ocsf · zschmerber · Feb 19, 2025 · Feb 7, 2025 · Feb 7, 2025 · Feb 7, 2025
@@ -45,12 +45,24 @@ Thankyou! -->
 * #### Dictionary Attributes
   1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
   1. Added `raw_data_size` as a `long_t`. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Added `assessments` as an array of `assessment` objects. #1343
+  1. Added `meets_criteria` as a `boolean_t`. #1343
+* #### Objects
+  1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343
 
 ### Improved
+* #### Event Classes
+  1. Added `assessments` to `config_state`. #1343
 * #### Objects
   1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `meets_criteria` and `policy` to `assessment` object. #1343
+  1. Added `assessments` to `compliance` object. #1343
+  1. Added `data` to `policy` object. #1343
+
+### Misc
   1. Relaxed constraint to provide `email_addr`, `phone_number`, or `security_questions` on `auth_factor`. [#1339](https://github.com/ocsf/ocsf-schema/pull/1339)
   1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Updated description of `config_state` to reflect the addition of the `assessments` object. #1343
 
 ## [v1.4.0] - January 31st, 2025
 

@@ -238,6 +238,17 @@
       "description": "The details of the group assigned to an Incident.",
       "type": "group"
     },
+    "assessment": {
+      "caption": "Assessment",
+      "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera.",
+      "type": "assessment"
+    },
+    "assessments": {
+      "caption": "Assessments",
+      "description": "A list of <code>assessment</code> objects.",
+      "type": "assessment",
+      "is_array": true
+    },
     "attacks": {
       "caption": "MITRE ATT&CK® Details",
       "description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing identified tactics, techniques & sub-techniques.",
@@ -3325,6 +3336,11 @@
         }
       ]
     },
+    "meets_criteria": {
+      "caption": "Meets Criteria",
+      "description": "Determines if an assessment, control, policy, or otherwise meets its assessment criteria. See specific usage.",
+      "type": "boolean_t"
+    },
     "metadata": {
       "caption": "Metadata",
       "description": "The metadata associated with the event or a finding.",

@@ -1,7 +1,7 @@
 {
   "uid": 23,
   "caption": "Cloud Resources Inventory Info",
-  "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
+  "description": "Cloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
   "extends": "discovery",
   "name": "cloud_resources_inventory_info",
   "attributes": {

@@ -1,7 +1,7 @@
 {
   "uid": 2,
   "caption": "Device Config State",
-  "description": "Device Config State events report device configuration data and CIS Benchmark results.",
+  "description": "Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.",
   "extends": "discovery",
   "name": "config_state",
   "attributes": {
@@ -10,6 +10,12 @@
       "requirement": "optional",
       "profile": null
     },
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the device.",
+      "group": "context",
+      "requirement": "optional"
+    },
     "cis_benchmark_result": {
       "group": "primary",
       "requirement": "recommended"

@@ -0,0 +1,33 @@
+{
+	"caption": "Assessment",
+	"description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera, or capture details of Microsoft Intune configuration policies.",
+	"extends": "_entity",
+	"name": "assessment",
+	"attributes": {
+		"category": {
+			"description": "The category that the assessment is part of. For example: <code>Prevention</code> or <code>Windows 10</code>.",
+			"requirement": "optional"
+		},
+		"desc": {
+			"description": "The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.",
+			"requirement": "recommended"
+		},
+		"meets_criteria": {
+			"description": "Determines whether the assessment against the specific configuration or signal meets the assessments criteria. For example, if the assessment checks if a <code>Datastore</code> is encrypted or not, having encryption would be evaluated as <code>true</code>.",
+			"requirement": "required"
+		},
+		"name": {
+			"description": "The name of the configuration or signal being assessed. For example: <code>Kernel Mode Code Integrity (KMCI)</code> or <code>publicAccessibilityState</code>.",
+			"requirement": "recommended"
+		},
+		"policy": {
+			"caption": "Assessment Policy",
+			"description": "The details of any policy associated with an assessment.",
+			"requirement": "optional"
+		},
+		"uid": {
+			"description": "The unique identifier of the configuration or signal being assessed. For example: the <code>signal_id</code>.",
+			"requirement": "optional"
+		}
+	}
+}
@@ -4,6 +4,11 @@
   "extends": "object",
   "name": "compliance",
   "attributes": {
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the compliance requirements evaluation",
+      "requirement": "optional"
+    },
     "compliance_references": {
       "requirement": "optional"
     },

@@ -4,6 +4,10 @@
   "extends": "_entity",
   "name": "policy",
   "attributes": {
+    "data": {
+      "description": "Additional data about the policy such as the underlying JSON policy itself or other details.",
+      "requirement": "optional"
+    },
     "desc": {
       "description": "The description of the policy.",
       "requirement": "optional"