Merge pull request ocsf#980 from shellcromancer/main

feat: add autonomous_system object to network_endpoint

CHANGELOG.md

@@ -21,8 +21,7 @@ Thankyou! -->
 * #### Objects
     1. Added `auth_factor` object. #949
     2. Added `data_security` object. #953
-* #### Attributes
-    1. Added `app_uid` attribute, Issue #966, PR #979
+    3. Added `autonomous_system` object. #978
 * #### Platform Extensions
 
 ### Improved
@@ -31,6 +30,7 @@ Thankyou! -->
     1. Added `auth_factors` array to Authentication event class. #949
     2. Modified all classes such that primary attributes are at least recommended. #974
     3. Added `src_endpoint`, `http_request` attributes to all IAM category classes. #976
+    4. Added `autonomous_system` to `network_endpoint` objects. #978
 * #### Profiles
 * #### Objects 
     1. Expanded `type_id` enum in `analytic` object to account for more use-cases: #953

dictionary.json

@@ -74,7 +74,7 @@
     "action": {
       "caption": "Action",
       "description": "The normalized caption of 'action_id' or the source specific action.",
-      "type": "string_t" 
+      "type": "string_t"
     },
     "action_id": {
       "caption": "Action ID",
@@ -293,6 +293,11 @@
       "is_array": true,
       "type": "authorization"
     },
+    "autonomous_system": {
+      "caption": "Autonomous System",
+      "description": "The Autonomous System details associated with an IP address.",
+      "type": "autonomous_system"
+    },
     "autoscale_uid": {
       "caption": "Autoscale UID",
       "description": "The unique identifier of the cloud autoscale configuration.",
@@ -1210,21 +1215,21 @@
       "type": "databucket"
     },
     "data_type": {
-      "caption":"Data Type",
-      "description":"The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.",
+      "caption": "Data Type",
+      "description": "The name of the data classification category that data matched into, e.g. Financial, Personal, Governmental, etc.",
       "type": "string_t"
     },
     "data_type_id": {
-      "caption":"Data Type ID",
+      "caption": "Data Type ID",
       "description": "The category or type of sensitive data as assessed or scanned by a data security tool (e.g., Personal, Govermental, Financial).",
       "enum": {
         "0": {
           "caption": "Unknown",
-          "description":"The type is not mapped. See the <code>data_type</code> attribute, which contains a data source specific value."
+          "description": "The type is not mapped. See the <code>data_type</code> attribute, which contains a data source specific value."
         },
         "1": {
           "caption": "Personal",
-          "description":"Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc."
+          "description": "Any Personally Identifiable Information (PII), Electronic Personal Health Information (ePHI), or similarly personal information. E.g., full name, home address, date of birth, etc."
         },
         "2": {
           "caption": "Governmental",
@@ -1255,8 +1260,8 @@
       "type": "integer_t"
     },
     "data_lifecycle_state": {
-      "caption":"Data Lifecycle State",
-      "description":"The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.",
+      "caption": "Data Lifecycle State",
+      "description": "The name of the stage or state that the data was in. E.g., Data-at-Rest, Data-in-Transit, etc.",
       "type": "string_t"
     },
     "data_lifecycle_state_id": {
@@ -1265,7 +1270,7 @@
       "enum": {
         "0": {
           "caption": "Unknown",
-          "description":"The type is not mapped. See the <code>data_lifecycle_state</code> attribute, which contains a data source specific value."
+          "description": "The type is not mapped. See the <code>data_lifecycle_state</code> attribute, which contains a data source specific value."
         },
         "1": {
           "caption": "Data at-Rest",
@@ -1351,13 +1356,13 @@
       "type": "string_t"
     },
     "detection_pattern": {
-      "caption":"Detection Pattern",
-      "description":"Specific pattern, algorithm, fingerpint, or model used for detection.",
+      "caption": "Detection Pattern",
+      "description": "Specific pattern, algorithm, fingerpint, or model used for detection.",
       "type": "string_t"
     },
     "detection_system": {
-      "caption":"Detection System",
-      "description":"The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.",
+      "caption": "Detection System",
+      "description": "The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.",
       "type": "string_t"
     },
     "detection_system_id": {
@@ -1366,7 +1371,7 @@
       "enum": {
         "0": {
           "caption": "Unknown",
-          "description":"The type is not mapped. See the <code>detection_system</code> attribute, which contains a data source specific value."
+          "description": "The type is not mapped. See the <code>detection_system</code> attribute, which contains a data source specific value."
         },
         "1": {
           "caption": "Endpoint",
@@ -2144,7 +2149,7 @@
