diff --git a/events/discovery/discovery_result.json b/events/discovery/discovery_result.json
new file mode 100644
index 000000000..03df83d6a
--- /dev/null
+++ b/events/discovery/discovery_result.json
@@ -0,0 +1,39 @@
+{
+ "caption": "Discovery Result",
+ "category": "discovery",
+ "name": "discovery_result",
+ "extends": "base_event",
+ "description": "Discovery Result events report the results of a discovery request.",
+ "profiles": [
+ "host"
+ ],
+ "attributes": {
+ "$include": [
+ "profiles/host.json"
+ ],
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Exists",
+ "description": "The target was found."
+ },
+ "2": {
+ "caption": "Partial",
+ "description": "The target was partially found."
+ },
+ "3": {
+ "caption": "Does not exist",
+ "description": "The target was not found."
+ },
+ "4": {
+ "caption": "Error",
+ "description": "The discovery attempt failed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "Discovery of the target was not supported."
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/events/discovery/user_info.json b/events/discovery/user_info.json
new file mode 100644
index 000000000..b4a5ced4a
--- /dev/null
+++ b/events/discovery/user_info.json
@@ -0,0 +1,13 @@
+{
+ "caption": "User Info",
+ "description": "User Info events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.",
+ "extends": "discovery_result",
+ "name": "user_info",
+ "uid": 18,
+ "attributes": {
+ "user": {
+ "group": "primary",
+ "requirement": "required"
+ }
+ }
+}
\ No newline at end of file
diff --git a/objects/metadata.json b/objects/metadata.json
index 3125bbce5..f117f92e7 100644
--- a/objects/metadata.json
+++ b/objects/metadata.json
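Review bot: The five values under `activity_id` in discovery_result.json ("Exists", "Partial", "Does not exist", "Error", "Unsupported") name the outcome of a lookup rather than an activity, and the description for `2`, "The target was partially found.", does not say what a partial result is. Consumers writing detections are likely to read `3` as a confirmed negative, so the text should make clear that a failed or incomplete lookup is never reported under it, for example `"description": "The discovery completed and the target was not found."`. If "Partial" is meant to cover a lookup that returned only some of the requested attributes, I would say so in its description.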
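Review bot: In user_info.json `user` is marked `"requirement": "required"`, yet the class extends `discovery_result`, whose `activity_id` allows "Does not exist" and "Error"; the description does not say what a producer puts in `user` when nothing was found. If the intent is that `user` then carries the identity that was searched for, I would add that to `description`, e.g. `When the target was not found, user holds the attributes that were queried.` Both new files also end without a trailing newline (`\ No newline at end of file`).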
@@ -4,13 +4,28 @@
 "extends": "object",
 "name": "metadata",
 "attributes": {
- "correlation_uid": {},
+ "correlation_uid": {
+ "requirement": "optional"
+ },
 "event_code": {
 "requirement": "optional"
 },
- "extension": {},
+ "extension": {
+ "requirement": "optional",
+ "@deprecated": {
+ "message": "Use the extensions attribute instead.",
+ "since": "v1.0.0"
+ }
+ },
+ "extensions": {
+ "requirement": "optional"
+ },
 "labels": {
- "description": "

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: [\"network\", \"connection.ip:destination\", \"device.ip:source\"]"
+ "description": "

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: [\"network\", \"connection.ip:destination\", \"device.ip:source\"]",
+ "requirement": "optional"
+ },
+ "log_level": {
+ "requirement": "optional"
 },
 "log_name": {
 "requirement": "recommended"
@@ -21,26 +36,38 @@
 "log_version": {
 "requirement": "optional"
 },
- "logged_time": {},
+ "logged_time": {
+ "requirement": "optional"
+ },
 "modified_time": {
- "description": "The time when the event was last modified or enriched."
+ "description": "The time when the event was last modified or enriched.",
+ "requirement": "optional"
 },
+ "loggers": {},
 "original_time": {
 "requirement": "recommended"
 },
- "processed_time": {},
+ "processed_time": {
+ "requirement": "optional"
+ },
 "product": {
 "requirement": "required"
 },
- "profiles": {},
- "sequence": {},
+ "profiles": {
+ "requirement": "optional"
+ },
+ "sequence": {
+ "requirement": "optional"
+ },
+ "tenant_uid": {
+ "requirement": "recommended"
+ },
 "uid": {
 "caption": "Event UID",
 "description": "The logging system-assigned unique identifier of an event instance.",
 "requirement": "optional"
 },
 "version": {
- "default": "1.0.0",
 "description": "The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.",
 "requirement": "required"
 }
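Review bot: The `@deprecated` marker added to `extension` in the first metadata.json hunk gives `"since": "v1.0.0"`, while the `version` description later in this file shows the SemVer form without a prefix (`1.0.0`). If any tooling compares `since` against the schema version, the two spellings should agree; I would write `"since": "1.0.0"`. The message "Use the extensions attribute instead." could also say how `extensions` differs in shape from `extension`, since the hunk shows only that both are optional.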
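Review bot: In the second metadata.json hunk `"loggers": {},` is added with no `requirement`, in the same change that gives every other bare `{}` entry (`logged_time`, `processed_time`, `profiles`, `sequence`) an explicit `"requirement": "optional"`. It also sits between `modified_time` and `original_time` instead of after `logged_time`, where the alphabetical order of the other keys would put it. I would write it as `"loggers": { "requirement": "optional" }`, assuming optional is the intended level, and move it. Separately, `version` loses `"default": "1.0.0"` while staying `required`, so any producer that relied on the default now has to set the value itself; that is worth stating in the commit description. The `attributes` object closes outside the hunk.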