Add assessments to OCSF (ocsf#1343)

See [this
thread](https://opencybersecu-lz97379.slack.com/archives/C05HLGHMKU2/p1738944570398689?thread_ts=1738942607.568969&cid=C05HLGHMKU2)
in the Slack for more information on the backstory.

Adds an `assessment` object that serves as a generalized Object that can
contain normalized assessment/evaluation data of specific configurations
or signals in a generalized fashion. For instance, this can be used to
capture details for CrowdStrike Zero Trust Assessments of Hosts, to
generalize assessment data of CSPM/DSPM platforms such as the various
ways to express if logging, encryption, or private access is enabled,
and to expand the `compliance` object for specific technical control
assessments.

It is important to separate these from the `Findings` Category as not
every assessment results in a first party alert or detection triggering,
for instance the CrowdStrike Zero Trust Assessments are passively
conducted on certain hosts with Identity Protection and don't
necessarily represent a negative finding.

This also allows for more abstracted asset inventories built upon
different sources where generic assessment data and metadata about the
asset/entity itself can be centralized without needing to rely on
multiple different Event Classes.

---------

Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>

CHANGELOG.md

@@ -43,10 +43,22 @@ Thankyou! -->
 
 ### Added
 <<<<<<< HEAD
+<<<<<<< HEAD
 * #### Event Classes
     1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+=======
+* #### Dictionary Attributes
+  1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `raw_data_size` as a `long_t`. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Added `assessments` as an array of `assessment` objects. #1343
+  1. Added `meets_criteria` as a `boolean_t`. #1343
+* #### Objects
+  1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343
+>>>>>>> fa6af6aa (Add `assessments` to OCSF (#1343))
 
 ### Improved
+* #### Event Classes
+  1. Added `assessments` to `config_state`. #1343
 * #### Objects
     1. Added `phone_number` to `user` and `ldap_person` objects. #1155
     2. Added `has_mfa` to `user` object. #1155
@@ -73,7 +85,13 @@ Thankyou! -->
   1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
 * #### Objects
   1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `meets_criteria` and `policy` to `assessment` object. #1343
+  1. Added `assessments` to `compliance` object. #1343
+  1. Added `data` to `policy` object. #1343
+
+### Misc
   1. Relaxed constraint to provide `email_addr`, `phone_number`, or `security_questions` on `auth_factor`. [#1339](https://github.com/ocsf/ocsf-schema/pull/1339)
+<<<<<<< HEAD
   1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
   1. Added `meets_criteria` and `policy` to `assessment` object. #1343
   1. Added `assessments` to `compliance` object. #1343
@@ -91,6 +109,10 @@ Thankyou! -->
 4. Added `has_mfa` boolean_t to Dictionary. #1155
 5. Deprecate `project_uid`. #1166
 6. Added several new enums to `account.type_id`. #1166
+=======
+  1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Updated description of `config_state` to reflect the addition of the `assessments` object. #1343
+>>>>>>> fa6af6aa (Add `assessments` to OCSF (#1343))
 
 ## [v1.3.0] - August 1st, 2024
 

dictionary.json

@@ -238,6 +238,17 @@
       "description": "The details of the group assigned to an Incident.",
       "type": "group"
     },
+    "assessment": {
+      "caption": "Assessment",
+      "description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera.",
+      "type": "assessment"
+    },
+    "assessments": {
+      "caption": "Assessments",
+      "description": "A list of <code>assessment</code> objects.",
+      "type": "assessment",
+      "is_array": true
+    },
     "attacks": {
       "caption": "MITRE ATT&CK® Details",
       "description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing identified tactics, techniques & sub-techniques.",
@@ -3349,6 +3360,11 @@
         }
       ]
     },
+    "meets_criteria": {
+      "caption": "Meets Criteria",
+      "description": "Determines if an assessment, control, policy, or otherwise meets its assessment criteria. See specific usage.",
+      "type": "boolean_t"
+    },
     "metadata": {
       "caption": "Metadata",
       "description": "The metadata associated with the event or a finding.",

events/discovery/cloud_resources_inventory_info.json

@@ -1,7 +1,7 @@
 {
   "uid": 23,
   "caption": "Cloud Resources Inventory Info",
-  "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
+  "description": "Cloud Resources Inventory Info events report cloud asset inventory data. This data can be either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
   "extends": "discovery",
   "name": "cloud_resources_inventory_info",
   "attributes": {

events/discovery/config_state.json

@@ -1,7 +1,7 @@
 {
   "uid": 2,
   "caption": "Device Config State",
-  "description": "Device Config State events report device configuration data and CIS Benchmark results.",
+  "description": "Device Config State events report device configuration data, device assessments, and/or CIS Benchmark results.",
   "extends": "discovery",
   "name": "config_state",
   "attributes": {
@@ -10,6 +10,12 @@
       "requirement": "optional",
       "profile": null
     },
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the device.",
+      "group": "context",
+      "requirement": "optional"
+    },
     "cis_benchmark_result": {
       "group": "primary",
       "requirement": "recommended"

objects/assessment.json

@@ -0,0 +1,33 @@
+{
+	"caption": "Assessment",
+	"description": "The Assessment object describes a point-in-time assessment, check, or evaluation of a specific configuration or signal against an asset, entity, person, or otherwise. For example, this can encapsulate <code>os_signals</code> from CrowdStrike Falcon Zero Trust Assessments, or account for <code>Datastore</code> configurations from Cyera, or capture details of Microsoft Intune configuration policies.",
+	"extends": "_entity",
+	"name": "assessment",
+	"attributes": {
+		"category": {
+			"description": "The category that the assessment is part of. For example: <code>Prevention</code> or <code>Windows 10</code>.",
+			"requirement": "optional"
+		},
+		"desc": {
+			"description": "The description of the assessment criteria, or a description of the specific configuration or signal the assessment is targeting.",
+			"requirement": "recommended"
+		},
+		"meets_criteria": {
+			"description": "Determines whether the assessment against the specific configuration or signal meets the assessments criteria. For example, if the assessment checks if a <code>Datastore</code> is encrypted or not, having encryption would be evaluated as <code>true</code>.",
+			"requirement": "required"
+		},
+		"name": {
+			"description": "The name of the configuration or signal being assessed. For example: <code>Kernel Mode Code Integrity (KMCI)</code> or <code>publicAccessibilityState</code>.",
+			"requirement": "recommended"
+		},
+		"policy": {
+			"caption": "Assessment Policy",
+			"description": "The details of any policy associated with an assessment.",
+			"requirement": "optional"
+		},
+		"uid": {
+			"description": "The unique identifier of the configuration or signal being assessed. For example: the <code>signal_id</code>.",
+			"requirement": "optional"
+		}
+	}
+}

objects/compliance.json

@@ -4,6 +4,11 @@
   "extends": "object",
   "name": "compliance",
   "attributes": {
+    "assessments": {
+      "caption": "Related Assessments",
+      "description": "A list of assessments associated with the compliance requirements evaluation",
+      "requirement": "optional"
+    },
     "compliance_references": {
       "requirement": "optional"
     },

objects/policy.json

@@ -4,6 +4,10 @@
   "extends": "_entity",
   "name": "policy",
   "attributes": {
+    "data": {
+      "description": "Additional data about the policy such as the underlying JSON policy itself or other details.",
+      "requirement": "optional"
+    },
     "desc": {
       "description": "The description of the policy.",
       "requirement": "optional"