       "description": "The indication of whether the value is from a default value name. For example, the value name could be missing.",
       "type": "boolean_t"
     },
-    "is_exploit_available":{
+    "is_exploit_available": {
       "caption": "Exploit Availability",
       "description": "Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.",
       "type": "boolean_t"
@@ -2676,6 +2681,11 @@
       "description": "The number of times the policy or rule was violated.",
       "type": "integer_t"
     },
+    "number": {
+      "caption": "Number",
+      "description": "The number of the entity. See specific usage.",
+      "type": "integer_t"
+    },
     "observables": {
       "caption": "Observables",
       "description": "The observables associated with the event or a finding.",
@@ -2843,8 +2853,8 @@
       "type": "string_t"
     },
     "pattern_match": {
-      "caption":"Pattern Match",
-      "description":"A text, binary, file name, or datastore that matched against a detection rule.",
+      "caption": "Pattern Match",
+      "description": "A text, binary, file name, or datastore that matched against a detection rule.",
       "type": "string_t"
     },
     "percentile": {
@@ -2912,9 +2922,9 @@
       "sibling": "phase"
     },
     "phone_number": {
-        "caption": "Phone Number",
-        "description": "The number associated with the phone.",
-        "type": "string_t"
+      "caption": "Phone Number",
+      "description": "The number associated with the phone.",
+      "type": "string_t"
     },
     "phones": {
       "caption": "Phones",
@@ -2965,7 +2975,7 @@
     "precision": {
       "caption": "Precision",
       "description": "The numeric precision. See specific usage.",
-      "type":  "integer_t"
+      "type": "integer_t"
     },
     "prev_security_level": {
       "caption": "Previous Security Level",
@@ -3117,7 +3127,7 @@
       "description": "The proxy (server) in a network connection.",
       "type": "network_proxy"
     },
-    "purl":{
+    "purl": {
       "caption": "Package URL",
       "description": "A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.",
       "type": "string_t"
@@ -3534,10 +3544,10 @@
       "type": "string_t"
     },
     "security_questions": {
-        "caption": "Security Questions",
-        "description": "The question(s) provided to user for a question-based authentication factor.",
-        "is_array": true,
-        "type": "string_t"
+      "caption": "Security Questions",
+      "description": "The question(s) provided to user for a question-based authentication factor.",
+      "is_array": true,
+      "type": "string_t"
     },
     "sequence": {
       "caption": "Sequence Number",
@@ -3706,7 +3716,7 @@
       "description": "The URL pointing towards the source of an entity. See specific usage.",
       "type": "url_t"
     },
-    "standards":{
+    "standards": {
       "caption": "Security Standards",
       "description": "Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. <code>NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001</code>",
       "is_array": true,
@@ -3796,7 +3806,7 @@
       "enum": {
         "0": {
           "caption": "Unknown",
-          "description":  "Unspecified or invalid."
+          "description": "Unspecified or invalid."
         },
         "1": {
           "caption": "Primary Server",
@@ -4151,8 +4161,8 @@
           "description": "The incident is a duplicate."
         },
         "99": {
-        "caption": "Other",
-        "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
+          "caption": "Other",
+          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
         }
       },
       "sibling": "verdict",
@@ -4367,7 +4377,7 @@
       },
       "subnet_t": {
         "caption": "Subnet",
-      "description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. <div>For example:<ul><li>192.168.1.0/24</li><li>2001:0db8:85a3:0000::/64</li></ul></div>",
+        "description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. <div>For example:<ul><li>192.168.1.0/24</li><li>2001:0db8:85a3:0000::/64</li></ul></div>",
         "max_len": 42,
         "type": "string_t",
         "type_name": "String"

objects/autonomous_system.json

@@ -0,0 +1,25 @@
+{
+  "caption": "Autonomous System",
+  "description": "An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.",
+  "extends": "object",
+  "name": "autonomous_system",
+  "attributes": {
+    "number": {
+      "description": "Unique number that the AS is identified by.",
+      "requirement": "recommended",
+      "group": "context",
+      "type": "integer_t"
+    },
+    "name": {
+      "description": "Organization name for the Autonomous System.",
+      "requirement": "recommended",
+      "group": "context"
+    }
+  },
+  "constraints": {
+    "at_least_one": [
+      "number",
+      "name"
+    ]
+  }
+}

objects/network_endpoint.json

@@ -4,6 +4,9 @@
   "extends": "endpoint",
   "name": "network_endpoint",
   "attributes": {
+    "autonomous_system": {
+      "requirement": "optional"
+    },
     "intermediate_ips": {
       "requirement": "optional"
     },