Expand device with mobile device attributes

CHANGELOG.md

@@ -42,32 +42,38 @@ Thankyou! -->
 ## [Unreleased]
 
 ### Added
-* #### Dictionary Attributes 
-    1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
-    1. Added `raw_data_size` as a `long_t`. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
-    1. Added `assessments` as an array of `assessment` objects. #1343
-    1. Added `meets_criteria` as a `boolean_t`. #1343
-    1. Added `display_name` attribute as a `string_t`. [#1341](https://github.com/ocsf/ocsf-schema/pull/1341)
-    1. Added `is_directed` as a `boolean_t`, `relation` as a `string_t`, `query_language` & `query_language_id` a sibling pair. #1343
-    1. Added `resource_relationship` of type `graph`, `nodes` of type `node`, `edges` of type `edge`. #1343
+* #### Dictionary Attributes
+  1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `raw_data_size` as a `long_t`. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Added `assessments` as an array of `assessment` objects. #1343
+  1. Added `meets_criteria` as a `boolean_t`. #1343
+  1. Added `display_name` attribute as a `string_t`. [#1341](https://github.com/ocsf/ocsf-schema/pull/1341)
+  1. Added `is_directed` as a `boolean_t`, `relation` as a `string_t`, `query_language` & `query_language_id` a sibling pair. #1343
+  1. Added `resource_relationship` of type `graph`, `nodes` of type `node`, `edges` of type `edge`. #1343
+  1. Added `meets_criteria` as a `boolean_t`. #1343
+  1. Added `eid`, `iccid`, and `meid` as `string_t`. #1346
+  1. Added `is_backed_up`, `is_mobile_account_active`, and `is_shared` as `boolean_t`. #1346
+
 * #### Objects
-    1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343
-    1. Added `node`, `edge`, `graph` objects. #1343
+  1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343
+  1. Added `node`, `edge`, `graph` objects. #1343
 
 ### Improved
 * #### Event Classes
-    1. Added `assessments` to `config_state`. #1343
-    1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Added `assessments` to `config_state`. #1343
+  1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
 * #### Objects
-    1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
-    1. Relaxed constraint to provide `email_addr`, `phone_number`, or `security_questions` on `auth_factor`. [#1339](https://github.com/ocsf/ocsf-schema/pull/1339)
-    1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
-    1. Added `meets_criteria` and `policy` to `assessment` object. #1343
-    1. Added `assessments` to `compliance` object. #1343
-    1. Added `data` to `policy` object. #1343
-    1. Added `display_name` attribute to the `user` and `ldap_person` objects. [#1341](https://github.com/ocsf/ocsf-schema/pull/1341)
-    1. Added `resource_relationship` to `resource_details` object. #1343
-
+  1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Relaxed constraint to provide `email_addr`, `phone_number`, or `security_questions` on `auth_factor`. [#1339](https://github.com/ocsf/ocsf-schema/pull/1339)
+  1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `meets_criteria` and `policy` to `assessment` object. #1343
+  1. Added `assessments` to `compliance` object. #1343
+  1. Added `data` to `policy` object. #1343
+  1. Added `display_name` attribute to the `user` and `ldap_person` objects. [#1341](https://github.com/ocsf/ocsf-schema/pull/1341)
+  1. Added `resource_relationship` to `resource_details` object. #1343
+  1. Added `eid`, `iccid`, `is_backed_up`, `is_mobile_account_active`, `is_shared`, and `meid` to `device`. #1346
+  1. Added `is_backed_up` to `resource_details`. #1346
+
 ### Misc
   1. Updated description of `config_state` to reflect the addition of the `assessments` object. #1343
 
@@ -562,4 +568,4 @@ n/a
 
 ## [v1.0.0]
 
-Initial release of OCSF.
+Initial release of OCSF.

