Updated event classes, added missing categories. (ocsf#1163)
#### Related Issue: 
 ocsf#1162
#### Description of changes:
Updated event classes, added missing categories. 
It is not a critical problem, since all events that were missing a
category were extending a higher-level event. All higher-level events have
categories specified. This update is for consistency.
irakledibm authored Aug 23, 2024
1 parent d90dcfc commit eff55eb
Showing 16 changed files with 6 additions and 16 deletions.
2 changes: 1 addition & 1 deletion .vscode/settings.json
@@ -43,4 +43,4 @@
"url": "./metaschema/profile.schema.json"
}
]
}
}
1 change: 0 additions & 1 deletion events/application/file_hosting.json
@@ -1,7 +1,6 @@
{
"caption": "File Hosting Activity",
"description": "File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive.",
"category": "application",
"extends": "application",
"name": "file_hosting",
"uid": 6,
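Review bot: The description says missing categories were added, but this section is counted as 0 additions and 1 deletion and its hunk shrinks from 7 lines to 6, so the new side of `file_hosting.json` loses a line rather than gaining one. The rendering has dropped the `+`/`-` markers, so the removed line cannot be confirmed from the page, though `"category": "application",` is the likely one. If so, the class's category now comes only from `"extends": "application"`, and a consumer that reads the class file without resolving inheritance would see no category for these events. I would either keep the explicit `"category"` key or say in the description that it is intentionally inherited, and confirm that the compiled schema still reports the same category for each class. The same applies to the other one-deletion sections: `web_resource_access_activity.json`, `compliance_finding.json`, `data_security_finding.json`, `detection_finding.json`, `dhcp.json`, `file_activity.json`, `http.json`, `network_activity.json` and `tunnel_activity.json`.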
2 changes: 1 addition & 1 deletion events/application/scan_activity.json
@@ -1,8 +1,8 @@
{
"caption": "Scan Activity",
"category": "application",
"description": "Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.",
"extends": "base_event",
"category": "application",
"name": "scan_activity",
"profiles": [
"host"
1 change: 0 additions & 1 deletion events/application/web_resource_access_activity.json
@@ -1,6 +1,5 @@
{
"caption": "Web Resource Access Activity",
"category": "application",
"description": "Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.",
"extends": "application",
"name": "web_resource_access_activity",
2 changes: 1 addition & 1 deletion events/application/web_resources_activity.json
@@ -2,9 +2,9 @@
"uid": 1,
"description": "Web Resources Activity events describe actions executed on a set of Web Resources.",
"extends": "base_event",
"category": "application",
"caption": "Web Resources Activity",
"name": "web_resources_activity",
"category": "application",
"profiles": [
"host",
"network_proxy",
2 changes: 1 addition & 1 deletion events/discovery/discovery_result.json
@@ -1,8 +1,8 @@
{
"caption": "Discovery Result",
"category": "discovery",
"name": "discovery_result",
"extends": "base_event",
"category": "discovery",
"description": "Discovery Result events report the results of a discovery request.",
"profiles": [
"host"
1 change: 0 additions & 1 deletion events/findings/compliance_finding.json
@@ -1,7 +1,6 @@
{
"uid": 3,
"caption": "Compliance Finding",
"category": "findings",
"description": "Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as <code>NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001</code> etc.",
"extends": "finding",
"name": "compliance_finding",
1 change: 0 additions & 1 deletion events/findings/data_security_finding.json
@@ -1,7 +1,6 @@
{
"uid": 6,
"caption": "Data Security Finding",
"category": "findings",
"description":"A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data.",
"extends": "finding",
"name": "data_security_finding",
1 change: 0 additions & 1 deletion events/findings/detection_finding.json
@@ -1,7 +1,6 @@
{
"uid": 4,
"caption": "Detection Finding",
"category": "findings",
"description": "A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the product is a security control, the <code>security_control</code> profile should be applied and its <code>attacks</code> information should be duplicated into the <code>finding_info</code> object.",
"extends": "finding",
"name": "detection_finding",
2 changes: 1 addition & 1 deletion events/findings/incident_finding.json
@@ -1,9 +1,9 @@
{
"uid": 5,
"caption": "Incident Finding",
"category": "findings",
"description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.",
"extends": "base_event",
"category": "findings",
"name": "incident_finding",
"attributes": {
"activity_id": {
2 changes: 1 addition & 1 deletion events/findings/security_finding.json
@@ -4,9 +4,9 @@
"since": "1.1.0"
},
"caption": "Security Finding",
"category": "findings",
"description": "Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products",
"extends": "base_event",
"category": "findings",
"name": "security_finding",
"uid": 1,
"attributes": {
1 change: 0 additions & 1 deletion events/network/dhcp.json
@@ -1,6 +1,5 @@
{
"caption": "DHCP Activity",
"category": "network",
"description": "DHCP Activity events report MAC to IP assignment via DHCP from a client or server.",
"extends": "network",
"name": "dhcp_activity",
1 change: 0 additions & 1 deletion events/network/file_activity.json
@@ -5,7 +5,6 @@
},
"caption": "Network File Activity",
"description": "Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.",
"category": "network",
"extends": "network",
"name": "network_file_activity",
"uid": 10,
1 change: 0 additions & 1 deletion events/network/http.json
@@ -1,6 +1,5 @@
{
"caption": "HTTP Activity",
"category": "network",
"description": "HTTP Activity events report HTTP connection and traffic information.",
"extends": "network",
"name": "http_activity",
1 change: 0 additions & 1 deletion events/network/network_activity.json
@@ -1,6 +1,5 @@
{
"caption": "Network Activity",
"category": "network",
"description": "Network Activity events report network connection and traffic activity.",
"extends": "network",
"name": "network_activity",
1 change: 0 additions & 1 deletion events/network/tunnel_activity.json
@@ -1,6 +1,5 @@
{
"caption": "Tunnel Activity",
"category": "network",
"description": "Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.",
"extends": "network",
"name": "tunnel_activity",
