All notable changes to this project will be documented in this file. [Unreleased]
section at the top, will be used to track upcoming changes.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
-
- Added new
Unmanned Systems
Category. #1169
- Added new
-
- Added
OSINT Inventory Info
event class to the Discovery category. #1154 - Added
Script Activity
event class to the System category. #1159 - Added
Startup Item Query
event class. #1119 - Added
Drone Flights Activity
event class to the Unmanned Systems category. #1169 - Added
Cloud Resources Inventory Info
event class to the Discovery category. #1250
- Added
-
- Added
has_mfa
as aboolean_t
. #1155 - Added
environment_variables
as an array ofenvironment_variable
object. #1172 - Added
forward_addr
as anemail_t
. #1179 - Added
related_cves
,related_cwes
as arrays ofcve
,cwe
objects respectively. #1176 - Added
exploit_last_seen_time
as atimestamp_t
. #1176 - Added
is_alert
as aboolean_t
, #1179 - Added
working_directory
as astring_t
. #1195 - Added
is_deleted
aboolean_t
. #1196 - Added
body_length
as aninteger_t
#1200 - Added
is_public
as aboolean_t
#1208 - Added
tags
,control_parameters
as an array ofkey_value_object
object. #1219 - Added
community_uid
as astring_t
. #1202 - Added
location
to themanaged_entity
object. #1169 - Added
unmanned_system_operator
to the dictionary, extendsuser
. #1169 - Added
locations
to the dictionary, an array type of thelocation
object, used within the newoperating_area
object. #1169 - Added
altitude_ceiling
,altitude_floor
,geodetic_altitude
,aerial_height
,horizontal_accuracy
,pressure_altitude
,radius
,speed
,track_direction
, andvertical_speed
all to supportoperating_area
andunmanned_aerial_system
objects. #1169 - Added
variable_name
andvariable_value
aslong_string
. #1228 - Added
imei_list
as an arraystring_t
. #1225 - Added
is_encrypted
asboolean_t
;column_name
,cell_name
,storage_class
,key_uid
,json_path
asstring_t
&column_number
,row_number
,page_number
,record_index_in_array
asinteger_t
. #1245 - Added
group_provisioning_enabled
,scim_group_schema
,user_provisioning_enabled
,scim_user_schema
,scopes
,idle_timeout
,login_endpoint
,logout_endpoint
, andmetadata_url
entries to the dictionary to support the newscim
andsso
objects. #1239 - Added new
11: Basic Authentication
enum value toauth_protocol_id
. #1239 - Added
values
as an array ofstring_t
. #1251 - Added
kernel_release
as astring_t
. #1249
- Added
-
- Added
environment_variable
object. #1172 - Added
advisory
object. #1176 - Added a generic
key_value_object
object. #1219 - Added
unmanned_aerial_system
andunmanned_system_operating_area
objects. #1169 - Added a
long_string
object. #1228 - Added
discovery_details
,encryption_details
,occurrence_details
objects. #1245 - Added
scim
object. #1239 - Added
sso
object. #1239 - Added
vendor_attributes
object. #1257
- Added
-
- Added
evidences
tocompliance_finding
class. #1157 - Added
is_alert
todetection_finding
anddata_security_finding
classes. #1178 - Added
risk_details
todata_security_finding
class. #1178 - Removed constraint from
group_management
class. #1193 - Added
Archived|5
as an enum item tostatus_id
attribute in Findings classes. #1219 - Added a
Trace
,activity_id
to theEmail Activity
class. #1252 - Added
vendor_attributes
to allFindings
Category classes. #1257
- Added
-
- Added
is_alert
,confidence_id
,confidence
,confidence_score
attributes to thesecurity_control
profile. #1178 - Added
risk_level_id
,risk_level
,risk_score
,risk_details
attributes to thesecurity_control
profile. #1178 - Added
policy
attribute to thesecurity_control
profile. #1178
- Added
-
- Added
phone_number
touser
andldap_person
objects. #1155 - Added
has_mfa
touser
object. #1155 - Added
vendor_name
tocvss
object. #1165 - Added
file
,reputation
,subnet
, andscript
toosint
object. #1168 - Added
