mapped. See the state
attribute, which contains data source specific values."
- },
"0": {
"caption": "Unknown",
"description": "The security state is unknown."
@@ -25,38 +21,6 @@
"caption": "Missing or outdated content",
"description": "The content is missing or outdated."
},
- "2": {
- "caption": "Policy mismatch",
- "description": "Not in compliance with the expected security policy."
- },
- "3": {
- "caption": "In network quarantine",
- "description": "Isolated from the network."
- },
- "4": {
- "caption": "Protection off",
- "description": "Not protected by a security solution."
- },
- "5": {
- "caption": "Protection malfunction",
- "description": "The security solution is not functioning properly."
- },
- "6": {
- "caption": "Protection not licensed",
- "description": "The security solution does not have a valid license."
- },
- "7": {
- "caption": "Unremediated threat",
- "description": "A detected threat has not been remediated."
- },
- "8": {
- "caption": "Suspicious reputation",
- "description": "Reputation of the entity is suspicious."
- },
- "9": {
- "caption": "Reboot pending",
- "description": "A reboot is required for one or more pending actions."
- },
"10": {
"caption": "Content is locked",
"description": "The content is locked to a specific version."
@@ -97,6 +61,10 @@
"caption": "Open remote access",
"description": "Remote access is enabled."
},
+ "2": {
+ "caption": "Policy mismatch",
+ "description": "Not in compliance with the expected security policy."
+ },
"20": {
"caption": "OTA updates disabled",
"description": "Mobile OTA (Over The Air) updates have been disabled."
@@ -112,9 +80,41 @@
"23": {
"caption": "Compliance failure",
"description": "The entity is not compliant with the associated security policy."
+ },
+ "3": {
+ "caption": "In network quarantine",
+ "description": "Isolated from the network."
+ },
+ "4": {
+ "caption": "Protection off",
+ "description": "Not protected by a security solution."
+ },
+ "5": {
+ "caption": "Protection malfunction",
+ "description": "The security solution is not functioning properly."
+ },
+ "6": {
+ "caption": "Protection not licensed",
+ "description": "The security solution does not have a valid license."
+ },
+ "7": {
+ "caption": "Unremediated threat",
+ "description": "A detected threat has not been remediated."
+ },
+ "8": {
+ "caption": "Suspicious reputation",
+ "description": "Reputation of the entity is suspicious."
+ },
+ "9": {
+ "caption": "Reboot pending",
+ "description": "A reboot is required for one or more pending actions."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The security state is not mapped. See the state
attribute, which contains data source specific values."
}
},
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
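Review bot: The `state_id` enum is now ordered lexicographically by key string, so `"10"` through `"23"` sit between `"1"` and `"2"` and `"3"` through `"9"` follow `"23"`, which makes it hard to scan the value space for gaps or duplicates when new states are added. JSON key order is insignificant, so behavior is unchanged, but if this ordering comes from a generic key sorter it would be worth running enum maps through a numeric-aware sort (keeping `"99"` last, as in scan.json and script.json in this commit) so the ids read in sequence. The `state_id` attribute and its enclosing `attributes` object begin outside this hunk.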
diff --git a/objects/session.json b/objects/session.json
index 250a1fc0e..e8b8ccb4a 100644
--- a/objects/session.json
+++ b/objects/session.json
@@ -1,9 +1,8 @@
{
"caption": "Session",
- "name": "session",
"description": "The Session object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Session/", "description": "D3FEND™ Ontology d3f:Session"}],
"extends": "object",
+ "name": "session",
"attributes": {
"count": {
"description": "The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time.",
@@ -16,20 +15,20 @@
"credential_uid": {
"requirement": "optional"
},
+ "expiration_reason": {
+ "description": "The reason which triggered the session expiration.",
+ "requirement": "optional"
+ },
"expiration_time": {
"description": "The session expiration time.",
"requirement": "optional"
},
- "expiration_reason": {
- "description": "The reason which triggered the session expiration.",
+ "is_mfa": {
"requirement": "optional"
},
"is_remote": {
"requirement": "recommended"
},
- "is_mfa":{
- "requirement": "optional"
- },
"is_vpn": {
"requirement": "optional"
},
@@ -53,5 +52,11 @@
"description": "The universally unique identifier of the session.",
"requirement": "optional"
}
- }
-}
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:Session",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:Session/"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/software_component.json b/objects/software_component.json
index bf9070001..d3e311158 100644
--- a/objects/software_component.json
+++ b/objects/software_component.json
@@ -4,19 +4,9 @@
"extends": "object",
"name": "software_component",
"attributes": {
- "related_component": {
- "requirement": "recommended"
- },
- "relationship": {
- "requirement": "optional"
- },
- "relationship_id": {
+ "author": {
"requirement": "recommended"
},
- "name": {
- "description": "The software component name.",
- "requirement": "required"
- },
"hash": {
"description": "Cryptographic hash to identify the binary instance of a software component.",
"requirement": "optional"
@@ -25,11 +15,21 @@
"description": "The software license applied to this component.",
"requirement": "optional"
},
- "purl":{
+ "name": {
+ "description": "The software component name.",
+ "requirement": "required"
+ },
+ "purl": {
"description": "The Package URL (PURL) to identify the software component. This is a URL that uniquely identifies the component, including the component's name, version, and type. The URL is used to locate and retrieve the component's metadata and content.",
"requirement": "recommended"
},
- "author": {
+ "related_component": {
+ "requirement": "recommended"
+ },
+ "relationship": {
+ "requirement": "optional"
+ },
+ "relationship_id": {
"requirement": "recommended"
},
"type": {
@@ -59,4 +59,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/span.json b/objects/span.json
index 0ae6fb086..45608a9d8 100644
--- a/objects/span.json
+++ b/objects/span.json
@@ -41,4 +41,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/sso.json b/objects/sso.json
index ff580b244..e7e82c200 100644
--- a/objects/sso.json
+++ b/objects/sso.json
@@ -1,75 +1,75 @@
{
- "caption": "SSO",
- "description": "The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.",
- "extends": "object",
- "name": "sso",
- "attributes": {
- "auth_protocol": {
- "description": "The authorization protocol as defined by the caption of auth_protocol_id
. In the case of Other
, it is defined by the event source.",
- "requirement": "optional"
- },
- "auth_protocol_id": {
- "description": "The normalized identifier of the authentication protocol used by the SSO resource.",
- "requirement": "optional"
- },
- "certificate": {
- "caption": "SAML Certificate",
- "description": "Digital Signature associated with the SSO resource, e.g., SAML X.509 certificate details.",
- "requirement": "recommended"
- },
- "created_time": {
- "description": "When the SSO resource was created.",
- "requirement": "optional"
- },
- "duration_mins": {
- "caption": "SSO Session Duration",
- "description": "The duration (in minutes) for an SSO session, after which re-authentication is required.",
- "requirement": "optional"
- },
- "idle_timeout": {
- "caption": "SSO Idle Timeout",
- "description": "Duration (in minutes) of allowed inactivity before Single Sign-On (SSO) session expiration.",
- "requirement": "optional"
- },
- "login_endpoint": {
- "caption": "SSO Login Endpoint",
- "description": "URL for initiating an SSO login request.",
- "requirement": "optional"
- },
- "logout_endpoint": {
- "caption": "SSO Logout Endpoint",
- "description": "URL for initiating an SSO logout request, allowing sessions to be terminated across applications.",
- "requirement": "optional"
- },
- "metadata_endpoint": {
- "caption": "SSO Metadata Endpoint",
- "description": "URL where metadata about the SSO configuration is available (e.g., for SAML configurations).",
- "requirement": "optional"
- },
- "modified_time": {
- "description": "The most recent time when the SSO resource was updated.",
- "requirement": "optional"
- },
- "name": {
- "description": "The name of the SSO resource.",
- "requirement": "recommended"
- },
- "protocol_name": {
- "caption": "Supported Protocol",
- "description": "The supported protocol for the SSO resource. E.g., SAML
or OIDC
.",
- "requirement": "optional"
- },
- "scopes": {
- "requirement": "optional"
- },
- "vendor_name": {
- "caption": "Service Provider",
- "description": "Name of the vendor or service provider implementing SSO. E.g., Okta
, Auth0
, Microsoft
.",
- "requirement": "optional"
- },
- "uid": {
- "description": "A unique identifier for a SSO resource.",
- "requirement": "recommended"
- }
+ "caption": "SSO",
+ "description": "The Single Sign-On (SSO) object provides a structure for normalizing SSO attributes, configuration, and/or settings from Identity Providers.",
+ "extends": "object",
+ "name": "sso",
+ "attributes": {
+ "auth_protocol": {
+ "description": "The authorization protocol as defined by the caption of auth_protocol_id
. In the case of Other
, it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "auth_protocol_id": {
+ "description": "The normalized identifier of the authentication protocol used by the SSO resource.",
+ "requirement": "optional"
+ },
+ "certificate": {
+ "caption": "SAML Certificate",
+ "description": "Digital Signature associated with the SSO resource, e.g., SAML X.509 certificate details.",
+ "requirement": "recommended"
+ },
+ "created_time": {
+ "description": "When the SSO resource was created.",
+ "requirement": "optional"
+ },
+ "duration_mins": {
+ "caption": "SSO Session Duration",
+ "description": "The duration (in minutes) for an SSO session, after which re-authentication is required.",
+ "requirement": "optional"
+ },
+ "idle_timeout": {
+ "caption": "SSO Idle Timeout",
+ "description": "Duration (in minutes) of allowed inactivity before Single Sign-On (SSO) session expiration.",
+ "requirement": "optional"
+ },
+ "login_endpoint": {
+ "caption": "SSO Login Endpoint",
+ "description": "URL for initiating an SSO login request.",
+ "requirement": "optional"
+ },
+ "logout_endpoint": {
+ "caption": "SSO Logout Endpoint",
+ "description": "URL for initiating an SSO logout request, allowing sessions to be terminated across applications.",
+ "requirement": "optional"
+ },
+ "metadata_endpoint": {
+ "caption": "SSO Metadata Endpoint",
+ "description": "URL where metadata about the SSO configuration is available (e.g., for SAML configurations).",
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The most recent time when the SSO resource was updated.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The name of the SSO resource.",
+ "requirement": "recommended"
+ },
+ "protocol_name": {
+ "caption": "Supported Protocol",
+ "description": "The supported protocol for the SSO resource. E.g., SAML
or OIDC
.",
+ "requirement": "optional"
+ },
+ "scopes": {
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "A unique identifier for a SSO resource.",
+ "requirement": "recommended"
+ },
+ "vendor_name": {
+ "caption": "Service Provider",
+ "description": "Name of the vendor or service provider implementing SSO. E.g., Okta
, Auth0
, Microsoft
.",
+ "requirement": "optional"
}
- }
\ No newline at end of file
+ }
+}
\ No newline at end of file
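Review bot: The `certificate` attribute is described as a "Digital Signature associated with the SSO resource", but an X.509 certificate is the key material and identity binding used to sign or verify SAML assertions, not the signature itself; calling it a signature invites producers to drop a signature value into a certificate-typed field. Suggest `The X.509 certificate (e.g., the SAML signing or encryption certificate) associated with the SSO resource, used to verify signatures on assertions and responses.` Separately, `idle_timeout` carries its unit only in the description while the neighbouring `duration_mins` carries it in the name; if the attribute name is fixed by the dictionary, at least make the caption `SSO Idle Timeout (minutes)` so the unit survives into generated documentation.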
diff --git a/objects/startup_item.json b/objects/startup_item.json
index 9e83c597b..165e66624 100644
--- a/objects/startup_item.json
+++ b/objects/startup_item.json
@@ -1,19 +1,26 @@
{
"caption": "Startup Item",
- "name": "startup_item",
"description": "The startup item object describes an application component that has associated startup criteria and configurations.",
+ "name": "startup_item",
"attributes": {
+ "driver": {
+ "description": "The startup item kernel driver resource.",
+ "requirement": "optional"
+ },
+ "job": {
+ "description": "The startup item job resource.",
+ "requirement": "optional"
+ },
"name": {
"description": "The unique name of the startup item.",
"requirement": "required"
},
- "run_modes": {
- "description": "The list of run_modes, normalized to the captions of the run_mode_id values. In the case of 'Other', they are defined by the event source.",
+ "process": {
+ "description": "The startup item process resource.",
"requirement": "optional"
},
"run_mode_ids": {
"description": "The list of normalized identifiers that describe the startup items' properties when it is running. Use this field to capture extended information about the process, which may depend on the type of startup item. E.g., A Windows service that interacts with the desktop.",
- "requirement": "optional",
"enum": {
"1": {
"caption": "Interactive",
@@ -27,7 +34,12 @@
"caption": "Shared Process",
"description": "The startup item runs in a shared process."
}
- }
+ },
+ "requirement": "optional"
+ },
+ "run_modes": {
+ "description": "The list of run_modes, normalized to the captions of the run_mode_id values. In the case of 'Other', they are defined by the event source.",
+ "requirement": "optional"
},
"run_state": {
"description": "The run state of the startup item.",
@@ -35,7 +47,6 @@
},
"run_state_id": {
"description": "The run state ID of the startup item.",
- "requirement": "recommended",
"enum": {
"1": {
"caption": "Stopped",
@@ -69,7 +80,8 @@
"caption": "Restart Pending",
"description": "The service is pending restart."
}
- }
+ },
+ "requirement": "recommended"
},
"start_type": {
"description": "The start type of the startup item.",
@@ -88,7 +100,6 @@
"type_id": {
"caption": "Type ID",
"description": "The startup item type identifier.",
- "requirement": "recommended",
"enum": {
"0": {
"caption": "Unknown",
@@ -131,19 +142,8 @@
"description": "The startup item type is not mapped. See the type
attribute, which contains data source specific values."
}
},
+ "requirement": "recommended",
"type": "integer_t"
- },
- "driver": {
- "description": "The startup item kernel driver resource.",
- "requirement": "optional"
- },
- "job": {
- "description": "The startup item job resource.",
- "requirement": "optional"
- },
- "process": {
- "description": "The startup item process resource.",
- "requirement": "optional"
}
},
"constraints": {
@@ -153,4 +153,4 @@
"process"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/sub_technique.json b/objects/sub_technique.json
index 58bc3ec24..cfc8501fb 100644
--- a/objects/sub_technique.json
+++ b/objects/sub_technique.json
@@ -6,15 +6,15 @@
"attributes": {
"name": {
"description": "The name of the attack sub technique, as defined by ATT&CK® Matrix. For example: Scanning IP Blocks
.",
- "requirement" : "optional"
+ "requirement": "optional"
},
"src_url": {
"description": "The versioned permalink of the attack sub technique, as defined by ATT&CK® Matrix. For example: https://attack.mitre.org/versions/v14/techniques/T1595/001/
.",
- "requirement" : "optional"
+ "requirement": "optional"
},
"uid": {
"description": "The unique identifier of the attack sub technique, as defined by ATT&CK® Matrix. For example: T1595.001
.",
- "requirement" : "recommended"
+ "requirement": "recommended"
}
}
}
\ No newline at end of file
diff --git a/objects/table.json b/objects/table.json
index 48eff1fee..9065e7a3a 100644
--- a/objects/table.json
+++ b/objects/table.json
@@ -8,28 +8,28 @@
"description": "The time when the table was known to have been created.",
"requirement": "optional"
},
- "modified_time": {
- "description": "The most recent time when any changes, updates, or modifications were made within the table.",
- "requirement": "optional"
- },
"desc": {
"caption": "Description",
"description": "The description of the table.",
"requirement": "optional"
},
- "size": {
- "description": "The size of the data table in bytes.",
- "requirement": "optional"
- },
"groups": {
"description": "The group names to which the table belongs.",
"requirement": "optional"
},
+ "modified_time": {
+ "description": "The most recent time when any changes, updates, or modifications were made within the table.",
+ "requirement": "optional"
+ },
"name": {
"description": "The table name, ordinarily as assigned by a database administrator."
},
+ "size": {
+ "description": "The size of the data table in bytes.",
+ "requirement": "optional"
+ },
"uid": {
"description": "The unique identifier of the table."
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/tactic.json b/objects/tactic.json
index 7ac86f3c5..6e5d2b687 100644
--- a/objects/tactic.json
+++ b/objects/tactic.json
@@ -6,15 +6,15 @@
"attributes": {
"name": {
"description": "The tactic name that is associated with the attack technique, as defined by ATT&CK® Matrix. For example: Reconnaissance
.",
- "requirement" : "optional"
- },
+ "requirement": "optional"
+ },
"src_url": {
"description": "The versioned permalink of the attack tactic, as defined by ATT&CK® Matrix. For example: https://attack.mitre.org/versions/v14/tactics/TA0043/
.",
- "requirement" : "optional"
+ "requirement": "optional"
},
"uid": {
"description": "The tactic ID that is associated with the attack technique, as defined by ATT&CK® Matrix. For example: TA0043
.",
- "requirement" : "recommended"
+ "requirement": "recommended"
}
}
}
\ No newline at end of file
diff --git a/objects/technique.json b/objects/technique.json
index 7811b97f6..11163ac9a 100644
--- a/objects/technique.json
+++ b/objects/technique.json
@@ -9,7 +9,7 @@
},
"src_url": {
"description": "The versioned permalink of the attack technique, as defined by ATT&CK® Matrix. For example: https://attack.mitre.org/versions/v14/techniques/T1595/
.",
- "requirement" : "optional"
+ "requirement": "optional"
},
"uid": {
"description": "The unique identifier of the attack technique, as defined by ATT&CK® Matrix. For example: T1595
."
diff --git a/objects/ticket.json b/objects/ticket.json
index 995834996..2990e5254 100644
--- a/objects/ticket.json
+++ b/objects/ticket.json
@@ -1,16 +1,16 @@
{
"caption": "Ticket",
- "name": "ticket",
"description": "The Ticket object represents ticket in the customer's systems like Salesforce, jira etc.",
"extends": "object",
+ "name": "ticket",
"attributes": {
"src_url": {
"description": "The url of a ticket in the ticket system.",
"requirement": "recommended"
},
- "uid": {
- "description": "Unique ticket identifier like ticket id.",
- "requirement": "recommended"
+ "title": {
+ "description": "The title of the ticket.",
+ "requirement": "optional"
},
"type": {
"caption": "Ticket Type",
@@ -36,9 +36,9 @@
},
"requirement": "optional"
},
- "title": {
- "description": "The title of the ticket.",
- "requirement": "optional"
+ "uid": {
+ "description": "Unique ticket identifier like ticket id.",
+ "requirement": "recommended"
}
},
"constraints": {
@@ -47,4 +47,4 @@
"uid"
]
}
-}
+}
\ No newline at end of file
diff --git a/objects/timespan.json b/objects/timespan.json
index 218fa3247..c7f777ffd 100644
--- a/objects/timespan.json
+++ b/objects/timespan.json
@@ -1,94 +1,94 @@
{
- "caption": "Time Span",
- "name": "timespan",
- "description": "The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may be populated since each member is of integral type. In that case type_id
if present should be set to Other
.",
- "extends": "object",
- "attributes": {
- "duration" : {
- "description": "The duration of the time span in milliseconds.",
- "requirement": "recommended"
+ "caption": "Time Span",
+ "description": "The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may be populated since each member is of integral type. In that case type_id
if present should be set to Other
.",
+ "extends": "object",
+ "name": "timespan",
+ "attributes": {
+ "duration": {
+ "description": "The duration of the time span in milliseconds.",
+ "requirement": "recommended"
+ },
+ "duration_days": {
+ "description": "The duration of the time span in days.",
+ "requirement": "recommended"
+ },
+ "duration_hours": {
+ "description": "The duration of the time span in hours.",
+ "requirement": "recommended"
+ },
+ "duration_mins": {
+ "description": "The duration of the time span in minutes.",
+ "requirement": "recommended"
+ },
+ "duration_months": {
+ "description": "The duration of the time span in months.",
+ "requirement": "recommended"
+ },
+ "duration_secs": {
+ "description": "The duration of the time span in seconds.",
+ "requirement": "recommended"
+ },
+ "duration_weeks": {
+ "description": "The duration of the time span in weeks.",
+ "requirement": "recommended"
+ },
+ "duration_years": {
+ "description": "The duration of the time span in years.",
+ "requirement": "recommended"
+ },
+ "type": {
+ "caption": "Time Span Type",
+ "description": "The type of time span duration the object represents.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Time Span Type ID",
+ "description": "The normalized identifier for the time span duration type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
},
- "duration_days": {
- "description": "The duration of the time span in days.",
- "requirement": "recommended"
+ "1": {
+ "caption": "Milliseconds"
},
- "duration_hours": {
- "description": "The duration of the time span in hours.",
- "requirement": "recommended"
+ "2": {
+ "caption": "Seconds"
},
- "duration_mins": {
- "description": "The duration of the time span in minutes.",
- "requirement": "recommended"
+ "3": {
+ "caption": "Minutes"
},
- "duration_months": {
- "description": "The duration of the time span in months.",
- "requirement": "recommended"
+ "4": {
+ "caption": "Hours"
},
- "duration_secs": {
- "description": "The duration of the time span in seconds.",
- "requirement": "recommended"
+ "5": {
+ "caption": "Days"
},
- "duration_weeks": {
- "description": "The duration of the time span in weeks.",
- "requirement": "recommended"
+ "6": {
+ "caption": "Weeks"
},
- "duration_years": {
- "description": "The duration of the time span in years.",
- "requirement": "recommended"
+ "7": {
+ "caption": "Months"
},
- "type": {
- "caption": "Time Span Type",
- "description": "The type of time span duration the object represents.",
- "requirement": "optional"
- },
- "type_id": {
- "caption": "Time Span Type ID",
- "description": "The normalized identifier for the time span duration type.",
- "enum": {
- "0": {
- "caption": "Unknown"
- },
- "1": {
- "caption": "Milliseconds"
- },
- "2": {
- "caption": "Seconds"
- },
- "3": {
- "caption": "Minutes"
- },
- "4": {
- "caption": "Hours"
- },
- "5": {
- "caption": "Days"
- },
- "6": {
- "caption": "Weeks"
- },
- "7": {
- "caption": "Months"
- },
- "8": {
- "caption": "Years"
- },
- "99": {
- "caption": "Other"
- }
- },
- "requirement": "recommended"
- }
- },
- "constraints": {
- "at_least_one": [
- "duration",
- "duration_days",
- "duration_hours",
- "duration_mins",
- "duration_months",
- "duration_secs",
- "duration_weeks",
- "duration_years"
- ]
+ "8": {
+ "caption": "Years"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "recommended"
}
-}
+ },
+ "constraints": {
+ "at_least_one": [
+ "duration",
+ "duration_days",
+ "duration_hours",
+ "duration_mins",
+ "duration_months",
+ "duration_secs",
+ "duration_weeks",
+ "duration_years"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/objects/tls.json b/objects/tls.json
index d3b4ac9f7..307628ce4 100644
--- a/objects/tls.json
+++ b/objects/tls.json
@@ -22,9 +22,6 @@
"extension_list": {
"requirement": "optional"
},
- "tls_extension_list": {
- "requirement": "optional"
- },
"handshake_dur": {
"requirement": "optional"
},
@@ -50,9 +47,12 @@
"sni": {
"requirement": "recommended"
},
+ "tls_extension_list": {
+ "requirement": "optional"
+ },
"version": {
"description": "The TLS protocol version.",
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/tls_extension.json b/objects/tls_extension.json
index bee6301d7..562bf0511 100644
--- a/objects/tls_extension.json
+++ b/objects/tls_extension.json
@@ -14,7 +14,6 @@
},
"type_id": {
"description": "The TLS extension type identifier. See The Transport Layer Security (TLS) extension page.",
- "requirement": "required",
"enum": {
"0": {
"caption": "server_name",
@@ -24,10 +23,6 @@
"caption": "maximum_fragment_length",
"description": "The Maximum Fragment Length Negotiation extension."
},
- "5": {
- "caption": "status_request",
- "description": "The Certificate Status Request extension."
- },
"10": {
"caption": "supported_groups",
"description": "The Supported Groups extension."
@@ -96,6 +91,10 @@
"caption": "post_handshake_auth",
"description": "The Post-Handshake Client Authentication extension."
},
+ "5": {
+ "caption": "status_request",
+ "description": "The Certificate Status Request extension."
+ },
"50": {
"caption": "signature_algorithms_cert",
"description": "The Signature Algorithms extension."
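Review bot: The enum key `"5"` now sits between `"49"` and `"50"` because the keys were sorted as strings rather than numerically, which makes the TLS extension type list hard to audit against the IANA registry and will misplace every future single- or double-digit value the same way. Key order carries no meaning for JSON consumers, so nothing breaks, but if this reordering comes from a formatter it is worth configuring it to sort numeric-looking keys numerically (or to leave enum bodies untouched) so `"5": { "caption": "status_request", ... }` stays between `"1"` and `"10"`.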
@@ -104,7 +103,8 @@
"caption": "key_share",
"description": "The Key Share extension."
}
- }
+ },
+ "requirement": "required"
}
}
}
\ No newline at end of file
diff --git a/objects/trace.json b/objects/trace.json
index 24b3b0fd1..fdb5d7064 100644
--- a/objects/trace.json
+++ b/objects/trace.json
@@ -33,4 +33,4 @@
"requirement": "required"
}
}
-}
+}
\ No newline at end of file
diff --git a/objects/unmanned_aerial_system.json b/objects/unmanned_aerial_system.json
index dfddd7ffa..0af9fb0ed 100644
--- a/objects/unmanned_aerial_system.json
+++ b/objects/unmanned_aerial_system.json
@@ -1,102 +1,102 @@
{
- "caption": "Unmanned Aerial System",
- "description": "The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a.",
- "extends": "aircraft",
- "name": "unmanned_aerial_system",
- "attributes": {
- "hw_info": {
- "caption": "UAS Hardware Information",
- "requirement": "optional"
- },
- "location": {
- "caption": "UAS Position Location Information",
- "requirement": "recommended"
- },
- "name": {
- "description": "The name of the unmanned system as reported by tracking or sensing hardware.",
- "requirement": "optional"
- },
- "serial_number": {
- "description": "The serial number of the unmanned system. This is expressed in CTA-2063-A
format.",
- "requirement": "recommended"
- },
- "type": {
- "description": "The type of the UAS. For example, Helicopter, Gyroplane, Rocket, etc.",
- "requirement": "optional"
- },
- "type_id": {
- "description": "The UAS type identifier.",
- "enum": {
- "0": {
- "caption": "Unknown/Undeclared",
- "description": "The UAS type is empty or not declared."
- },
- "1": {
- "caption": "Airplane"
- },
- "2": {
- "caption": "Helicopter",
- "description": "Can also be a Multi-rotor Unmanned Aircraft (e.g., Quad-copter)."
- },
- "3": {
- "caption": "Gyroplane"
- },
- "4": {
- "caption": "Hybrid Lift",
- "description": "Fixed wing aircraft that can take off vertically."
- },
- "5": {
- "caption": "Ornithopter"
- },
- "6": {
- "caption": "Glider"
- },
- "7": {
- "caption": "Kite"
- },
- "8": {
- "caption": "Free Balloon"
- },
- "9": {
- "caption": "Captive Balloon"
- },
- "10": {
- "caption": "Airship",
- "description": "E.g., a blimp."
- },
- "11": {
- "caption": "Free Fall/Parachute",
- "description": "Parachutes, or objects without any power or propulsion mechanism."
- },
- "12": {
- "caption": "Rocket"
- },
- "13": {
- "caption": "Tethered Powered Aircraft"
- },
- "14": {
- "caption": "Ground Obstacle"
- },
- "99": {
- "caption": "Other"
- }
+ "caption": "Unmanned Aerial System",
+ "description": "The Unmanned Aerial System object describes the characteristics, Position Location Information (PLI), and other metadata of Unmanned Aerial Systems (UAS) and other unmanned and drone systems used in Remote ID. Remote ID is defined in the Standard Specification for Remote ID and Tracking (ASTM Designation: F3411-22a) ASTM F3411-22a.",
+ "extends": "aircraft",
+ "name": "unmanned_aerial_system",
+ "attributes": {
+ "hw_info": {
+ "caption": "UAS Hardware Information",
+ "requirement": "optional"
+ },
+ "location": {
+ "caption": "UAS Position Location Information",
+ "requirement": "recommended"
+ },
+ "name": {
+ "description": "The name of the unmanned system as reported by tracking or sensing hardware.",
+ "requirement": "optional"
+ },
+ "serial_number": {
+ "description": "The serial number of the unmanned system. This is expressed in CTA-2063-A
format.",
+ "requirement": "recommended"
+ },
+ "type": {
+ "description": "The type of the UAS. For example, Helicopter, Gyroplane, Rocket, etc.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "description": "The UAS type identifier.",
+ "enum": {
+ "0": {
+ "caption": "Unknown/Undeclared",
+ "description": "The UAS type is empty or not declared."
},
- "requirement": "recommended"
- },
- "uid": {
- "caption": "UAS ID",
- "description": "The primary identification identifier for an unmanned system. This can be a Serial Number (in CTA-2063-A
format, the Registration ID (provided by the CAA
, a UTM, or a unique Session ID.",
- "requirement": "recommended"
- },
- "uid_alt": {
- "caption": "UAS Alternate ID",
- "description": "A secondary identification identifier for an unmanned system. This can be a Serial Number (in CTA-2063-A
format, the Registration ID (provided by the CAA
, a UTM, or a unique Session ID.",
- "requirement": "recommended"
+ "1": {
+ "caption": "Airplane"
+ },
+ "10": {
+ "caption": "Airship",
+ "description": "E.g., a blimp."
+ },
+ "11": {
+ "caption": "Free Fall/Parachute",
+ "description": "Parachutes, or objects without any power or propulsion mechanism."
+ },
+ "12": {
+ "caption": "Rocket"
+ },
+ "13": {
+ "caption": "Tethered Powered Aircraft"
+ },
+ "14": {
+ "caption": "Ground Obstacle"
+ },
+ "2": {
+ "caption": "Helicopter",
+ "description": "Can also be a Multi-rotor Unmanned Aircraft (e.g., Quad-copter)."
+ },
+ "3": {
+ "caption": "Gyroplane"
+ },
+ "4": {
+ "caption": "Hybrid Lift",
+ "description": "Fixed wing aircraft that can take off vertically."
+ },
+ "5": {
+ "caption": "Ornithopter"
+ },
+ "6": {
+ "caption": "Glider"
+ },
+ "7": {
+ "caption": "Kite"
+ },
+ "8": {
+ "caption": "Free Balloon"
+ },
+ "9": {
+ "caption": "Captive Balloon"
+ },
+ "99": {
+ "caption": "Other"
+ }
},
- "uuid": {
- "caption": "UTM UUID",
- "description": "The Unmanned Aircraft System Traffic Management (UTM) provided universal unique ID (UUID) traceable to a non-obfuscated ID where this UTM UUID acts as a 'session id' to protect exposure of operationally sensitive information.",
- "requirement": "recommended"
- }
+ "requirement": "recommended"
+ },
+ "uid": {
+ "caption": "UAS ID",
+ "description": "The primary identification identifier for an unmanned system. This can be a Serial Number (in CTA-2063-A
format, the Registration ID (provided by the CAA
, a UTM, or a unique Session ID.",
+ "requirement": "recommended"
+ },
+ "uid_alt": {
+ "caption": "UAS Alternate ID",
+ "description": "A secondary identification identifier for an unmanned system. This can be a Serial Number (in CTA-2063-A
format, the Registration ID (provided by the CAA
, a UTM, or a unique Session ID.",
+ "requirement": "recommended"
+ },
+ "uuid": {
+ "caption": "UTM UUID",
+ "description": "The Unmanned Aircraft System Traffic Management (UTM) provided universal unique ID (UUID) traceable to a non-obfuscated ID where this UTM UUID acts as a 'session id' to protect exposure of operationally sensitive information.",
+ "requirement": "recommended"
}
- }
\ No newline at end of file
+ }
+}
\ No newline at end of file
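Review bot: The `type_id` enum keys are now in string order (`"1"`, `"10"`, `"11"`, …, `"2"`), which obscures the sequential UA-type numbering the values appear to mirror from the ASTM F3411 specification cited in the description and makes gaps or duplicate codes harder to spot on review. JSON key order is not significant so consumers are unaffected, but a numeric sort (or leaving enum bodies unsorted) would keep `"2": { "caption": "Helicopter", ... }` next to `"1"`. The same remark applies to the other enum blocks reordered by this commit.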
diff --git a/objects/unmanned_system_operating_area.json b/objects/unmanned_system_operating_area.json
index 9f354ee1e..9538276f9 100644
--- a/objects/unmanned_system_operating_area.json
+++ b/objects/unmanned_system_operating_area.json
@@ -19,7 +19,7 @@
"requirement": "optional"
},
"locations": {
- "caption":"Operating Polygon",
+ "caption": "Operating Polygon",
"description": "A list of Position Location Information (PLI) (latitude/longitude pairs) defining the area where a group or Intent-Based Network Participant operation is taking place. (This field is only applicable to Network Remote ID.)",
"requirement": "recommended"
},
diff --git a/objects/url.json b/objects/url.json
index c4bd9c04c..cad6a1259 100644
--- a/objects/url.json
+++ b/objects/url.json
@@ -1,10 +1,9 @@
{
- "caption": "Uniform Resource Locator",
- "name": "url",
"observable": 23,
+ "caption": "Uniform Resource Locator",
"description": "The Uniform Resource Locator (URL) object describes the characteristics of a URL.",
- "references": [{"url": "https://datatracker.ietf.org/doc/html/rfc1738", "description": "Defined in RFC 1738"}, {"url": "https://d3fend.mitre.org/dao/artifact/d3f:URL/", "description": "D3FEND™ Ontology d3f:URL"}],
"extends": "object",
+ "name": "url",
"attributes": {
"categories": {
"requirement": "optional"
@@ -51,5 +50,15 @@
"url_string",
"path"
]
- }
+ },
+ "references": [
+ {
+ "description": "Defined in RFC 1738",
+ "url": "https://datatracker.ietf.org/doc/html/rfc1738"
+ },
+ {
+ "description": "D3FEND™ Ontology d3f:URL",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:URL/"
+ }
+ ]
}
\ No newline at end of file
diff --git a/objects/user.json b/objects/user.json
index 76ad0fb55..7d0bfa3c1 100644
--- a/objects/user.json
+++ b/objects/user.json
@@ -1,10 +1,9 @@
{
+ "observable": 21,
"caption": "User",
- "name": "user",
"description": "The User object describes the characteristics of a user/person or a security principal.",
- "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/", "description": "D3FEND™ Ontology d3f:UserAccount"}],
"extends": "_entity",
- "observable": 21,
+ "name": "user",
"attributes": {
"account": {
"description": "The user's account or the account associated with the user.",
@@ -90,8 +89,8 @@
},
"uid": {
"description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
- "requirement": "recommended",
- "observable": 31
+ "observable": 31,
+ "requirement": "recommended"
},
"uid_alt": {
"description": "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.",
@@ -104,5 +103,11 @@
"name",
"uid"
]
- }
+ },
+ "references": [
+ {
+ "description": "D3FEND™ Ontology d3f:UserAccount",
+ "url": "https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/"
+ }
+ ]
}
\ No newline at end of file
diff --git a/objects/vendor_attributes.json b/objects/vendor_attributes.json
index 61d4d5ff7..8b6502c25 100644
--- a/objects/vendor_attributes.json
+++ b/objects/vendor_attributes.json
@@ -13,5 +13,4 @@
"requirement": "optional"
}
}
-}
-
+}
\ No newline at end of file
diff --git a/objects/vulnerability.json b/objects/vulnerability.json
index ad95cc5ee..a92965c1a 100644
--- a/objects/vulnerability.json
+++ b/objects/vulnerability.json
@@ -4,7 +4,7 @@
"extends": "object",
"name": "vulnerability",
"attributes": {
- "advisory":{
+ "advisory": {
"requirement": "optional"
},
"affected_code": {
@@ -25,6 +25,9 @@
"description": "The description of the vulnerability.",
"requirement": "optional"
},
+ "exploit_last_seen_time": {
+ "requirement": "optional"
+ },
"first_seen_time": {
"description": "The time when the vulnerability was first observed.",
"requirement": "optional"
@@ -32,23 +35,20 @@
"fix_available": {
"requirement": "optional"
},
- "exploit_last_seen_time":{
+ "is_exploit_available": {
"requirement": "optional"
},
- "kb_articles": {
+ "is_fix_available": {
"requirement": "optional"
},
"kb_article_list": {
+ "requirement": "optional",
"@deprecated": {
"message": "Use advisory
attribute instead.",
"since": "1.4.0"
- },
- "requirement": "optional"
+ }
},
- "is_exploit_available":{
- "requirement": "optional"
- },
- "is_fix_available": {
+ "kb_articles": {
"requirement": "optional"
},
"last_seen_time": {
diff --git a/objects/whois.json b/objects/whois.json
index 63bbe59cd..5732587bc 100644
--- a/objects/whois.json
+++ b/objects/whois.json
@@ -1,64 +1,64 @@
{
- "caption":"WHOIS",
- "description":"The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
- "extends":"object",
- "name":"whois",
- "attributes":{
- "autonomous_system":{
- "description":"The autonomous system information associated with a domain.",
- "requirement":"optional"
+ "caption": "WHOIS",
+ "description": "The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
+ "extends": "object",
+ "name": "whois",
+ "attributes": {
+ "autonomous_system": {
+ "description": "The autonomous system information associated with a domain.",
+ "requirement": "optional"
},
- "domain_contacts":{
- "requirement":"recommended"
+ "created_time": {
+ "caption": "Registered At",
+ "description": "When the domain was registered or WHOIS entry was created.",
+ "requirement": "recommended"
},
- "created_time":{
- "caption":"Registered At",
- "description":"When the domain was registered or WHOIS entry was created.",
- "requirement":"recommended"
+ "dnssec_status": {
+ "requirement": "optional"
},
- "dnssec_status_id":{
- "requirement":"recommended"
+ "dnssec_status_id": {
+ "requirement": "recommended"
},
- "dnssec_status":{
- "requirement":"optional"
- },
- "domain":{
+ "domain": {
"description": "The domain name corresponding to the WHOIS record.",
- "requirement":"recommended"
+ "requirement": "recommended"
+ },
+ "domain_contacts": {
+ "requirement": "recommended"
},
- "email_addr":{
- "caption":"Registrar Abuse Email Address",
- "description":"The email address for the registrar's abuse contact",
- "requirement":"optional"
+ "email_addr": {
+ "caption": "Registrar Abuse Email Address",
+ "description": "The email address for the registrar's abuse contact",
+ "requirement": "optional"
},
- "last_seen_time":{
- "caption":"Last Updated At",
- "requirement":"recommended",
- "description":"When the WHOIS record was last updated or seen at."
+ "last_seen_time": {
+ "caption": "Last Updated At",
+ "description": "When the WHOIS record was last updated or seen at.",
+ "requirement": "recommended"
},
- "name_servers":{
- "requirement":"recommended"
+ "name_servers": {
+ "requirement": "recommended"
},
- "phone_number":{
- "caption":"Registrar Abuse Phone Number",
- "description":"The phone number for the registrar's abuse contact",
- "requirement":"optional"
+ "phone_number": {
+ "caption": "Registrar Abuse Phone Number",
+ "description": "The phone number for the registrar's abuse contact",
+ "requirement": "optional"
},
- "registrar":{
- "requirement":"recommended"
+ "registrar": {
+ "requirement": "recommended"
},
- "status":{
- "caption":"Domain Status",
- "description":"The status of a domain and its ability to be transferred, e.g., clientTransferProhibited
.",
- "requirement":"recommended"
+ "status": {
+ "caption": "Domain Status",
+ "description": "The status of a domain and its ability to be transferred, e.g., clientTransferProhibited
.",
+ "requirement": "recommended"
},
- "subdomains":{
- "requirement":"optional"
+ "subdomains": {
+ "requirement": "optional"
},
- "subnet":{
- "caption":"Subnet Block",
- "description":"The IP address block (CIDR) associated with a domain.",
- "requirement":"optional"
+ "subnet": {
+ "caption": "Subnet Block",
+ "description": "The IP address block (CIDR) associated with a domain.",
+ "requirement": "optional"
}
}
}
\ No newline at end of file
diff --git a/profiles/cloud.json b/profiles/cloud.json
index 4e807e5f4..360522d04 100644
--- a/profiles/cloud.json
+++ b/profiles/cloud.json
@@ -1,16 +1,16 @@
{
+ "caption": "Cloud",
"description": "The attributes that describe information specific to Cloud services/applications.",
"meta": "profile",
- "caption": "Cloud",
"name": "cloud",
"attributes": {
- "cloud": {
- "requirement": "required",
- "group": "primary"
- },
"api": {
- "requirement": "optional",
- "group": "context"
+ "group": "context",
+ "requirement": "optional"
+ },
+ "cloud": {
+ "group": "primary",
+ "requirement": "required"
}
}
}
\ No newline at end of file
diff --git a/profiles/container.json b/profiles/container.json
index 00e8e6b8b..d36a4472a 100644
--- a/profiles/container.json
+++ b/profiles/container.json
@@ -1,7 +1,7 @@
{
+ "caption": "Container",
"description": "The container context for a process.",
"meta": "profile",
- "caption": "Container",
"name": "container",
"attributes": {
"container": {
@@ -13,4 +13,4 @@
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
diff --git a/profiles/data_classification.json b/profiles/data_classification.json
index 0bd7fdd23..748d64aa9 100644
--- a/profiles/data_classification.json
+++ b/profiles/data_classification.json
@@ -1,7 +1,7 @@
{
+ "caption": "Data Classification",
"description": "The Data Classification profile adds attributes to spepcific resource objects, allowing users to describe information about classifiers & data classification results.",
"meta": "profile",
- "caption": "Data Classification",
"name": "data_classification",
"attributes": {
"data_classification": {
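Review bot: The profile description carried over on the new side contains the typo "spepcific"; since this commit already rewrites the header of profiles/data_classification.json it is the natural place to fix it, changing the line to `"description": "The Data Classification profile adds attributes to specific resource objects, allowing users to describe information about classifiers & data classification results.",`. The `attributes` object opened on the last line of this hunk continues outside it.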
diff --git a/profiles/datetime.json b/profiles/datetime.json
index 85ee97df7..c099fe122 100644
--- a/profiles/datetime.json
+++ b/profiles/datetime.json
@@ -1,7 +1,7 @@
{
+ "caption": "Date/Time",
"description": "This profile defines date/time attributes as defined in RFC-3339. For example 1985-04-12T23:20:50.52Z.",
"meta": "profile",
- "caption": "Date/Time",
"name": "datetime",
"attributes": {}
}
\ No newline at end of file
diff --git a/profiles/host.json b/profiles/host.json
index 7e611d90c..54cec3e1e 100644
--- a/profiles/host.json
+++ b/profiles/host.json
@@ -1,17 +1,17 @@
{
+ "caption": "Host",
"description": "The attributes that identify host/device attributes.",
"meta": "profile",
- "caption": "Host",
"name": "host",
"annotations": {
"group": "primary"
},
"attributes": {
- "device": {
- "requirement": "recommended"
- },
"actor": {
"requirement": "optional"
+ },
+ "device": {
+ "requirement": "recommended"
}
}
}
\ No newline at end of file
diff --git a/profiles/incident.json b/profiles/incident.json
index 1b1296c9b..53541c1a7 100644
--- a/profiles/incident.json
+++ b/profiles/incident.json
@@ -1,60 +1,60 @@
{
+ "caption": "Incident",
"description": "The attributes that add incident handling semantics to a Finding.",
"meta": "profile",
- "caption": "Incident",
"name": "incident",
"annotations": {
- "group": "primary"
+ "group": "primary"
},
"attributes": {
"assignee": {
"group": "context",
"requirement": "optional"
- },
- "assignee_group": {
+ },
+ "assignee_group": {
"group": "context",
"requirement": "optional"
- },
- "impact": {
+ },
+ "impact": {
"group": "primary",
"requirement": "recommended"
- },
- "impact_id": {
+ },
+ "impact_id": {
"group": "primary",
"requirement": "recommended"
- },
- "impact_score": {
+ },
+ "impact_score": {
"group": "primary",
"requirement": "recommended"
- },
- "is_suspected_breach": {
+ },
+ "is_suspected_breach": {
"group": "context",
"requirement": "optional"
- },
- "priority": {
+ },
+ "priority": {
"group": "context",
"requirement": "optional"
- },
- "priority_id": {
+ },
+ "priority_id": {
"group": "context",
"requirement": "recommended"
- },
- "src_url": {
+ },
+ "src_url": {
"description": "A Url link used to access the original incident.",
"group": "primary",
"requirement": "recommended"
- },
- "ticket": {
+ },
+ "ticket": {
"group": "context",
"requirement": "optional"
- },
- "verdict": {
+ },
+ "verdict": {
"group": "primary",
"requirement": "recommended"
- },
- "verdict_id": {
+ },
+ "verdict_id": {
"group": "primary",
"requirement": "recommended"
- }
+ }
}
- }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/profiles/load_balancer.json b/profiles/load_balancer.json
index 6df7d6b8c..a68efd196 100644
--- a/profiles/load_balancer.json
+++ b/profiles/load_balancer.json
@@ -1,14 +1,14 @@
{
+ "caption": "Load Balancer",
"description": "The attributes that describe information specific to load balancers.",
"meta": "profile",
- "caption": "Load Balancer",
"name": "load_balancer",
"annotations": {
- "group": "primary"
- },
+ "group": "primary"
+ },
"attributes": {
- "load_balancer": {
- "requirement": "recommended"
+ "load_balancer": {
+ "requirement": "recommended"
}
}
-}
+}
\ No newline at end of file
diff --git a/profiles/network_proxy.json b/profiles/network_proxy.json
index 6793c8357..8f8d28420 100644
--- a/profiles/network_proxy.json
+++ b/profiles/network_proxy.json
@@ -1,20 +1,20 @@
{
+ "caption": "Network Proxy",
"description": "The attributes that identify network proxy attributes.",
"meta": "profile",
- "caption": "Network Proxy",
"name": "network_proxy",
"annotations": {
"group": "context"
},
"attributes": {
- "proxy_endpoint": {
- "description": "The proxy (server) in a network connection.",
- "requirement": "optional"
- },
"proxy_connection_info": {
"description": "The connection information from the proxy server to the remote server.",
"requirement": "recommended"
},
+ "proxy_endpoint": {
+ "description": "The proxy (server) in a network connection.",
+ "requirement": "optional"
+ },
"proxy_http_request": {
"description": "The HTTP Request from the proxy server to the remote server.",
"requirement": "optional"
@@ -23,13 +23,13 @@
"description": "The HTTP Response from the remote server to the proxy server.",
"requirement": "optional"
},
- "proxy_traffic": {
- "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
- "requirement": "recommended"
- },
"proxy_tls": {
"description": "The TLS protocol negotiated between the proxy server and the remote server.",
"requirement": "recommended"
+ },
+ "proxy_traffic": {
+ "description": "The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time.",
+ "requirement": "recommended"
}
}
}
\ No newline at end of file
diff --git a/profiles/osint.json b/profiles/osint.json
index f4162cc5a..81149ce91 100644
--- a/profiles/osint.json
+++ b/profiles/osint.json
@@ -1,12 +1,12 @@
{
+ "caption": "OSINT",
"description": "The OSINT (Open Source Intelligence) profile contains one or more indicators and associated analysis and details, such as registrar (WHOIS) information and commentary about a hostname, or information about a digital certificate and its usage within a campaign. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers within the profile itself.",
"meta": "profile",
- "caption": "OSINT",
- "name": "osint",
+ "name": "osint",
"attributes": {
"osint": {
- "requirement": "required",
- "group": "primary"
+ "group": "primary",
+ "requirement": "required"
}
}
}
\ No newline at end of file
diff --git a/profiles/security_control.json b/profiles/security_control.json
index 818d7eee8..461a51355 100644
--- a/profiles/security_control.json
+++ b/profiles/security_control.json
@@ -1,7 +1,7 @@
{
+ "caption": "Security Control",
"description": "The attributes including disposition that represent the outcome of a security control including but not limited to access control, malware or policy violation, network proxy, intrusion detection, firewall, or data control. The profile is intended to augment activities or findings with an outcome when a security control has observed or intervened. If the control detected a security violation, and the disposition_id
or action_id
is an alertable outcome or action, the is_alert
flag may be set to true
.",
"meta": "profile",
- "caption": "Security Control",
"name": "security_control",
"annotations": {
"group": "primary"
@@ -15,6 +15,7 @@
"action_id": {
"caption": "Action ID",
"description": "The action taken by a control or other policy-based system leading to an outcome or disposition. An unknown action may still correspond to a known disposition. Refer to disposition_id
for the outcome of the action.",
+ "requirement": "recommended",
"enum": {
"0": {
"caption": "Unknown",
@@ -40,8 +41,7 @@
"caption": "Other",
"description": "The action is not mapped. See the action
attribute which contains a data source specific value."
}
- },
- "requirement": "recommended"
+ }
},
"attacks": {
"requirement": "optional"
@@ -68,8 +68,8 @@
"requirement": "recommended"
},
"firewall_rule": {
- "requirement": "optional",
- "description": "The firewall rule that pertains to the control that triggered the event, if applicable."
+ "description": "The firewall rule that pertains to the control that triggered the event, if applicable.",
+ "requirement": "optional"
},
"is_alert": {
"description": "Indicates that the event is considered to be an alertable signal. Should be set to true
if disposition_id = Alert
among other dispositions, and/or risk_level_id
or severity_id
of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated
or disposition_id = Allowed
.",
@@ -79,8 +79,8 @@
"requirement": "optional"
},
"policy": {
- "requirement": "optional",
- "description": "The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy."
+ "description": "The policy that pertains to the control that triggered the event, if applicable. For example the name of an anti-malware policy or an access control policy.",
+ "requirement": "optional"
},
"risk_details": {
"group": "context",
@@ -99,4 +99,4 @@
"requirement": "optional"
}
}
-}
+}
\ No newline at end of file
diff --git a/profiles/trace.json b/profiles/trace.json
index 1189c3b82..833f31e1d 100644
--- a/profiles/trace.json
+++ b/profiles/trace.json
@@ -1,7 +1,7 @@
{
+ "caption": "Trace",
"description": "The Trace Profile extends the OCSF framework to capture and standardize observability events, specifically targeting trace-level data. This profile enables integration and normalization of distributed tracing information, allowing OCSF events to retain essential trace context such as trace IDs, span relationships, and service dependencies.",
"meta": "profile",
- "caption": "Trace",
"name": "trace",
"annotations": {
"group": "primary"
@@ -12,4 +12,4 @@
"requirement": "recommended"
}
}
-}
+}
\ No newline at end of file