All notable changes to this project will be documented in this file. [Unreleased]
section at the top, will be used to track upcoming changes.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
-
- Added
Remediation
category. #1066
- Added
-
- Added
Event Log Activity
event class. #1014 - Added
Remediation Activity
File Remediation Activity
Process Remediation Activity
Network Remediation Activity
event classes. #1066
- Added
-
- Added
d3fend
d3f_tactic
d3f_technique
MITRE objects. #1066 - Added
ja4_fingerprint
object. #834 - Added
ja4_fingerprint_list
as a list ofja4_fingerprint
objects. #834 - Added
ticket
object. #1068
- Added
-
- Added
file_result
to File Hosting Activity. #1045 - Added entries to
injection_type_id
enum (Process Activity
) andactivity_id
enum (Memory Activity
). #1060 - Added a
Restart
,Enable
,Disable
, andUpdate
activity_id
to theApplication Lifecycle
class. #1064 - Added
ja4_fingerprint_list
to base network event class. #834
- Added
-
- Added
ext
toFile
object. #1046 - Added
account
,device
,email
,url
,user
toevidences
in detection finding. #1000 - Added
state_id
,state
toDigital Signature
object. #1069 - Added
ticket
toIncident Finding
object. ticket. #1068
- Added
1. Colorized validator output #1048
* Updated the GitHub workflow for the `ocsf-validator` to print colorized output.
2. Clarify how to reference profiles in metadata #1056
* Updated the description of `metadata.profiles` to clarify the correct way to reference a profile in that list.
3. Added a `gitignore` file. #1071
4. New Extension registration for Cisco #1074
5. Cleaned up MITRE trademarks and registrations for captions and descriptions.
-
n/a
-
- Added
Data Security Finding
event class. #953 - Added
File Query
event class. #967 - Added
Folder Query
event class. #967 - Added
Group Query
event class. #967 - Added
Job Query
event class. #967 - Added
Kernel Object Query
event class. #967 - Added
Module Query
event class. #967 - Added
Network Connection Query
event class. #967 - Added
Networks Query
event class. #967 - Added
Peripheral Device Query
event class. #967 - Added
Prefetch Query
event class. #967 - Added
Process Query
event class. #967 - Added
Registry Key Query
event class. #967 - Added
Registry Value Query
event class. #967 - Added
Service Query
event class. #967 - Added
Session Query
event class. #967 - Added
User Query
event class. #967 - Added
Tunnel Activity
event class. #1012
- Added
-
- Added
data_classification
profile. #998
- Added
-
- Added
auth_factor
object. #949 - Added
data_security
object. #953 - Added
autonomous_system
object. #978 - Added
agent
object. #987 - Added
data_classification
object. #998
- Added
-
- Added
port_t
subnet_t
cmd_line
country
pid
cwe.uid
cve.uid
user_agent
enum items. #1035
- Added
-
n/a
-
- Added
auth_factors
array to Authentication event class. #949 - Modified all classes such that primary attributes are at least recommended. #974
- Added
src_endpoint
,http_request
attributes to all IAM category classes. #976 - Added
autonomous_system
tonetwork_endpoint
objects. #978 - Added
List
,Encrypt
andDecrypt
activities todatastore
event class. #989 - Added
file
attribute tohttp
,rdp
,ssh
, andftp
event classes. #985 - Added a
Preauth
activity_id
to theAuthentication
class. #1018 - Added the
Security Control
profile to theDatastore Activity
class. #1030 - Added
risk_details
to Detection Finding. #1032
- Added
-
n/a
-
- Expanded
type_id
enum inanalytic
object to account for more use-cases: #9535 - Fingerprinting
6 - Tagging
7 - Keyword Match
8 - Regular Expressions
9 - Exact Data Match
10 - Partial Data Match
11 - Indexed Data Match
- Added
lat
,long
,geohash
attributes tolocation
object. #971. - Added
risk_score
,risk_level_id
,risk_level
touser
object. Issue #972. - Added
app_name
,app_uid
toactor
object. Issue #966, PR #979. - Added
container
,database
,databucket
to theevidences
object. #984 - Added
owner
toendpoint
object. #987 - Added
is_applied
Boolean attribute topolicy
object. #987 - Added
agent_list
as an array ofagent
objects. #987 - Added
policies
object as an array ofpolicy
objects. #987 - Added
agent_list
toendpoint
object. #987 - Added
labels
to theAccount
object. #1028 - Added
data_classification
profile todatabase
,databucket
,email
,file
,metadata
,product
,resource_details
andweb_resource
objects. #998
- Expanded
-
n/a
1. Changed datatype of `priority` attribute, from `integer_t` to `string_t` #959
2. Extended `email_t` regexp to allow characters from RFC5322 before @.
3. Updated `logon_type_id` enum to include `0` as `Unknown`. Added enum item `1` as `System`. #1055
1. Deprecated `coordinates` attribute in favor of specific `lat`, `long` attributes. #971
2. Deprecated `invoked_by` attribute in the `Actor` object in favor of `app_name`. #979.
n/a
1. New Extension registration for Sedara. #951
2. Corrected punctuation for the `transmit_time` attribute. #1001
3. New ways to define observables in the metaschema. #982 and #993
* (Current) Dictionary types using `observable` property in dictionary types. This allows defining all occurrences of attributes of this type as an observable.
* (Current) Objects using top-level `observable` property. This allows defining all occurrences attributes whose type is this object as an observable.