environment_variables
attribute to theprocess
object. #1172 - Added
forward_addr
to theuser
object. #1179 - Added
src_url
to thecvss
object. #1176 - Added
advisory
,exploit_last_seen_time
to thevulnerability
object. #1176 - Added
related_cwes
to thecve
object. #1176 - Added
vendor_name
andmodel
todevice
object. - Added
http_headers
toemail
object. #1199 - Added
working_directory
toprocess
object. #1195 - Added
is_deleted
tofile
object. #1196 - Added entry for VBA macros to
type_id
enum inscript
object. #1198 - Added
body_length
to thehttp_response
andhttp_request
objects. #1200 - Added
is_public
to thedatabucket
object. #1208 - Added
tags
to theaccount
,container
,image
,ldap_person
,metadata
,resource_details
,service
,web_resource
objects. #1207 - Added
domain
as a constraint tonetwork_endpoint
object. #1224 - Added
http_request
andhttp_response
to the evidences object. #1212 - Added
control_parameters
andstatus_details
to the compliance object. #1219 - Added
geodetic_altitude
,height
,horizontal_accuracy
, andpressure_altitude
tolocation
. #1169 - Added
location
tomanaged_entity
. #1169 - Added
imei_list
to thedevice
object. #1225 - Added
storage_class
&is_public
ascloud
profile attributes tofile
object. Also addedis_encrypted
,encryption_details
,tags
to thefile
object. #1245 - Added
discovery_details
,occurrence_details
,status
trio,total
,uid
,size
, &src_url
to thedata_classification
object. #1245 data_bucket
object now inheritsresource_details
instead of_entity
. Also, addedencryption_details
object to thedata_bucket
object. #1245- Added
auth_factors
,domain
,fingerprint
,has_mfa
,issuer
,protocol_name
,scim
,sso
,state
,state_id
,tenant_uid
, anduid
toidp
. #1239 - Added
hostname
,ip
, andname
toresource_details
for purposes of assigning an Observable number. #1250 - Added
values
tokey_value_object
. #1251 - Added
kernel_release
toos
object. #1249
- Added
- Added sibling definition to
confidence_id
in dictionary, accurately associatingconfidence
as its sibling. #1180 - Added a fix (profile: null) to
OSINT Inventory Info
so that theosint
attribute is present w/o the OSINT profile, per the class definition. - Added http_response to all classes that have http_request, but no http_response object. #1200
- Removed redundant
name
attribute from Windows extension to thestartup_item
object for consistency with other extensions. #1203
- Deprecated
project_uid
in favor ofaccount.uid
. #1166 - Deprecated
kb_article_list
in favor ofadvisory
in the vulnerability object. #1176 - Deprecated
cwe
in favor ofrelated_cwes
in thecve
object. #1176 - Deprecated
tag
in favor oflabels
ortags
inimage
&container
object. #1207 - Deprecated
status_detail
in favor ofstatus_details
in `compliance object. #1219 - Deprecated
imei
in favor ofimei_list
indevice
object. #1225 - Deprecated
data_classification
in favor ofdata_classifications
in thedata_classification
profile. #1245 - Deprecated activity_id
4|Suppressed
in the Data Security Finding event class. This shouldn't have been added when we first created it, as the right place for this info isstatus_id
. #1245
- Added
user.uid
as an Observable type -type_id: 31
. #1155 - Added
group.name
andgroup.uid
as Observable types -type_id: 32
andtype_id: 33
, respectively. #1155 - Added
account.name
andaccount.uid
as Observable types -type_id: 34
andtype_id: 35
, respectively. #1155 - Added new enumeration items to
account.type_id
. #1166 - Cleaned up event class definition files, removed /includes dir, simplified definition of
base_event
. #1167, #1171 - Added new
file
enum toosint.type_id
. #1168 - Relaxed data-type constraints for
file_hash_t
,resource_uid_t
&string_t
. Fixed regex fordatetime_t
. #1174 - Added new
Email Account
enum toaccount.type_id
. #1179 - Removing regex for
hostname_t
