# Releases: ocsf/ocsf-schema

## v1.2.0

[v1.2.0] - April 23rd, 2024

### Added

- Categories
  - n/a
- Event Classes
  - Added `Data Security Finding` event class. #953
  - Added `File Query` event class. #967
  - Added `Folder Query` event class. #967
  - Added `Group Query` event class. #967
  - Added `Job Query` event class. #967
  - Added `Kernel Object Query` event class. #967
  - Added `Module Query` event class. #967
  - Added `Network Connection Query` event class. #967
  - Added `Networks Query` event class. #967
  - Added `Peripheral Device Query` event class. #967
  - Added `Prefetch Query` event class. #967
  - Added `Process Query` event class. #967
  - Added `Registry Key Query` event class. #967
  - Added `Registry Value Query` event class. #967
  - Added `Service Query` event class. #967
  - Added `Session Query` event class. #967
  - Added `User Query` event class. #967
  - Added `Tunnel Activity` event class. #1012
- Profiles
  - Added `data_classification` profile. #998
- Objects
  - Observables
    - Added `port_t`, `subnet_t`, `cmd_line`, `country`, `pid`, `cwe.uid`, `cve.uid`, `user_agent` enum items. #1035
- Platform Extensions
  - n/a
### Improved

- Categories
  - n/a
- Event Classes
  - Added `auth_factors` array to Authentication event class. #949
  - Modified all classes such that primary attributes are at least recommended. #974
  - Added `src_endpoint`, `http_request` attributes to all IAM category classes. #976
  - Added `autonomous_system` to `network_endpoint` objects. #978
  - Added `List`, `Encrypt` and `Decrypt` activities to `datastore` event class. #989
  - Added `file` attribute to `http`, `rdp`, `ssh`, and `ftp` event classes. #985
  - Added a `Preauth` `activity_id` to the `Authentication` class. #1018
  - Added the `Security Control` profile to the `Datastore Activity` class. #1030
  - Added `risk_details` to Detection Finding. #1032
- Profiles
  - n/a
- Objects
  - Expanded `type_id` enum in `analytic` object to account for more use-cases: #953
    - 5 - Fingerprinting
    - 6 - Tagging
    - 7 - Keyword Match
    - 8 - Regular Expressions
    - 9 - Exact Data Match
    - 10 - Partial Data Match
    - 11 - Indexed Data Match
  - Added `lat`, `long`, `geohash` attributes to `location` object. #971
  - Added `risk_score`, `risk_level_id`, `risk_level` to `user` object. Issue #972.
  - Added `app_name`, `app_uid` to `actor` object. Issue #966, PR #979.
  - Added `container`, `database`, `databucket` to the `evidences` object. #984
  - Added `owner` to `endpoint` object. #987
  - Added `is_applied` Boolean attribute to `policy` object. #987
  - Added `agent_list` as an array of `agent` objects. #987
  - Added `policies` object as an array of `policy` objects. #987
  - Added `agent_list` to `endpoint` object. #987
  - Added `labels` to the `Account` object. #1028
  - Added `data_classification` profile to `database`, `databucket`, `email`, `file`, `metadata`, `product`, `resource_details` and `web_resource` objects. #998
- Platform Extensions
  - n/a
### Bugfixes

- Changed datatype of `priority` attribute, from `integer_t` to `string_t`. #959
- Extended `email_t` regexp to allow characters from RFC5322 before @.
- Updated `logon_type_id` enum to include `0` as `Unknown`. Added enum item `1` as `System`. #1055

### Deprecated

- Deprecated `coordinates` attribute in favor of specific `lat`, `long` attributes. #971
- Deprecated `invoked_by` attribute in the `Actor` object in favor of `app_name`. #979

### Breaking changes

n/a
### Misc

- New Extension registration for Sedara. #951
- Corrected punctuation for the `transmit_time` attribute. #1001
- New ways to define observables in the metaschema. #982 and #993
  - (Current) Dictionary types using the `observable` property in dictionary types. This allows defining all occurrences of attributes of this type as an observable.
  - (Current) Objects using a top-level `observable` property. This allows defining all occurrences of attributes whose type is this object as an observable.
  - (New) Dictionary attributes using the `observable` property in the attribute. This allows defining all occurrences of this attribute as an observable.
  - (New) Object-specific attributes using the `observable` property in the object's attributes. This allows defining object attributes as observables only within instances of this specific object.
  - (New) Event class-specific attributes using the `observable` property in the class's attributes. This allows defining class attributes as observables only within instances of this specific class.
  - (New) Event class-specific attribute paths using a top-level `observables` property. The `observables` property holds an object mapping from a dotted attribute path to an observable `type_id`. This allows defining an observable only within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient than defining a class attribute observable for classes that extend another but don't otherwise change an attribute definition.
- Metaschema improvements. #993
  - Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: an invalid `observable` property in event classes, and an invalid `observables` property in objects.
  - Remove the hard-coded list of categories from `metaschema/categories.schema.json`, leaving this to the `ocsf-validator`. This change makes testing with alternate schemas that may add extra categories easier, as well as making it possible to validate private extensions that contain new categories.
- Metaschema error reporting #1027
  - Updated the definition of `object` and `event` so that metaschema errors reported by the validator with nested properties correctly attribute the error to the property with the error, rather than the top-level class.
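The class-level `observables` mapping described in the Misc notes above (a dotted attribute path mapped to an observable `type_id`) has to be resolved against event instances whose attributes may sit inside nested objects and arrays. The resolver below is an added example, not code from the OCSF project; the class mapping, the event, the emitted observable shape (`name`, `type_id`, `value`) and the numeric `type_id` values are constructed placeholders for the illustration.

```python
"""Resolve a class-level ``observables`` mapping (dotted attribute path ->
observable type_id) against an OCSF-style event instance.

Added example, not code from the OCSF project. The class mapping, the event,
the output shape and the numeric type_id values are constructed for the
illustration.
"""
from typing import Any, Dict, Iterator, List

# Constructed class-level mapping in the shape the release note describes:
# a dotted attribute path (which may cross nested objects and arrays) mapped
# to an observable type_id. The numeric values are placeholders.
SAMPLE_CLASS_OBSERVABLES: Dict[str, int] = {
    "src_endpoint.ip": 2,                  # placeholder: IP address
    "http_request.url.hostname": 1,        # placeholder: hostname
    "actor.process.file.hashes.value": 8,  # placeholder: hash; crosses an array
}

# Constructed event instance with nested objects and an array of hash objects.
SAMPLE_EVENT: Dict[str, Any] = {
    "src_endpoint": {"ip": "10.0.0.5", "port": 51234},
    "http_request": {"url": {"hostname": "example.test", "path": "/login"}},
    "actor": {
        "process": {
            "file": {
                "name": "updater.exe",
                "hashes": [
                    {"algorithm_id": 1, "value": "aaaa0000"},
                    {"algorithm_id": 3, "value": "bbbb1111"},
                ],
            }
        }
    },
}


def _walk(value: Any, parts: List[str]) -> Iterator[Any]:
    """Yield every value reachable by following ``parts`` from ``value``.

    Lists are traversed element-wise, so a single dotted path can resolve to
    several values when it passes through an array. A missing attribute
    yields nothing: an optional attribute simply produces no observable.
    """
    if isinstance(value, list):
        for item in value:
            yield from _walk(item, parts)
        return
    if not parts:
        yield value
        return
    if isinstance(value, dict) and parts[0] in value:
        yield from _walk(value[parts[0]], parts[1:])


def extract_observables(
    event: Dict[str, Any], class_observables: Dict[str, int]
) -> List[Dict[str, Any]]:
    """Build the event's observables array from the class's path mapping.

    Only paths listed for this class are considered, so the same attribute in
    an event of another class (with a different mapping) is not an observable.
    Only scalar leaves are emitted; a path that stops at an object, or that is
    absent from the event, contributes nothing.
    """
    found: List[Dict[str, Any]] = []
    for path, type_id in class_observables.items():
        for leaf in _walk(event, path.split(".")):
            if leaf is None or isinstance(leaf, (dict, list)):
                continue
            found.append({"name": path, "type_id": type_id, "value": str(leaf)})
    return found


if __name__ == "__main__":
    for observable in extract_observables(SAMPLE_EVENT, SAMPLE_CLASS_OBSERVABLES):
        print(observable)
```

Running the block yields four observables from three paths: the hash path passes through the `hashes` array, so it produces one entry per element. A path that is present in the event but not in the class mapping (for example `src_endpoint.port` here) is never emitted, which is the "only within instances of this specific class" behaviour the note describes.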
## OCSF Schema Release v1.1.0

[v1.1.0] - January 25th, 2024

### Added

- Categories
  - n/a
- Event Classes
  - Added `User Inventory Info` event class. #667
  - Added `Vulnerability Finding` event class. #698
  - Added `NTP Activity` event class. #705
  - Added `OS Patch State` event class. #746
  - Added `Datastore Activity` event class 6005. #874
  - Added `Detection Finding` event class. #877
  - Added `Incident Finding` event class. #903
  - Added `Device Config State Change` event class. #914
  - Added `Scan Activity` event class. #915
  - Added `File Hosting Activity` event class. #917
- Profiles
- Objects
### Improved

- Categories
- Event Classes
  - Added `MFA Enable` and `Disable` to `activity_id` of the Account Change event class. #724
  - Added `Service Ticket Renew` to `activity_id` of the Authentication event class. #765
  - Added `url` attribute to Network Activity event class. #857
  - Added `http_request`, `http_response`, `tls` attributes and the `network_proxy` profile to Web Resources Activity event class. #895
  - Adjusted requirement of `dst_endpoint` from `required` to `recommended` in the DNS Activity event class. #901
  - Added `Create` and `Delete` to `activity_id` of the Group Management event class. #929
- Profiles
- Objects
  - Added `url_string` attribute to the `product` and the `web_resource` objects. #675
  - Added `type` and `type_id` attributes to the `endpoint` object. #690
  - Added `cwe`, `desc`, `references` and `title` to `cve` object. #698
  - Added `affected_package` object and `affected_packages` attribute to `vulnerability` object. #698
  - Added `purl` to `package` object. #698
  - Added `cpe_name` attribute to the `product` and `os` objects. #713 #731
  - Added `container` and `data` to `response` and `request` objects. #738
  - Added `group` to the `api` object. #738
  - Added `namespace` to the `resource_details` object. #738
  - Added `log_level` to the `metadata` object. #738
  - Added `length` to the `http_request` object. #768
  - Added `is_exploit_available` to the `vulnerability` object. #777
  - Added `domain` attribute to the `group` object. #871
  - Adjusted attribute requirements in `dns_query`, `dns_answer` objects. #879
  - Added firewall, router, switch, hub to endpoint `type_id` enum. #921
  - Added `is_vpn` to the `session` object. #922
  - Added `state` to `network_connection_info` object. #932
### Bugfixes

n/a

### Deprecated

- Deprecated `cwe_uid` and `cwe_url` attributes and removed them from `cve` object. #678
- Deprecated `http_status` attribute from `HTTP Activity` event, to be replaced by `http_response.code`. #767
- Deprecated `finding` object in favor of `finding_info` object. #769
- Deprecated `proxy` attribute from the dictionary, in favor of `Network Proxy` profile. #856
- Deprecated `group_name` attribute. #873
- Deprecated `Security Finding` class, to be replaced by the new specific classes according to the use-case: `Vulnerability Finding`, `Compliance Finding`, `Detection Finding`, `Incident Finding`. #877
- Deprecated `Web Resources Access Activity` event class. #890
- Deprecated `Network File Activity` event class in favor of `File Hosting Activity`. #917
- Deprecated `extension_list` in TLS object in favor of `tls_extension_list`. #936

### Breaking changes

n/a

### Misc

- New Extension registration for SentinelOne. #706
- Added json-schema based metaschema validation to ensure correctness and consistency of the JSON definitions. #736 #830 #867 #892
- Increased `max_len` for `subnet_t` type from `40` to `42`. #745
- Improved the regex for `ip_t` type. #745
- Updated the `datetime_t` validation regex to enable validation of timestamps, and to ensure that timestamps not matching `RFC-3339` are not considered valid. #753
- Added version information to the native extensions. #881
- Updated caption and description of Observable type `File Hash` to read `Hash`. #900
- New Extension registration for DataBee. #912
- Changed data-type of `type_uid` to `long_t` from `int_t`. #928
## OCSF Schema Release v1.0.0

The OCSF Schema Release v1.0.0!

Note: New release package was cut from the v1.0.0 branch. See Issue #793 for details.

## OCSF Schema Release Candidate 3 (v1.0.0-rc.3)

The OCSF Schema Release Candidate 3 (v1.0.0-rc.3) contains many updates and additions, and the release is not backwards compatible with the OCSF Schema Release Candidate 2 (v1.0.0-rc.2).

## OCSF Schema Release Candidate 2

The same release as 0.99.2.rc2, no schema changes. Using a new version name and tag: v1.0.0-rc.2.

## OCSF Schema Release Candidate 2

Add session to process object and authentication and authorization classes.
Some updates in descriptions.

## OCSF Schema Release Candidate 1

Merge pull request #464 from splunk/main Email and some final schema updates

## The first alpha release

This is an alpha release v0.39.0.