* _**(New)**_ Dictionary attributes using `observable` property in attribute. This allows defining all occurrences of this attribute as an observable.
* _**(New)**_ Object-specific attributes using `observable` property class's attributes. This allows defining object attributes as observables _only_ within instances of this specific object.
* _**(New)**_ Event class-specific attributes using `observable` property class's attributes. This allows defining class attributes as observables _only_ within instances of this specific class.
* _**(New)**_ Event class-specific attribute _paths_ using top-level `observables` property. The `observables` property holds an object mapping from an dotted attribute path to an observable `type_id`. This allows defining an observables _only_ within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient that defining a class attribute observable for classes that extend another, but don't otherwise change a attribute definition.
4. Metaschema improvements. #993
* Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: invalid `observable` property in event classes, and invalid `observables` property in objects.
* Remove hard-coded list of categories from `metaschema/categories.schema.json`, leaving this to the `ocsf-validator`. This change makes testing with alternate schemas that may add extra categories easier, as well as making it possible to validate private extensions that contain new categories.
5. Metaschema error reporting #1027
* Updated the definition of `object` and `event` so that metaschema errors reported by the validator with nested properties correctly attribute the error to the property with the error, rather than the top-level class.
-
n/a
-
- Added
User Inventory Info
event class. #667 - Added
Vulnerability Finding
event class. #698 - Added
NTP Activity
event class #705 - Added
OS Patch State
event class. #746 - Added
Datastore Activity
event class 6005. #874 - Added
Detection Finding
event class. #877 - Added
Incident Finding
event class. #903 - Added
Device Config Sate Change
event class. #914 - Added
Scan Activity
event class. #915 - Added
File Hosting Activity
event class. #917
- Added
-
- Added
Network Proxy
Profile for theNetwork Activity
andApplication Activity
classes. #705 - Added
Load Balancer
Profile for the Network Activity classes. #897
- Added
-
- Added new
cwe
object tocve
andvulnerability
objects. #678 - Added Firewall Rule object. #685
- Added new
kb_article
object to house Knowledgebase Article info. #709 #862 #924 - Added new
epss
object to thecve
object. #741
- Added new
-
- Improved Findings Category, with new and domain specific event classes (Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding), description updates across the board. #895 #907 #903 #698 #718
-
- Added
MFA Enable
andDisable
toactivity_id
to the Account Change event class. #724 - Added
Service Ticket Renew
toactivity_id
of the Authentication event class. #765 - Added
url
attribute to Network Activity event class. #857 - Added
http_request
,http_response
,tls
attributes,network_proxy
profile to Web Resources Activity event class. #895 - Adjusted requirement of
dst_endpoint
fromrequired
torecommended
in the DNS Activity event class. #901 - Added
Create
andDelete
toactivity_id
of the Group Management event class. #929
- Added
-
- Improved
security_control
profile to include access control semantics, firewall properties. #851 #888 #889 #906
- Improved
-
- Added
url_string
attribute to theproduct
and theweb_resource
objects. #675 - Added
type
andtype_id
attributes to theendpoint
object. #690 - Added
cwe
,desc
,references
andtitle
tocve
object. #698 - Added
affected_package
object andaffected_packages
attribute tovulnerability
object. #698 - Added
purl
topackage
object. #698 - Added
cpe_name
attribute to theproduct
and os objects. #713 #731 - Added
container
anddata
toresponse
andrequest
objects. #738 - Added
group
to theapi
object. #738 - Added
namespace
to theresource_details
object. #738 - Added
log_level
to themetadata
object. #738 - Added
length
to thehttp_request
object. #768 - Added
is_exploit_available
to thevulnerability
object. #777 - Added
domain
attribute to thegroup
object. #871 - Adjusted attribute requirements in
dns_query
,dns_answer
objects. #879 - Added firewall, router, switch, hub to endpoint
type_id
enum. #921 - Added
is_vpn
to thesession
object. #922 - Added
state
tonetwork_connection_info
object. #932
- Added
n/a
- Deprecated
cwe_uid
andcwe_url
attributes and removed fromcve
object. #678 - Deprecated
http_status
attribute fromHTTP Activity
event to be replaced byhttp_response.code
. #767 - Deprecated
finding
object in favor offinding_info
object. #769 - Deprecated
proxy
attribute from the dictionary, in favor ofNetwork Proxy
profile. #856 - Deprecated
group_name
attribute. #873 - Deprecated
Security Finding
class to be replaced by the new specific classes according to the use-case:Vulnerability Finding
,Compliance Finding
,Detection Finding
,Incident Finding
. #877 - Deprecated
Web Resources Access Activity
event class. #890 - Deprecated
Network File Activity
event class in favor ofFile Hosting Activity
#917 - Deprecated
extension_list
in TLS object in favor oftls_extension_list
. #936
n/a
- New Extension registration for SentinelOne. #706
- Added json-schema based metaschema validation to ensure correctness, consistency of the JSON definitions. #736 #830 #867 #892
- Increased
max_len
forsubnet_t
type from40
to42
. #745 - Improved the regex for
ip_t
type. #745 - Updated the
datetime_t
validation regex to enable validation of timestamps, and to ensure that timestamps not matchingRFC-3339
are not considered valid. #753 - Added version information to the native extensions. #881
- Updated caption and description of Observable type -
File Hash
to readHash
. #900 - New Extension registration for DataBee. #912
- Changed data-type of
type_uid
tolong_t
fromint_t
. #928
Initial release of OCSF.