General cleanup of metaschema (ocsf#1167)

#### Related Issue: n/a

#### Description of changes:

1. Sorting all event class definition files, renaming files wherever
necessary (making things consistent with class_name == file_name
convention)
2. Removing includes folder to simplify reference chains in schema
definition files
3. Updating vscode metadata, metaschema files
4. Updating contribution guide to remove references to includes dir

---------

Signed-off-by: Rajas Panat <[email protected]>

.vscode/settings.json

@@ -24,12 +24,6 @@
             ],
             "url": "./metaschema/event.schema.json"
         },
-        {
-            "fileMatch": [
-                "/includes/**/*.json"
-            ],
-            "url": "./metaschema/include.schema.json"
-        },
         {
             "fileMatch": [
                 "/objects/**/*.json"

CHANGELOG.md

@@ -19,13 +19,15 @@ Thankyou! -->
 * #### Profiles
 * #### Objects
 * #### Platform Extensions
+* #### Dictionary Attributes
 
 ### Improved
 * #### Categories
 * #### Event Classes
 * #### Profiles
 * #### Objects
 * #### Platform Extensions
+* #### Dictionary Attributes
 
 ### Bugfixes
 
@@ -43,20 +45,24 @@ Thankyou! -->
 * #### Event Classes
     1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
     2. Added `Script Activity` event class to the System category. #1159
+* #### Dictionary Attributes
+    1. Added `has_mfa` as a `boolean_t`. #1155
 
 ### Improved
 * #### Objects
     1. Added `phone_number` to `user` and `ldap_person` objects. #1155
     2. Added `has_mfa` to `user` object. #1155
     3. Added `vendor_name` to `cvss` object. #1165
 
+### Deprecated
+1. Deprecated `project_uid` in favor of `account.uid`. #1166
+
 ### Misc
 1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
 2. Added `group.name` and `group.uid` as Observable types - `type_id: 32` and `type_id: 33`, respectively. #1155
 3. Added `account.name` and `account.uid` as Observable types - `type_id: 34` and `type_id: 35`, respectively. #1155
-4. Added `has_mfa` boolean_t to Dictionary. #1155
-5. Deprecate `project_uid`. #1166
-6. Added several new enums to `account.type_id`. #1166
+5. Added new enumeration items to `account.type_id`. #1166
+6. Cleaned up event class definition files, removed /includes dir, simplified definition of `base_event`. #1167
 
 ## [v1.3.0] - August 1st, 2024
 

CONTRIBUTING.md

@@ -179,7 +179,6 @@ Choose a **unique** object you want to add, `vulnerability` in the example above
         ```
         "attributes": {
           "$include": [
-            "includes/occurrence.json",
             "profiles/cloud.json"
           ],
           ...
@@ -325,8 +324,7 @@ The extension's directory structure is the same as the top level schema director
 |-------------------|---------------------------------------------------------------------------|
 | `categories.json` | Create it to define new categories. Note, to avoid collisions with the categories defined in the core schema, the category IDs must be greater than or equal to 30. |
 | `dictionary.json` | Create it to define new attributes.                                       |
-| `events`          | Create it to define new event classes.                                    |
-| `includes`        | Create it to define new shared data.                                      |
+| `events`          | Create it to define new event classes.                                    |                                    |
 | `objects`         | Create it to define new objects.                                          |
 | `profiles`        | Create it to define new profiles.                                         |
 

events/application/api.json → events/application/api_activity.json

@@ -1,8 +1,8 @@
 {
     "uid": 3,
+    "caption": "API Activity",
     "description": "API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)",
     "extends": "application",
-    "caption": "API Activity",
     "name": "api_activity",
     "attributes": {
         "activity_id": {
@@ -25,6 +25,10 @@
                 }
             }
         },
+        "actor": {
+            "group": "primary",
+            "requirement": "required"
+        },
         "api": {
             "group": "primary",
             "requirement": "required",
@@ -35,14 +39,10 @@
             "requirement": "recommended"
         },
         "http_request": {
-            "description":"Details about the underlying http request.",
+            "description": "Details about the underlying http request.",
             "group": "primary",
             "requirement": "recommended"
         },
-        "actor": {
-            "group": "primary",
-            "requirement": "required"
-        },
         "resources": {
             "description": "Details about resources that were affected by the activity/event.",
             "group": "primary",
@@ -54,4 +54,4 @@
             "requirement": "required"
         }
     }
-}
+}

events/application/application.json

@@ -1,7 +1,7 @@
 {
   "caption": "Application Activity",
-  "name": "application",
   "category": "application",
   "extends": "base_event",
+  "name": "application",
   "attributes": {}
-}
+}

events/application/application_lifecycle.json

@@ -1,12 +1,9 @@
 {
   "uid": 2,
+  "caption": "Application Lifecycle",
   "description": "Application Lifecycle events report installation, removal, start, stop of an application or service.",
   "extends": "application",
-  "caption": "Application Lifecycle",
   "name": "application_lifecycle",
-  "profiles": [
-    "host"
-  ],
   "attributes": {
     "$include": [
       "profiles/host.json"
@@ -53,5 +50,8 @@
       "group": "primary",
       "requirement": "required"
     }
-  }
-}
+  },
+  "profiles": [
+    "host"
+  ]
+}