, considering the vast variance in its values. #1182 - In the metaschema, added support for additional metadata fields:
source
andreferences
. #1189 #1237- The
source
attribute is a string for describing the location where an attribute's value comes from. - The
references
attribute is a list objects withurl
anddescription
fields. These are intended to for reference to external resources. Theurl
anddescription
attributes are used to construct anchor (a
) tags with theurl
used in the anchor'shref
attribute, anddescription
used in the entity portion of the tag. - The
source
field can be used in attributes defined anywhere in the schema, specifically:- Dictionary attributes
- Event class attributes
- Object attributes
- Profile attributes
- Enum values in all places where attributes occur (the 4 cases above)
- The
references
field can also be used in attributes anywhere in the schema, as well as for event classes, objects, and enum values; specifically:- Dictionary attributes
- Event class attributes
- Object attributes
- Profile attributes
- Enum values in all places where attributes occur
- Event classes; top level attribute allowing link(s) about an event class
- Objects; top level attribute allowing link(s) about an object
- The
source
andreferences
attributes are also supported in when extending or patching event classes and objects.
- The
- Fixed minor spelling mistakes in attribute descriptions in
dictionary.json
. #1213 - In the metaschema, added support for
@deprecated
in enum values. #1237 - Fixed some more formatting of attribute descriptions in
dictionary.json
andidp.json
. #1239 - Added
resource_details.name
as an Observable typetype_id: 38
. #1250
-
- Added
Remediation
category. #1066
- Added
-
- Added
Event Log Activity
event class to the System Activity category. #1014 - Added
Remediation Activity
,File Remediation Activity
,Process Remediation Activity
,Network Remediation Activity
event classes to the Remediation category. #1066 - Added
Windows Service Activity
event class to the System Activity category via Windows extension. #1103 - Added
Software Inventory Info
event class to the Discovery category. #1134
- Added
-
- Added
osint
Profile based on theosint
object. #992
- Added
-
- Added
d3fend
,d3f_tactic
,d3f_technique
MITRE objects. #1066 - Added
ja4_fingerprint
object. #834 - Added
ja4_fingerprint_list
as a list ofja4_fingerprint
objects. #834 - Added
ticket
object. #1068 - Added
osint
object. #992 - Added
signatures
object, an array ofsignature
objects. #992 - Added
whois
object. #992 - Added
domain_contact
and array-typeddomain_contacts
object for use withwhois
object. #992 - Added
Windows Service
object to the Windows extension. #1103 - Added
timespan
object. #1125
- Added
- n/a
-
- Added
file_result
to File Hosting Activity. #1045 - Added entries to
injection_type_id
enum (Process Activity
) andactivity_id
enum (Memory Activity
). #1060 - Added a
Restart
,Enable
,Disable
, andUpdate
activity_id
to theApplication Lifecycle
class. #1064 - Added
ja4_fingerprint_list
to base network event class. #834 - Added
ticket
toIncident Finding
event class. #1068 - Added new activities
Enroll
,Activate
,Deactivate
,Suspend
, andResume
to theEntity Management
class. #1095 - Added new activity
Listen
toNetwork Activity
and relax requirement ofsrc_endpoint
. #1147 - Added
state
,state_id
toDevice Config State Change
. #1143 - Added
resources
attribute toVulnerability Finding
andCompliance Finding
. #1150
- Added
- n/a
-
- Added
ext
toFile
object. #1046 - Added
account
,device
,email
,url
,user
toevidences
in detection finding. #1000 - Added
state_id
,state
toDigital Signature
object. #1069 - Added
domain
toUniform Resource Locator
object. #1096 - Added
reg_key
andreg_value
toEvidence Artifacts
object. #1078 - Added
type_id
and associated entity objects toManaged Entity
. #1094 - Added
vendor_name
,type
