From fa6af6aa727009d668fa5b061f21bf2ff9493adc Mon Sep 17 00:00:00 2001 From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Date: Wed, 19 Feb 2025 11:05:32 -0500 Subject: [PATCH] Add `assessments` to OCSF (#1343) #### Description of changes: See [this thread](https://opencybersecu-lz97379.slack.com/archives/C05HLGHMKU2/p1738944570398689?thread_ts=1738942607.568969&cid=C05HLGHMKU2) in the Slack for more information on the backstory. Adds an `assessment` object that serves as a generalized Object that can contain normalized assessment/evaluation data of specific configurations or signals in a generalized fashion. For instance, this can be used to capture details for CrowdStrike Zero Trust Assessments of Hosts, to generalize assessment data of CSPM/DSPM platforms such as the various ways to express if logging, encryption, or private access is enabled, and to expand the `compliance` object for specific technical control assessments. It is important to separate these from the `Findings` Category as not every assessment results in a first party alert or detection triggering, for instance the CrowdStrike Zero Trust Assessments are passively conducted on certain hosts with Identity Protection and don't necessarily represent a negative finding. This also allows for more abstracted asset inventories built upon different sources where generic assessment data and metadata about the asset/entity itself can be centralized without needing to rely on multiple different Event Classes. --------- Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> --- CHANGELOG.md | 12 +++++++ dictionary.json | 16 +++++++++ .../cloud_resources_inventory_info.json | 2 +- events/discovery/config_state.json | 8 ++++- objects/assessment.json | 33 +++++++++++++++++++ objects/compliance.json | 5 +++ objects/policy.json | 4 +++ 7 files changed, 78 insertions(+), 2 deletions(-) create mode 100644 objects/assessment.json 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ffaf8e40..616819061 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,12 +45,24 @@ Thankyou! --> * #### Dictionary Attributes 1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335) 1. Added `raw_data_size` as a `long_t`. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347) + 1. Added `assessments` as an array of `assessment` objects. #1343 + 1. Added `meets_criteria` as a `boolean_t`. #1343 +* #### Objects + 1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343 ### Improved +* #### Event Classes + 1. Added `assessments` to `config_state`. #1343 * #### Objects 1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335) + 1. Added `meets_criteria` and `policy` to `assessment` object. #1343 + 1. Added `assessments` to `compliance` object. #1343 + 1. Added `data` to `policy` object. #1343 + +### Misc 1. Relaxed constraint to provide `email_addr`, `phone_number`, or `security_questions` on `auth_factor`. [#1339](https://github.com/ocsf/ocsf-schema/pull/1339) 1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347) + 1. Updated description of `config_state` to reflect the addition of the `assessments` object. #1343 ## [v1.4.0] - January 31st, 2025 diff --git a/dictionary.json b/dictionary.json index 2fb987f0a..f1150d70f 100644 --- a/dictionary.json +++ b/dictionary.json 
@@ -238,6 +238,17 @@
 "description": "The details of the group assigned to an Incident.",
 "type": "group"
 },
+ "assessment": {
+ "caption": "Assessment",
+ "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera.",
+ "type": "assessment"
+ },
+ "assessments": {
+ "caption": "Assessments",
+ "description": "A list of assessment objects.",
+ "type": "assessment",
+ "is_array": true
+ },
 "attacks": {
 "caption": "MITRE ATT&CK® Details",
 "description": "An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques.",
@@ -3325,6 +3336,11 @@
 }
 ]
 },
+ "meets_criteria": {
+ "caption": "Meets Criteria",
+ "description": "Determines if an assessment, control, policy, or otherwise meets its assessment criteria. See specific usage.",
+ "type": "boolean_t"
+ },
 "metadata": {
 "caption": "Metadata",
 "description": "The metadata associated with the event or a finding.",
diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json
index b399be30f..8c1d38908 100644
--- a/events/discovery/cloud_resources_inventory_info.json
+++ b/events/discovery/cloud_resources_inventory_info.json
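Review bot: The `meets_criteria` entry in the second hunk is typed `boolean_t`, which leaves no way to express a check that was not applicable or could not be evaluated; posture sources commonly report such third states, and forcing them into `false` makes an unevaluated control look like a failed one in downstream queries. Since the dictionary is the one place the type is fixed, the description should state what producers do in that case, or the attribute should be paired with a status-style enum elsewhere in the schema. The wording also reads as if the attribute performs the evaluation rather than reporting it; `"description": "Indicates whether the assessment, control, policy, or other evaluated item meets its assessment criteria. See specific usage."` would be clearer.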
@@ -1,7 +1,7 @@
 {
 "uid": 23,
 "caption": "Cloud Resources Inventory Info",
- "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
+ "description": "Cloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
 "extends": "discovery",
 "name": "cloud_resources_inventory_info",
 "attributes": {
diff --git a/events/discovery/config_state.json b/events/discovery/config_state.json
index dd2d03273..e52a68d9d 100644
--- a/events/discovery/config_state.json
+++ b/events/discovery/config_state.json
@@ -1,7 +1,7 @@
 {
 "uid": 2,
 "caption": "Device Config State",
- "description": "Device Config State events report device configuration data and CIS Benchmark results.",
+ "description": "Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.",
 "extends": "discovery",
 "name": "config_state",
 "attributes": {
@@ -10,6 +10,12 @@
 "requirement": "optional",
 "profile": null
 },
+ "assessments": {
+ "caption": "Related Assessments",
+ "description": "A list of assessments associated with the device.",
+ "group": "context",
+ "requirement": "optional"
+ },
 "cis_benchmark_result": {
 "group": "primary",
 "requirement": "recommended"
diff --git a/objects/assessment.json b/objects/assessment.json
new file mode 100644
index 000000000..1bd420f33
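Review bot: In the `config_state` attributes hunk, `assessments` is placed in `"group": "context"` while the adjacent `cis_benchmark_result` is `"group": "primary"`, yet the class description in the same file now names device assessments as one of the things this event class reports. If assessments are meant to be a primary payload of the event rather than supporting context, `"group": "primary"` would match `cis_benchmark_result`; if `context` is deliberate, the attribute description should say so, e.g. `"description": "A list of assessments associated with the device, supplementing the CIS Benchmark result when both are present."`. The choice affects which attributes validators and consumers treat as the substance of the event, so it is worth making explicit.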
--- /dev/null
+++ b/objects/assessment.json
@@ -0,0 +1,33 @@
+{
+ "caption": "Assessment",
+ "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate os_signals from CrowdStrike Falcon Zero Trust Assessments, or account for Datastore configurations from Cyera, or capture details of Microsoft Intune configuration policies.",
+ "extends": "_entity",
+ "name": "assessment",
+ "attributes": {
+ "category": {
+ "description": "The category that the assessment is part of. For example: Prevention or Windows 10.",
+ "requirement": "optional"
+ },
+ "desc": {
+ "description": "The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.",
+ "requirement": "recommended"
+ },
+ "meets_criteria": {
+ "description": "Determines whether the assessment against the specific configuration or signal meets the assessments criteria. For example, if the assessment checks if a Datastore is encrypted or not, having encryption would be evaluated as true.",
+ "requirement": "required"
+ },
+ "name": {
+ "description": "The name of the configuration or signal being assessed. For example: Kernel Mode Code Integrity (KMCI) or publicAccessibilityState.",
+ "requirement": "recommended"
+ },
+ "policy": {
+ "caption": "Assessment Policy",
+ "description": "The details of any policy associated with an assessment.",
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "The unique identifier of the configuration or signal being assessed. For example: the signal_id.",
+ "requirement": "optional"
+ }
+ }
+}
\ No newline at end of file
diff --git a/objects/compliance.json b/objects/compliance.json
index a2ebdcdd0..33e1acf41 100644
--- a/objects/compliance.json
+++ b/objects/compliance.json
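Review bot: `meets_criteria` is `"requirement": "required"` on a boolean, so a producer whose source reports a check as not applicable or not evaluated must still emit `true` or `false`, and a `false` emitted for that reason is indistinguishable from a genuinely failed control when this data is later used to drive posture or zero-trust decisions. Either relax it to `"requirement": "recommended"` with a sentence saying the attribute is omitted when the check was not evaluated, or keep it required and state in the description which value an unevaluated check maps to. The description also has a typo: `meets the assessments criteria` should be `meets the assessment's criteria`. Finally, the object is described as point-in-time but carries no time attribute; the object description should say the assessment time is that of the enclosing event, or an optional `time` attribute should be added so assessments aggregated from several sources can keep their own evaluation time.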
@@ -4,6 +4,11 @@
 "extends": "object",
 "name": "compliance",
 "attributes": {
+ "assessments": {
+ "caption": "Related Assessments",
+ "description": "A list of assessments associated with the compliance requirements evaluation",
+ "requirement": "optional"
+ },
 "compliance_references": {
 "requirement": "optional"
 },
diff --git a/objects/policy.json b/objects/policy.json
index e259a20b6..48a9973a6 100644
--- a/objects/policy.json
+++ b/objects/policy.json
@@ -4,6 +4,10 @@
 "extends": "_entity",
 "name": "policy",
 "attributes": {
+ "data": {
+ "description": "Additional data about the policy such as the underlying JSON policy itself or other details.",
+ "requirement": "optional"
+ },
 "desc": {
 "description": "The description of the policy.",
 "requirement": "optional"
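Review bot: The `assessments` description in the `compliance` hunk is the only new description in this change without a terminating period, and it does not say how these per-control results relate to the overall compliance result the object carries elsewhere in the file (not visible in this hunk). `"description": "A list of assessments associated with the compliance requirements evaluation. Each assessment records the result for an individual control or check that contributed to the overall evaluation."` would cover both. Stating that relationship matters because consumers will otherwise have to guess whether the list is exhaustive or a sample of the checks behind the verdict.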
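Review bot: The `data` description in the `policy` hunk says the attribute may hold `the underlying JSON policy itself`; the dictionary type for `data` is not in this diff, but if it is a JSON-typed attribute the description should say the policy is embedded as a JSON object rather than a stringified document, so consumers do not receive double-encoded JSON. Raw policy documents (for example cloud IAM policies or endpoint configuration profiles) can also carry principal identifiers, tenant IDs and other details that are sensitive in their own right, so a short caveat is warranted: `"description": "Additional data about the policy, such as the underlying policy document embedded as a JSON object, or other details. Raw policy documents may contain sensitive identifiers; producers should consider this before populating the attribute."`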