Add assessments to OCSF #1343
Merged (+78 −2)
Conversation
Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
floydtree reviewed Feb 11, 2025
Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
floydtree approved these changes Feb 19, 2025
query-jeremy approved these changes Feb 19, 2025
LGTM
zschmerber approved these changes Feb 19, 2025
query-jeremy pushed a commit to query-ai/ocsf-schema that referenced this pull request Feb 26, 2025
See [this thread](https://opencybersecu-lz97379.slack.com/archives/C05HLGHMKU2/p1738944570398689?thread_ts=1738942607.568969&cid=C05HLGHMKU2) in the Slack for more information on the backstory. Adds an `assessment` object that serves as a generalized Object that can contain normalized assessment/evaluation data of specific configurations or signals in a generalized fashion. For instance, this can be used to capture details for CrowdStrike Zero Trust Assessments of Hosts, to generalize assessment data of CSPM/DSPM platforms such as the various ways to express if logging, encryption, or private access is enabled, and to expand the `compliance` object for specific technical control assessments. It is important to separate these from the `Findings` Category as not every assessment results in a first party alert or detection triggering, for instance the CrowdStrike Zero Trust Assessments are passively conducted on certain hosts with Identity Protection and don't necessarily represent a negative finding. This also allows for more abstracted asset inventories built upon different sources where generic assessment data and metadata about the asset/entity itself can be centralized without needing to rely on multiple different Event Classes.
---------
Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Description of changes:
See [this thread](https://opencybersecu-lz97379.slack.com/archives/C05HLGHMKU2/p1738944570398689?thread_ts=1738942607.568969&cid=C05HLGHMKU2) in the Slack for more information on the backstory.
Adds an `assessment` object that serves as a generalized Object that can contain normalized assessment/evaluation data of specific configurations or signals in a generalized fashion. For instance, this can be used to capture details for CrowdStrike Zero Trust Assessments of Hosts, to generalize assessment data of CSPM/DSPM platforms such as the various ways to express if logging, encryption, or private access is enabled, and to expand the `compliance` object for specific technical control assessments.
It is important to separate these from the `Findings` Category as not every assessment results in a first party alert or detection triggering, for instance the CrowdStrike Zero Trust Assessments are passively conducted on certain hosts with Identity Protection and don't necessarily represent a negative finding.
This also allows for more abstracted asset inventories built upon different sources where generic assessment data and metadata about the asset/entity itself can be centralized without needing to rely on multiple different Event Classes.