dictionary.json

@@ -2014,6 +2014,11 @@
       "description": "The operating system edition. For example: <code>Professional</code>.",
       "type": "string_t"
     },
+    "eid": {
+      "caption": "EID",
+      "description": "An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.",
+      "type": "string_t"
+    },
     "email": {
       "caption": "Email",
       "description": "The email object.",
@@ -2544,6 +2549,11 @@
       "description": "The name of the hypervisor running on the device. For example, <code>Xen</code>, <code>VMware</code>, <code>Hyper-V</code>, <code>VirtualBox</code>, etc.",
       "type": "string_t"
     },
+    "iccid": {
+      "caption": "ICCID",
+      "description": "The Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.",
+      "type": "string_t"
+    },
     "identifier_cookie": {
       "caption": "Identifier Cookie",
       "description": "The client identifier cookie during client/server exchange.",
@@ -2785,6 +2795,11 @@
       "description": "A determination if a policy, rule, or enforcement action was applied.",
       "type": "boolean_t"
     },
+    "is_backed_up": {
+      "caption": "Back Ups Configured",
+      "description": "Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the <code>cloudBackupEnabled</code> value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.",
+      "type": "boolean_t"
+    },
     "is_cleartext": {
       "caption": "Cleartext Credentials",
       "description": "Indicates whether the credentials were passed in clear text.<p><b>Note:</b> True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.</p>",
@@ -2850,6 +2865,11 @@
       "description": "Indicates whether Multi Factor Authentication was used during authentication.",
       "type": "boolean_t"
     },
+    "is_mobile_account_active": {
+      "caption": "Mobile Account Active",
+      "description": "Indicates whether the device has an active mobile account. For example, this is indicated by the <code>itunesStoreAccountActive</code> value within JAMF Pro mobile devices.",
+      "type": "boolean_t"
+    },
     "is_new_logon": {
       "caption": "New Logon",
       "description": "Indicates logon is from a device not seen before or a first time account logon.",
@@ -2890,6 +2910,11 @@
       "description": "Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).",
       "type": "boolean_t"
     },
+    "is_shared": {
+      "caption": "Shared Device",
+      "description": "The event occurred on a shared device.",
+      "type": "boolean_t"
+    },
     "is_superseded": {
       "caption": "The patch is superseded.",
       "description": "The vendor patch has been replaced by another.",
@@ -2900,6 +2925,11 @@
       "description": "A determination based on analytics as to whether a potential breach was found.",
       "type": "boolean_t"
     },
+    "is_supervised": {
+      "caption": "Supervised Device",
+      "description": "The event occurred on a supervised device. Devices that are supervised are typically mobile devices managed by a Mobile Device Management solution and are restricted from specific behaviors such as Apple AirDrop.",
+      "type": "boolean_t"
+    },
     "is_system": {
       "caption": "System",
       "description": "The indication of whether the object is part of the operating system.",
@@ -3329,6 +3359,11 @@
       "description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
       "type": "string_t"
     },
+    "meid": {
+      "caption": "MEID",
+      "description": "The Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.",
+      "type": "string_t"
+    },
     "message": {
       "caption": "Message",
       "description": "The description of the event/finding, as defined by the source.",
@@ -5434,6 +5469,11 @@
       "type": "string_t",
       "is_array": true
     },
+    "udid": {
+      "caption": "Unique Device Identifier",
+      "description": "The Unique Device Identifier, used for iOS and macOS devices.",
+      "type": "string_t"
+    },
     "uid": {
       "caption": "Unique ID",
       "description": "The unique identifier. See specific usage.",

objects/device.json

@@ -24,6 +24,9 @@
       "description": "The network domain where the device resides. For example: <code>work.example.com</code>.",
       "requirement": "optional"
     },
+    "eid": {
+      "requirement": "optional"
+    },
     "first_seen_time": {
       "description": "The initial discovery time of the device.",
       "requirement": "optional"
@@ -43,6 +46,9 @@
       "description": "The image used as a template to run the virtual machine.",
       "requirement": "optional"
     },
+    "iccid": {
+      "requirement": "optional"
+    },
     "imei": {
       "requirement": "optional"
     },
@@ -53,15 +59,27 @@
       "description": "The device IP address, in either IPv4 or IPv6 format.",
       "requirement": "optional"
     },
+    "is_backed_up": {
+      "requirement": "optional"
+    },
     "is_compliant": {
       "requirement": "optional"
     },
     "is_managed": {
       "requirement": "optional"
     },
+    "is_mobile_account_active": {
+      "requirement": "optional"
+    },
     "is_personal": {
       "requirement": "optional"
     },
+    "is_shared": {
+      "requirement": "optional"
+    },
+    "is_supervised": {
+      "requirement": "optional"
+    },
     "is_trusted": {
       "requirement": "optional"
     },
@@ -73,6 +91,9 @@
       "description": "The geographical location of the device.",
       "requirement": "optional"
     },
+    "meid": {
+      "requirement": "optional"
+    },
     "model": {
       "description": "The model of the device. For example <code>ThinkPad X1 Carbon</code>.",
       "requirement": "optional"
@@ -119,6 +140,9 @@
       "description": "The device type ID.",
       "requirement": "required"
     },
+    "udid": {
+      "requirement": "optional"
+    },
     "uid": {
       "description": "The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.",
       "requirement": "recommended"

objects/resource_details.json

@@ -27,6 +27,9 @@
       "description": "The IP address of the resource, in either IPv4 or IPv6 format.",
       "requirement": "recommended"
     },
+    "is_backed_up": {
+      "requirement": "optional"
+    },
     "name": {
       "observable": 38,
       "requirement": "recommended"