,type_id
to objectpackage
. #1093 - Added
router
,ids
, andips
entries totype_id
enum in theEndpoint
object. #1121 - Added
job
toEvidence Artifacts
object. #1130 - Added
ip
to objectload_balancer
. #1138 - Added
cpe_name
andhash
toSoftware Package
object. #1142 - Added
avg_timespan
to thekb_article
object. #1125 - Added
created_time
,desc
,short_desc
,reputation
,src_url
toenrichment
object. #1149 - Added
compliance_references
,compliance_standards
to thecompliance
object. #1110
- Added
- Fixed the host profile construction in
patch_state
event class. #1087 - Removed the optional requirement overrides for
name
anduid
in_resource
as they are part of a constraint. #1087 - Fixed declarations of
data_lifecycle_state_id
,integrity
,opcode_id
,risk_level
, andanalytic.type_id
. #1111
- Deprecated
resource
inVulnerability Finding
andCompliance Finding
event classes in favor ofresources
. #1150
n/a
- Colorized validator output #1048
- Updated the GitHub workflow for the
ocsf-validator
to print colorized output.
- Updated the GitHub workflow for the
- Clarify how to reference profiles in metadata #1056
- Updated the description of
metadata.profiles
to clarify the correct way to reference a profile in that list.
- Updated the description of
- Added a
gitignore
file. #1071 - New Extension registration for Cisco #1074
- Cleaned up MITRE trademarks and registrations for captions and descriptions.
- Declared enums in dictionary.json have sane "0" (Unknown) and "99" (Other) declarations and descriptions where appropriate #1111
- Adds support for
suppress_checks
controls in attributes to allow tools to automatically validate conventions #1063- Updated several attributes that do not follow conventions to disable linting for them
- Added
credential_uid
as an Observable type -type_id: 19
. #1137 - New Extension registration for US Gov #1140
- Enum definitions are now refactored such that generic enum descriptions have "See specific usage" in the description #1146
-
n/a
-
- Added
Data Security Finding
event class. #953 - Added
File Query
event class. #967 - Added
Folder Query
event class. #967 - Added
Group Query
event class. #967 - Added
Job Query
event class. #967 - Added
Kernel Object Query
event class. #967 - Added
Module Query
event class. #967 - Added
Network Connection Query
event class. #967 - Added
Networks Query
event class. #967 - Added
Peripheral Device Query
event class. #967 - Added
Prefetch Query
event class. #967 - Added
Process Query
event class. #967 - Added
Registry Key Query
event class. #967 - Added
Registry Value Query
event class. #967 - Added
Service Query
event class. #967 - Added
Session Query
event class. #967 - Added
User Query
event class. #967 - Added
Tunnel Activity
event class. #1012
- Added
-
- Added
data_classification
profile. #998
- Added
-
- Added
auth_factor
object. #949 - Added
data_security
object. #953 - Added
autonomous_system
object. #978 - Added
agent
object. #987 - Added
data_classification
object. #998
- Added
-
- Added
port_t
subnet_t
cmd_line
country
pid
cwe.uid
cve.uid
user_agent
enum items. #1035
- Added
-
n/a
-
- Added
auth_factors
array to Authentication event class. #949 - Modified all classes such that primary attributes are at least recommended. #974
- Added
src_endpoint
,http_request
attributes to all IAM category classes. #976 - Added
autonomous_system
tonetwork_endpoint
objects. #978 - Added
List
,Encrypt
andDecrypt
activities todatastore
event class. #989 - Added
file
attribute tohttp
,rdp
,ssh
, andftp
event classes. #985 - Added a
Preauth
activity_id
to theAuthentication
class. #1018 - Added the
Security Control
profile to theDatastore Activity
class. #1030 - Added
risk_details
to Detection Finding. #1032 - Added
access_mask
to Entity Management class. #1090 - Added
access_list
to Entity Management class. #1090
- Added
-
