Expand device with mobile device attributes (ocsf#1346)

Currently `device` supports `imei` (deprecated) and `imei_list`. There are several other IDs used within mobile devices that are recorded by MDM tools such as Intune, JAMF Pro, and even CrowdStrike. Adds `eid`, `iccid`, and `meid` to the Dictionary and to `device`. See this example from JAMF Mobile Devices `NETWORK` attributes. ```json "network": { "cellularTechnology": "Unknown", "voiceRoamingEnabled": false, "imei": "59 105109 176278 3", "iccid": "8991101200003204514", "meid": "15302309236898", "eid": "12547444452496388545569920380795", "carrierSettingsVersion": "33.1", "currentCarrierNetwork": "Verizon Wireless", "currentMobileCountryCode": "311", "currentMobileNetworkCode": "480", "homeCarrierNetwork": "Verizon", "homeMobileCountryCode": "US", "homeMobileNetworkCode": "480", "dataRoamingEnabled": true, "roaming": false, "personalHotspotEnabled": false, "phoneNumber": "555-555-5555 ext 5" }, ``` Additionally, extra bools are added: `is_backed_up`, `is_mobile_account_active`, and `is_shared` to reflect similar attributes within JAMF Pro data, but `is_backed_up` and `is_shared` can be re-used for other use cases. --------- Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
query-ai · Feb 26, 2025 · ad6ee5f · ad6ee5f
1 parent 833f1b3
commit ad6ee5f
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,6 +42,7 @@ Thankyou! -->
 ## [v1.4.0] - January 31st, 2025
 
 ### Added
+<<<<<<< HEAD
 * #### Event Classes
     1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
 
@@ -50,6 +51,39 @@ Thankyou! -->
     1. Added `phone_number` to `user` and `ldap_person` objects. #1155
     2. Added `has_mfa` to `user` object. #1155
 
+=======
+* #### Dictionary Attributes 
+  1. Added `boot_uid` as a `string_t`. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `raw_data_size` as a `long_t`. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+  1. Added `assessments` as an array of `assessment` objects. #1343
+  1. Added `meets_criteria` as a `boolean_t`. #1343
+  1. Added `display_name` attribute as a `string_t`. [#1341](https://github.com/ocsf/ocsf-schema/pull/1341)
+  1. Added `is_directed` as a `boolean_t`, `relation` as a `string_t`, `query_language` & `query_language_id` a sibling pair. #1343
+  1. Added `resource_relationship` of type `graph`, `nodes` of type `node`, `edges` of type `edge`. #1343
+  1. Added `fix_coverage` as `string_t` and `fix_coverage_id` as `int_t`. #1350
+  1. Added `eid`, `iccid`, and `meid` as `string_t`. #1346
+  1. Added `is_backed_up`, `is_mobile_account_active`, and `is_shared` as `boolean_t`. #1346
+* #### Objects
+  1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343
+  1. Added `node`, `edge`, `graph` objects. #1343
+
+### Improved
+* #### Event Classes
+  1. Added `assessments` to `config_state`. #1343
+  1. Added `raw_data_size` to `base_event` object. [#1347](https://github.com/ocsf/ocsf-schema/pull/1347)
+* #### Objects
+  1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Relaxed constraint to provide `email_addr`, `phone_number`, or `security_questions` on `auth_factor`. [#1339](https://github.com/ocsf/ocsf-schema/pull/1339)
+  1. Added `boot_uid` to `device` object. [#1335](https://github.com/ocsf/ocsf-schema/pull/1335)
+  1. Added `meets_criteria` and `policy` to `assessment` object. #1343
+  1. Added `assessments` to `compliance` object. #1343
+  1. Added `data` to `policy` object. #1343
+  1. Added `display_name` attribute to the `user` and `ldap_person` objects. [#1341](https://github.com/ocsf/ocsf-schema/pull/1341)
+  1. Added `resource_relationship` to `resource_details` object. #1343
+  1. Added `fix_coverage`, `fix_coverage_id` to `vulnerability` object. #1350
+  1. Added `eid`, `iccid`, `is_backed_up`, `is_mobile_account_active`, `is_shared`, and `meid` to `device`. #1346
+  1. Added `is_backed_up` to `resource_details`. #1346
+>>>>>>> e3efe4a8 (Expand `device` with mobile device attributes (#1346))
 ### Misc
 1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
 2. Added `group.name` and `group.uid` as Observable types - `type_id: 32` and `type_id: 33`, respectively. #1155
@@ -549,4 +583,4 @@ n/a
 
