Merge pull request #469 from splunk/main

Add missing user session attributes
ocsf · Feb 1, 2023 · af6412f · af6412f
2 parents 5a74371 + 4fa43b3
commit af6412f
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 34 deletions.
diff --git a/dictionary.json b/dictionary.json
@@ -2616,8 +2616,8 @@
       "type": "service"
     },
     "session": {
-      "caption": "Session",
-      "description": "This object describes details about an authenticated session. e.g. Session Creation Time, Session Issuer.",
+      "caption": "User Session",
+      "description": "The authenticated user session.",
       "type": "session"
     },
     "severity": {
@@ -3031,7 +3031,7 @@
     },
     "vulnerabilities": {
       "caption": "Vulnerabilities",
-      "description": "This object describes vulnerabilities reported in a security finding",
+      "description": "This object describes vulnerabilities reported in a security finding.",
       "is_array": true,
       "type": "vulnerability"
     },

diff --git a/events/audit/authentication.json b/events/audit/authentication.json
@@ -4,20 +4,6 @@
   "extends": "audit",
   "name": "authentication",
   "uid": 2,
-  "associations": {
-    "dst_endpoint": [
-      "user"
-    ],
-    "user": [
-      "dst_endpoint"
-    ],
-    "src_endpoint": [
-      "actor.user"
-    ],
-    "actor.user": [
-      "src_endpoint"
-    ]
-  },
   "attributes": {
     "activity_id": {
       "enum": {
@@ -57,20 +43,11 @@
       "group": "primary",
       "requirement": "required"
     },
-    "http_request":{
+    "http_request": {
       "description": "Details about the underlying http request.",
       "group": "context",
       "requirement": "optional"
     },
-    "mfa": {
-      "group": "primary",
-      "requirement": "optional"
-    },
-    "user": {
-      "description": "The target identity (user/role) to authenticate.",
-      "group": "primary",
-      "requirement": "required"
-    },
     "is_cleartext": {
       "group": "primary",
       "requirement": "optional"
@@ -90,13 +67,40 @@
       "group": "primary",
       "requirement": "recommended"
     },
+    "mfa": {
+      "group": "primary",
+      "requirement": "optional"
+    },
+    "session": {
+      "description": "The new session of the authenticated user.",
+      "requirement": "optional"
+    },
     "src_endpoint": {
       "description": "The Endpoint from which the authentication was requested.",
       "group": "primary",
       "requirement": "optional"
     },
     "status_detail": {
       "description": "The details about the authentication request. For example, possible details for Windows logon or logoff events are:<ul><li>Success</li><ul><li>LOGOFF_USER_INITIATED</li><li>LOGOFF_OTHER</li></ul><li>Failure</li><ul><li>USER_DOES_NOT_EXIST</li><li>INVALID_CREDENTIALS</li><li>ACCOUNT_DISABLED</li><li>ACCOUNT_LOCKED_OUT</li><li>PASSWORD_EXPIRED</li></ul></ul>"
+    },
+    "user": {
+      "description": "The target identity (user/role) to authenticate.",
+      "group": "primary",
+      "requirement": "required"
     }
+  },
+  "associations": {
+    "actor.user": [
+      "src_endpoint"
+    ],
+    "dst_endpoint": [
+      "user"
+    ],
+    "src_endpoint": [
+      "actor.user"
+    ],
+    "user": [
+      "dst_endpoint"
+    ]
   }
 }
diff --git a/events/audit/authorization.json b/events/audit/authorization.json
@@ -26,6 +26,10 @@
       "group": "primary",
       "requirement": "required"
     },
+    "session": {
+      "description": "The modified user session.",
+      "requirement": "optional"
+    },
     "user": {
       "description": "The user to which new privileges were assigned.",
       "group": "primary",

diff --git a/objects/actor.json b/objects/actor.json
@@ -1,6 +1,6 @@
 {
-  "description": "The actor object describes details about the user/role/process that was the source of the activity.",
   "caption": "Actor",
+  "description": "The actor object describes details about the user/role/process that was the source of the activity.",
   "name": "actor",
   "attributes": {
     "authorizations": {
@@ -12,13 +12,14 @@
     "invoked_by": {
       "requirement": "optional"
     },
-    "session": {
-      "requirement": "optional"
-    },
     "process": {
       "description": "The process that initiated the activity.",
       "requirement": "recommended"
     },
+    "session": {
+      "description": "The user session from which the activity was initiated.",
+      "requirement": "optional"
+    },
     "user": {
       "description": "The user that initiated the activity or the user context from which the activity was initiated.",
       "requirement": "recommended"

diff --git a/objects/process.json b/objects/process.json
@@ -68,6 +68,10 @@
     "sandbox": {
       "requirement": "optional"
     },
+    "session": {
+      "description": "The user session under which this process is running.",
+      "requirement": "optional"
+    },
     "terminated_time": {
       "description": "The time when the process was terminated.",
       "requirement": "optional"
@@ -81,8 +85,8 @@
       "requirement": "recommended"
     },
     "user": {
-      "description": "The user context under which this process is running.",
-      "caption": "Process user context",
+      "description": "The user under which this process is running.",
+      "caption": "User",
       "requirement": "recommended"
     },
     "xattributes": {

diff --git a/version.json b/version.json
@@ -1,3 +1,3 @@
 {
-  "version": "0.99.1"
+  "version": "0.99.2"
 }