n/a
-
- Expanded
type_id
enum inanalytic
object to account for more use-cases: #9535 - Fingerprinting
6 - Tagging
7 - Keyword Match
8 - Regular Expressions
9 - Exact Data Match
10 - Partial Data Match
11 - Indexed Data Match
- Added
lat
,long
,geohash
attributes tolocation
object. #971. - Added
risk_score
,risk_level_id
,risk_level
touser
object. Issue #972. - Added
app_name
,app_uid
toactor
object. Issue #966, PR #979. - Added
container
,database
,databucket
to theevidences
object. #984 - Added
owner
toendpoint
object. #987 - Added
is_applied
Boolean attribute topolicy
object. #987 - Added
agent_list
as an array ofagent
objects. #987 - Added
policies
object as an array ofpolicy
objects. #987 - Added
agent_list
toendpoint
object. #987 - Added
labels
to theAccount
object. #1028 - Added
data_classification
profile todatabase
,databucket
,email
,file
,metadata
,product
,resource_details
andweb_resource
objects. #998
- Expanded
-
n/a
- Changed datatype of
priority
attribute, frominteger_t
tostring_t
#959 - Extended
email_t
regexp to allow characters from RFC5322 before @. - Updated
logon_type_id
enum to include0
asUnknown
. Added enum item1
asSystem
. #1055
- Deprecated
coordinates
attribute in favor of specificlat
,long
attributes. #971 - Deprecated
invoked_by
attribute in theActor
object in favor ofapp_name
. #979.
n/a
- New Extension registration for Sedara. #951
- Corrected punctuation for the
transmit_time
attribute. #1001 - New ways to define observables in the metaschema. #982 and #993
- (Current) Dictionary types using
observable
property in dictionary types. This allows defining all occurrences of attributes of this type as an observable. - (Current) Objects using top-level
observable
property. This allows defining all occurrences attributes whose type is this object as an observable. - (New) Dictionary attributes using
observable
property in attribute. This allows defining all occurrences of this attribute as an observable. - (New) Object-specific attributes using
observable
property class's attributes. This allows defining object attributes as observables only within instances of this specific object. - (New) Event class-specific attributes using
observable
property class's attributes. This allows defining class attributes as observables only within instances of this specific class. - (New) Event class-specific attribute paths using top-level
observables
property. Theobservables
property holds an object mapping from an dotted attribute path to an observabletype_id
. This allows defining an observables only within instances of this specific class, and only for the attributes at these paths, even for attributes that are within nested objects and arrays. This can also be used for top-level class attributes, which can be more convenient that defining a class attribute observable for classes that extend another, but don't otherwise change a attribute definition.
- (Current) Dictionary types using
- Metaschema improvements. #993
- Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: invalid
observable
property in event classes, and invalidobservables
property in objects. - Remove hard-coded list of categories from
metaschema/categories.schema.json
, leaving this to theocsf-validator
. This change makes testing with alternate schemas that may add extra categories easier, as well as making it possible to validate private extensions that contain new categories.
- Detect unexpected top-level properties in object and event class definitions. This was added at this point to detect invalid observable definitions: invalid
- Metaschema error reporting #1027
- Updated the definition of
object
andevent
so that metaschema errors reported by the validator with nested properties correctly attribute the error to the property with the error, rather than the top-level class.
