
feat(ocsf): adapt models to version 1.3.0 (#123)
MrCloudSec authored Oct 4, 2024
1 parent df90186 commit f840d0f
Showing 9 changed files with 107 additions and 90 deletions.
7 changes: 4 additions & 3 deletions examples/detection_finding.py
Expand Up @@ -150,7 +150,9 @@
name="Account 1", type="Account", type_id="3", uid="123", labels=["Label 1"]
),
zone="Zone 1",
org=Organization(name="Organization 1", ou_id="123", ou_name="OU 1", uid="123"),
org=Organization(
name="Organization 1", ou_uid="123", ou_name="OU 1", uid="123"
),
project_uid="123",
provider="Provider 1",
region="Region 1",
Expand All @@ -177,10 +179,9 @@
size=123,
uid="123",
),
namespace_pid=123,
count=123,
duration=123,
event_time=datetime.now(),
time=datetime.now(),
evidences=[
EvidenceArtifacts(
api=API(
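Review bot: `time=datetime.now()` at the end of the second hunk hands a datetime to a field that this same commit retypes to `time: int` in py_ocsf_models/events/findings/detection_finding.py, so the example will most likely be rejected at validation time rather than coerced. The example should pass an epoch integer and put the datetime into the new `time_dt` field, e.g. `time=int(datetime.now().timestamp() * 1000),` followed by `time_dt=datetime.now(),`; OCSF's `timestamp_t` is milliseconds since the epoch, which is worth confirming against the 1.3.0 schema before settling on the factor. The enclosing `DetectionFinding(...)` call starts and ends outside the hunk.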
2 changes: 1 addition & 1 deletion py_ocsf_models/__init__.py
@@ -1 +1 @@
OCSF_VERSION = "1.2.0"
OCSF_VERSION = "1.3.0"
17 changes: 6 additions & 11 deletions py_ocsf_models/events/findings/detection_finding.py
Expand Up @@ -7,7 +7,6 @@
from py_ocsf_models.events.findings.finding import Finding
from py_ocsf_models.objects.api import API
from py_ocsf_models.objects.cloud import Cloud
from py_ocsf_models.objects.container import Container
from py_ocsf_models.objects.evidence_artifacts import EvidenceArtifacts
from py_ocsf_models.objects.remediation import Remediation
from py_ocsf_models.objects.resource_details import ResourceDetails
Expand Down Expand Up @@ -122,10 +121,10 @@ class DetectionFinding(Finding, BaseModel):
- Class (class_name) [Optional]: The event class name, as defined by class_uid value: Detection Finding.
- Class ID (class_uid): The unique identifier of a class. A Class describes the attributes available in an event.
- Cloud (cloud) [Optional]: Describes details about the Cloud environment where the event was originally created or logged.
- Container (container) [Optional]: Describes the container details.
- Count (count) [Optional]: Number of times similar events occurred within a specified timeframe.
- Duration (duration) [Optional]: Time span of the event, from start to end, in milliseconds.
- Event Time (time) [Required]: The standardized time when the event occurred or the finding was created.
- Event Time (time_dt) [Optional]: The standardized time when the event occurred or the finding was created, in datetime format.
- Evidence Artifacts (evidences) [Optional]: Artifacts related to the security detection activities.
- Impact (impact) [Optional]: The impact, normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.
- Impact Score (impact_score) [Optional]: The impact of the finding, valid range 0-100.
Expand All @@ -135,32 +134,26 @@ class DetectionFinding(Finding, BaseModel):
- Risk Level ID (risk_level_id) [Optional]: The normalized risk level id.
- Risk Score (risk_score) [Optional]: The risk score as reported by the event source.
- Risk Details (risk_details) [Optional]: Additional details about the risk.
- Status ID (status_id) [Optional]: The normalized identifier of the event/finding severity.
- Timezone Offset (timezone_offset) [Optional]: Difference in minutes from UTC.
- Type ID (type_uid): The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.
- Type Name (type_name) [Optional]: The event/finding type name, as defined by the type_uid.
- Vulnerabilities (vulnerabilities) [Optional]: Vulnerabilities identified in the finding.
If the Cloud profile is needed:
- API Details (api) [Optional]: Describes details about a typical API (Application Programming Interface) call.
- Cloud (cloud): Describes details about the Cloud environment where the event was originally created or logged.
If the Container profile is needed:
- Container (container) [Recommended]: The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
- Namespace PID (namespace_pid) [Recommended]: If running under a process namespace (such as in a container), the process identifier within that process namespace.
- Cloud (cloud): Describes details about the Cloud environment where the event was originally created or logged
"""

resources: Optional[list[ResourceDetails]]
category_name: str = CategoryUID.Findings.name
category_uid: int = CategoryUID.Findings.value
class_name: Optional[str] = ClassUID.DetectionFinding.name
class_name: Optional[str] = "Detection Finding"
class_uid: int = ClassUID.DetectionFinding.value
cloud: Optional[Cloud]
api: Optional[API]
container: Optional[Container]
namespace_pid: Optional[int]
count: Optional[int]
duration: Optional[int]
event_time: datetime
evidences: Optional[list[EvidenceArtifacts]]
impact: Optional[str]
impact_score: Optional[int]
Expand All @@ -171,6 +164,8 @@ class DetectionFinding(Finding, BaseModel):
risk_score: Optional[int]
risk_details: Optional[str]
status_id: Optional[StatusID] # type: ignore
time: int
time_dt: Optional[datetime]
timezone_offset: Optional[int]
type_uid: TypeID
type_name: Optional[str]
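Review bot: The new `time: int` field is documented only as "The standardized time when the event occurred", with no unit, so a producer cannot tell from the model whether to pass seconds or milliseconds; OCSF's `timestamp_t` is milliseconds since the epoch (confirm against the 1.3.0 schema), and the docstring line should say so: `- Event Time (time) [Required]: The standardized time when the event occurred or the finding was created, as an epoch timestamp in milliseconds.` The same omission applies to every `*_time: Optional[int]` field this commit introduces in finding.py, kb_article.py and vulnerability_details.py. Separately, `class_name: Optional[str] = "Detection Finding"` replaces an enum-derived default while `category_name` two lines above still uses `CategoryUID.Findings.name`; if the enum member name no longer matches the OCSF caption, a one-line comment such as `# OCSF caption; ClassUID member name has no space` would stop the next maintainer from reverting it. The class body continues outside the hunk.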
30 changes: 21 additions & 9 deletions py_ocsf_models/events/findings/finding.py
Expand Up @@ -79,13 +79,17 @@ class FindingInformation(BaseModel):
Attributes:
- Analytic (analytic) [Recommended]: The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.
- Created Time (created_time) [Optional]: The time when the finding was created.
- Created Time DT (created_time_dt) [Optional]: The time when the finding was created in datetime format.
- Data Sources (data_sources) [Optional]: A list of data sources utilized in generation of the finding.
- Description (desc) [Optional]: The description of the reported finding.
- First Seen (first_seen_time) [Optional]: The time when the finding was first observed. It can differ from the created_time datetime, which reflects the time this finding was created.
- First Seen (first_seen_time) [Optional]: The time when the finding was first observed.
- First Seen DT (first_seen_time_dt) [Optional]: The time when the finding was first observed in datetime format.
- Kill Chain (kill_chain) [Optional]: The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
- Last Seen (last_seen_time) [Optional]: The time when the finding was most recently observed. It can differ from the modified_time datetime, which reflects the time this finding was last modified.
- Last Seen (last_seen_time) [Optional]: The time when the finding was last observed.
- Last Seen DT (last_seen_time_dt) [Optional]: The time when the finding was last observed in datetime format.
- MITRE ATT&CK® Details (attacks) [Optional]: The MITRE ATT&CK® technique and associated tactics related to the finding.
- Modified Time (modified_time) [Optional]: The time when the finding was last modified.
- Modified Time DT (modified_time_dt) [Optional]: The time when the finding was last modified in datetime format.
- Product Identifier (product_uid) [Optional]: The unique identifier of the product that reported the finding.
- Related Analytics (related_analytics) [Optional]: Other analytics related to this finding.
- Related Events (related_events) [Optional]: Describes events and/or other findings related to the finding as identified by the security product.
Expand All @@ -96,14 +100,18 @@ class FindingInformation(BaseModel):
"""

analytic: Optional[Analytic]
created_time: Optional[datetime]
created_time: Optional[int]
created_time_dt: Optional[datetime]
data_sources: Optional[List[str]]
desc: Optional[str]
first_seen_time: Optional[datetime]
first_seen_time: Optional[int]
first_seen_time_dt: Optional[datetime]
kill_chain: Optional[List[KillChainPhase]]
last_seen_time: Optional[datetime]
last_seen_time: Optional[int]
last_seen_time_dt: Optional[datetime]
attacks: Optional[List[MITREAttack]]
modified_time: Optional[datetime]
modified_time: Optional[int]
modified_time_dt: Optional[datetime]
product_uid: Optional[str]
related_analytics: Optional[List[Analytic]]
related_events: Optional[List[RelatedEvent]]
Expand Down Expand Up @@ -161,9 +169,11 @@ class Finding(BaseEvent, BaseModel):
- Confidence (confidence) [Optional]: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
- Confidence ID (confidence_id) [Optional]: Represents the accuracy of the detection rule. A low confidence indicates a broad finding scope that may include benign events.
- Confidence Score (confidence_score) [Optional]: The confidence score as reported by the event source.
- End Time (end_time) [Optional]: datetime of the most recent event included in the finding.
- End Time (end_time) [Optional]: Time of the latest event included in the finding.
- End Time DT (end_time_dt) [Optional]: Time of the latest event included in the finding in datetime format.
- Finding Information (finding_info) [Required]: Describes the supporting information about a generated finding.
- Start Time (start_time) [Optional]: Time of the earliest event included in the finding.
- Start Time DT (start_time_dt) [Optional]: Time of the earliest event included in the finding in datetime
"""

Expand All @@ -173,6 +183,8 @@ class Finding(BaseEvent, BaseModel):
confidence: Optional[str]
confidence_id: Optional[ConfidenceID]
confidence_score: Optional[int]
end_time: Optional[datetime]
end_time: Optional[int]
end_time_dt: Optional[datetime]
finding_info: FindingInformation
start_time: Optional[datetime]
start_time: Optional[int]
start_time_dt: Optional[datetime]
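Review bot: The docstring line `- Start Time DT (start_time_dt) [Optional]: Time of the earliest event included in the finding in datetime` in the `Finding` hunk is truncated; it should end `in datetime format.` like its siblings. Nothing ties the new `*_time: Optional[int]` / `*_time_dt: Optional[datetime]` pairs together, so a producer can populate one member without the other or give two values that disagree; if the library is meant to emit consistent OCSF records, a model-level validator that derives the missing member of each pair from the other and rejects mismatches would be worth considering, though the pydantic version and `BaseEvent` are not visible here. Both `FindingInformation` and `Finding` extend beyond the hunks.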
6 changes: 4 additions & 2 deletions py_ocsf_models/objects/kb_article.py
Expand Up @@ -15,7 +15,8 @@ class KBArticle(BaseModel):
Attributes:
- classification: Vendor's classification of the KB article.
- created_time: Release date of the KB article.
- created_time: Time the KB article was created.
- created_time_dt: Time the KB article was created in datetime
- os: Operating system the KB article applies to.
- bulletin: Bulletin identifier of the KB article.
- product: Product details the KB article applies to.
Expand All @@ -28,7 +29,8 @@ class KBArticle(BaseModel):
"""

classification: Optional[str]
created_time: Optional[datetime]
created_time: Optional[int]
created_time_dt: Optional[datetime]
os: OperatingSystem
bulletin: Optional[str]
product: Optional[Product]
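Review bot: `- created_time_dt: Time the KB article was created in datetime` is cut short; end it `in datetime format.` to match the other `_dt` descriptions in this commit, and give the retyped `created_time: Optional[int]` its unit, e.g. `- created_time: Time the KB article was created, as an epoch timestamp in milliseconds.` (milliseconds per OCSF `timestamp_t`; confirm against the 1.3.0 schema). The class body continues outside the hunk.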
2 changes: 1 addition & 1 deletion py_ocsf_models/objects/organization.py
Expand Up @@ -15,6 +15,6 @@ class Organization(BaseModel):
"""

name: Optional[str]
ou_id: Optional[str]
ou_uid: Optional[str]
ou_name: Optional[str]
uid: Optional[str]
8 changes: 6 additions & 2 deletions py_ocsf_models/objects/vulnerability_details.py
Expand Up @@ -19,8 +19,10 @@ class VulnerabilityDetails(BaseModel):
- Description (desc) [Optional]: The description of the vulnerability.
- Exploit Availability (is_exploit_available) [Optional]: Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.
- First Seen (first_seen_time) [Optional]: The time when the vulnerability was first observed.
- First Seen (first_seen_time_dt) [Optional]: The time when the vulnerability was first observed in datetime format.
- Knowledgebase Articles (kb_article_list) [Optional]: A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.
- Last Seen (last_seen_time) [Optional]: The time when the vulnerability was most recently observed.
- Last Seen (last_seen_time_dt) [Optional]: The time when the vulnerability was most recently observed in datetime format.
- References (references) [Recommended]: A list of reference URLs with additional information about the vulnerability.
- Related Vulnerabilities (related_vulnerabilities) [Optional]: List of vulnerabilities that are related to this vulnerability.
- Remediation Guidance (remediation) [Optional]: The remediation recommendations on how to mitigate the identified vulnerability.
Expand All @@ -36,9 +38,11 @@ class VulnerabilityDetails(BaseModel):
# cwe: Optional[CWE]
desc: Optional[str]
is_exploit_available: Optional[bool]
first_seen_time: Optional[datetime]
first_seen_time: Optional[int]
first_seen_time_dt: Optional[datetime]
kb_article_list: Optional[List[KBArticle]]
last_seen_time: Optional[datetime]
last_seen_time: Optional[int]
last_seen_time_dt: Optional[datetime]
references: Optional[List[str]]
related_vulnerabilities: Optional[List[str]]
remediation: Optional[Remediation]
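Review bot: The two added docstring lines reuse the captions `First Seen` and `Last Seen` for the `_dt` fields, so each caption now describes two different attributes; finding.py in this same commit labels the equivalents `First Seen DT (first_seen_time_dt)` and `Last Seen DT (last_seen_time_dt)`, and these lines should follow that: `- First Seen DT (first_seen_time_dt) [Optional]: The time when the vulnerability was first observed in datetime format.` and `- Last Seen DT (last_seen_time_dt) [Optional]: The time when the vulnerability was most recently observed in datetime format.` The class body continues outside the hunk.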
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -25,7 +25,7 @@ packages = [
{include = "py_ocsf_models"}
]
readme = "README.md"
version = "0.1.1"
version = "0.2.0"

[tool.poetry.dependencies]
cryptography = "43.0.1"
