
Add `owner` to `device`, create `agent` object

Open jonrau-at-queryai opened this issue 11 months ago • 0 comments

BLUF

Add owner (user) to device and network_endpoint to match its presence within the resource object. Create a new agent object that captures various agent/sensor details.

Details

The [resource_details](https://schema.ocsf.io/1.1.0/objects/resource_details?extensions=) object has owner within, we should add this to device, and optionally to network_endpoint as there is typically ownership data for the former from various EDR, EPP, MDM, etc. type of tools.

Next, create an agent object that can extend device, and optionally resource and network_endpoint, that captures the details of various agents and sensors - e.g., MDATP, Falcon Sensor, Wazuh, Azure Monitor, AWS SSM, Amazon Inspector V1, etc. - such as who created it, what it's called, uid and uid_alt data, as well as add policy to it to denote various EDR policies, Conditional Access policies, or otherwise.

Additionally, we should add a Boolean applied attribute to policy to account for the usage in agent and any future authorization related objects (such as applied OPA/Cedar/Envoy/K8s Network Policy).

Proposed sensor/agent object

  • type_id (Enum-backed attribute that identifies the type of sensor it is. E.g., Vulnerability Management, DLP, EDR, Log Monitor, etc.)
  • type
  • creator - the company or project who created the sensor, e.g., Wazuh, Crowdstrike, Microsoft, Amazon Web Services
  • name - The name or label of the sensor, e.g., "Falcon Agent", "Azure Monitor Agent", "SSM Agent", "Amazon Inspector V1 Agent", etc.
  • uid - the actual Sensor ID, if it has one such as the aid/sensor_id from Crowdstrike or the id from SentinelOne Sentinels
  • uid_alt - an alternative ID if there is additional metadata such as a Config ID, Org ID (MDE/mdatp has this), etc.
  • version - the Semver of the agent or sensor like Crowdstrike 7.07.16206.0 or aws-ssm v2.05.56
  • policy[] - this is the actual Policy object that can define any sort of policies applied like prevention, tamper protection, logging interval, backup interval, etc. This will be an array as multiple policies can exist per agent/sensor.

Will open a PR after the larger group discusses

jonrau-at-queryai, Mar 14 '24 19:03
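As an added illustration of the proposal above (not code from the issue author or the OCSF project), the Python below maps a constructed EDR-style sensor record onto the proposed `agent` object, attaches it to a `device` that carries the proposed `owner`, and checks the result. The integer `type_id` values, the `agents` attribute name on `device`, and the sample record are assumptions for this example only.

```python
from typing import Any
# Assumed enum for agent.type_id (the issue names the categories, not the values).
AGENT_TYPE_ID = {"Unknown": 0, "EDR": 1, "DLP": 2, "Vulnerability Management": 3, "Log Monitor": 4, "Other": 99}

def build_agent(rec: dict[str, Any]) -> dict[str, Any]:
    """Map one vendor sensor record onto the proposed agent object."""
    type_name = rec.get("category", "Unknown")
    agent = {
        "type_id": AGENT_TYPE_ID.get(type_name, AGENT_TYPE_ID["Other"]),
        "type": type_name,
        "creator": rec["vendor"],   # company or project that built the sensor
        "name": rec["product"],     # human label, e.g. "Falcon Agent"
        "uid": rec["sensor_id"],    # the vendor's own sensor/agent ID
        "version": rec["version"],
        # policy[]: one policy object per policy, carrying the proposed Boolean `applied`
        "policy": [{"name": p["name"], "uid": p["id"], "applied": bool(p["enabled"])}
                   for p in rec.get("policies", [])],
    }
    if rec.get("org_id"):           # secondary identifier, e.g. an MDE org ID -> uid_alt
        agent["uid_alt"] = rec["org_id"]
    return agent

def build_device(host: dict[str, Any]) -> dict[str, Any]:
    # `owner` mirrors resource_details.owner; `agents` is an assumed attribute name.
    return {
        "hostname": host["hostname"],
        "uid": host["host_id"],
        "owner": {"name": host["owner_user"], "uid": host["owner_uid"]},
        "agents": [build_agent(s) for s in host["sensors"]],
    }

def validate_agent(agent: dict[str, Any]) -> list[str]:
    """Problems found; an empty list means the object matches the proposal."""
    errors = []
    if agent.get("type_id") not in AGENT_TYPE_ID.values():
        errors.append("type_id not in enum")
    if not agent.get("uid"):
        errors.append("uid missing")
    errors += [f"policy {p.get('uid')}: applied must be Boolean"
               for p in agent.get("policy", []) if not isinstance(p.get("applied"), bool)]
    return errors
SAMPLE_HOST = {  # constructed sample: one host with an EDR sensor and a VM scanner agent
    "hostname": "wks-042", "host_id": "host-0001", "owner_user": "alice", "owner_uid": "u-1001",
    "sensors": [
        {"vendor": "Crowdstrike", "product": "Falcon Agent", "category": "EDR",
         "sensor_id": "aid-1234", "version": "7.07.16206.0", "org_id": "org-77",
         "policies": [{"id": "pol-1", "name": "Prevention", "enabled": True},
                      {"id": "pol-2", "name": "Tamper Protection", "enabled": 0}]},
        {"vendor": "Amazon Web Services", "product": "Amazon Inspector V1 Agent",
         "category": "Vulnerability Management", "sensor_id": "i-abc", "version": "1.0.0"}]}
```

`build_device(SAMPLE_HOST)` yields two agents on the device; the EDR one carries `uid_alt` and a two-entry `policy` array with `applied` set to `True` and `False`, which `validate_agent` accepts.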