- Updated the definition of
-
n/a
-
- Added
User Inventory Info
event class. #667 - Added
Vulnerability Finding
event class. #698 - Added
NTP Activity
event class #705 - Added
OS Patch State
event class. #746 - Added
Datastore Activity
event class 6005. #874 - Added
Detection Finding
event class. #877 - Added
Incident Finding
event class. #903 - Added
Device Config Sate Change
event class. #914 - Added
Scan Activity
event class. #915 - Added
File Hosting Activity
event class. #917
- Added
-
- Added
Network Proxy
Profile for theNetwork Activity
andApplication Activity
classes. #705 - Added
Load Balancer
Profile for the Network Activity classes. #897
- Added
-
- Added new
cwe
object tocve
andvulnerability
objects. #678 - Added Firewall Rule object. #685
- Added new
kb_article
object to house Knowledgebase Article info. #709 #862 #924 - Added new
epss
object to thecve
object. #741
- Added new
-
- Improved Findings Category, with new and domain specific event classes (Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding), description updates across the board. #895 #907 #903 #698 #718
-
- Added
MFA Enable
andDisable
toactivity_id
to the Account Change event class. #724 - Added
Service Ticket Renew
toactivity_id
of the Authentication event class. #765 - Added
url
attribute to Network Activity event class. #857 - Added
http_request
,http_response
,tls
attributes,network_proxy
profile to Web Resources Activity event class. #895 - Adjusted requirement of
dst_endpoint
fromrequired
torecommended
in the DNS Activity event class. #901 - Added
Create
andDelete
toactivity_id
of the Group Management event class. #929
- Added
-
- Improved
security_control
profile to include access control semantics, firewall properties. #851 #888 #889 #906
- Improved
-
- Added
url_string
attribute to theproduct
and theweb_resource
objects. #675 - Added
type
andtype_id
attributes to theendpoint
object. #690 - Added
cwe
,desc
,references
andtitle
tocve
object. #698 - Added
affected_package
object andaffected_packages
attribute tovulnerability
object. #698 - Added
purl
topackage
object. #698 - Added
cpe_name
attribute to theproduct
and os objects. #713 #731 - Added
container
anddata
toresponse
andrequest
objects. #738 - Added
group
to theapi
object. #738 - Added
namespace
to theresource_details
object. #738 - Added
log_level
to themetadata
object. #738 - Added
length
to thehttp_request
object. #768 - Added
is_exploit_available
to thevulnerability
object. #777 - Added
domain
attribute to thegroup
object. #871 - Adjusted attribute requirements in
dns_query
,dns_answer
objects. #879 - Added firewall, router, switch, hub to endpoint
type_id
enum. #921 - Added
is_vpn
to thesession
object. #922 - Added
state
tonetwork_connection_info
object. #932 - Added
community_uid
tonetwork_connection_info
object. #1202
- Added
n/a
- Deprecated
cwe_uid
andcwe_url
attributes and removed fromcve
object. #678 - Deprecated
http_status
attribute fromHTTP Activity
event to be replaced byhttp_response.code
. #767 - Deprecated
finding
object in favor offinding_info
object. #769 - Deprecated
proxy
attribute from the dictionary, in favor ofNetwork Proxy
profile. #856 - Deprecated
group_name
attribute. #873 - Deprecated
Security Finding
class to be replaced by the new specific classes according to the use-case:Vulnerability Finding
,Compliance Finding
,Detection Finding
,Incident Finding
. #877 - Deprecated
Web Resources Access Activity
event class. #890 - Deprecated
Network File Activity
event class in favor ofFile Hosting Activity
#917 - Deprecated
extension_list
in TLS object in favor oftls_extension_list
. #936
n/a
- New Extension registration for SentinelOne. #706
- Added json-schema based metaschema validation to ensure correctness, consistency of the JSON definitions. #736 #830 #867 #892
- Increased
max_len
forsubnet_t
type from40
to42
. #745 - Improved the regex for
ip_t
type. #745 - Updated the
datetime_t
validation regex to enable validation of timestamps, and to ensure that timestamps not matchingRFC-3339
are not considered valid. #753 - Added version information to the native extensions. #881
- Updated caption and description of Observable type -
File Hash
to readHash
. #900 - New Extension registration for DataBee. #912
- Changed data-type of
type_uid
tolong_t
fromint_t
. #928
Initial release of OCSF.