 ## [v1.0.0]
 
-Initial release of OCSF.
+Initial release of OCSF.
diff --git a/dictionary.json b/dictionary.json
@@ -1981,6 +1981,11 @@
       "description": "The operating system edition. For example: <code>Professional</code>.",
       "type": "string_t"
     },
+    "eid": {
+      "caption": "EID",
+      "description": "An Embedded Identity Document, is a unique serial number that identifies an eSIM-enabled device.",
+      "type": "string_t"
+    },
     "email": {
       "caption": "Email",
       "description": "The email object.",
@@ -2506,6 +2511,11 @@
       "description": "The name of the hypervisor running on the device. For example, <code>Xen</code>, <code>VMware</code>, <code>Hyper-V</code>, <code>VirtualBox</code>, etc.",
       "type": "string_t"
     },
+    "iccid": {
+      "caption": "ICCID",
+      "description": "The Integrated Circuit Card Identification of a mobile device. Typically it is a unique 18 to 22 digit number that identifies a SIM card.",
+      "type": "string_t"
+    },
     "identifier_cookie": {
       "caption": "Identifier Cookie",
       "description": "The client identifier cookie during client/server exchange.",
@@ -2747,6 +2757,11 @@
       "description": "A determination if a policy, rule, or enforcement action was applied.",
       "type": "boolean_t"
     },
+    "is_backed_up": {
+      "caption": "Back Ups Configured",
+      "description": "Indicates whether the device or resource has a backup enabled, such as an automated snapshot or a cloud backup. For example, this is indicated by the <code>cloudBackupEnabled</code> value within JAMF Pro mobile devices or the registration of an AWS ARN with the AWS Backup service.",
+      "type": "boolean_t"
+    },
     "is_cleartext": {
       "caption": "Cleartext Credentials",
       "description": "Indicates whether the credentials were passed in clear text.<p><b>Note:</b> True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.</p>",
@@ -2807,6 +2822,11 @@
       "description": "Indicates whether Multi Factor Authentication was used during authentication.",
       "type": "boolean_t"
     },
+    "is_mobile_account_active": {
+      "caption": "Mobile Account Active",
+      "description": "Indicates whether the device has an active mobile account. For example, this is indicated by the <code>itunesStoreAccountActive</code> value within JAMF Pro mobile devices.",
+      "type": "boolean_t"
+    },
     "is_new_logon": {
       "caption": "New Logon",
       "description": "Indicates logon is from a device not seen before or a first time account logon.",
@@ -2847,6 +2867,11 @@
       "description": "Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).",
       "type": "boolean_t"
     },
+    "is_shared": {
+      "caption": "Shared Device",
+      "description": "The event occurred on a shared device.",
+      "type": "boolean_t"
+    },
     "is_superseded": {
       "caption": "The patch is superseded.",
       "description": "The vendor patch has been replaced by another.",
@@ -2857,6 +2882,11 @@
       "description": "A determination based on analytics as to whether a potential breach was found.",
       "type": "boolean_t"
     },
+    "is_supervised": {
+      "caption": "Supervised Device",
+      "description": "The event occurred on a supervised device. Devices that are supervised are typically mobile devices managed by a Mobile Device Management solution and are restricted from specific behaviors such as Apple AirDrop.",
+      "type": "boolean_t"
+    },
     "is_system": {
       "caption": "System",
       "description": "The indication of whether the object is part of the operating system.",
@@ -3286,6 +3316,11 @@
       "description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
       "type": "string_t"
     },
+    "meid": {
+      "caption": "MEID",
+      "description": "The Mobile Equipment Identifier. It's a unique number that identifies a Code Division Multiple Access (CDMA) mobile device.",
+      "type": "string_t"
+    },
     "message": {
       "caption": "Message",
       "description": "The description of the event/finding, as defined by the source.",
@@ -5334,6 +5369,11 @@
       "type": "string_t",
       "is_array": true
     },
+    "udid": {
+      "caption": "Unique Device Identifier",
+      "description": "The Unique Device Identifier, used for iOS and macOS devices.",
+      "type": "string_t"
+    },
     "uid": {
       "caption": "Unique ID",
       "description": "The unique identifier. See specific usage.",

diff --git a/objects/device.json b/objects/device.json
@@ -24,6 +24,9 @@
       "description": "The network domain where the device resides. For example: <code>work.example.com</code>.",
       "requirement": "optional"
     },
+    "eid": {
+      "requirement": "optional"
+    },
     "first_seen_time": {
       "description": "The initial discovery time of the device.",
       "requirement": "optional"
@@ -43,6 +46,9 @@
       "description": "The image used as a template to run the virtual machine.",
       "requirement": "optional"
     },
+    "iccid": {
+      "requirement": "optional"
+    },
     "imei": {
       "requirement": "optional"
     },
@@ -53,15 +59,27 @@
       "description": "The device IP address, in either IPv4 or IPv6 format.",
       "requirement": "optional"
     },
+    "is_backed_up": {
+      "requirement": "optional"
+    },
     "is_compliant": {
       "requirement": "optional"
     },
     "is_managed": {
       "requirement": "optional"
     },
+    "is_mobile_account_active": {
+      "requirement": "optional"
+    },
     "is_personal": {
       "requirement": "optional"
     },
+    "is_shared": {
+      "requirement": "optional"
+    },
+    "is_supervised": {
+      "requirement": "optional"
+    },
     "is_trusted": {
       "requirement": "optional"
     },
@@ -73,6 +91,9 @@
       "description": "The geographical location of the device.",
       "requirement": "optional"
     },
+    "meid": {
+      "requirement": "optional"
+    },
     "model": {
       "description": "The model of the device. For example <code>ThinkPad X1 Carbon</code>.",
       "requirement": "optional"
@@ -119,6 +140,9 @@
       "description": "The device type ID.",
       "requirement": "required"
     },
+    "udid": {
+      "requirement": "optional"
+    },
     "uid": {
       "description": "The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.",
       "requirement": "recommended"

diff --git a/objects/resource_details.json b/objects/resource_details.json
@@ -27,6 +27,9 @@
       "description": "The IP address of the resource, in either IPv4 or IPv6 format.",
       "requirement": "recommended"
     },
+    "is_backed_up": {
+      "requirement": "optional"
+    },
     "name": {
       "observable": 38,
       "requirement": "recommended"