ocsf · pagbabian-splunk · Oct 4, 2024 · Oct 8, 2024 · Oct 16, 2024 · Oct 29, 2024
@@ -4,6 +4,7 @@
   "description": "Admin Group Query events report information about administrative groups.",
   "extends": "discovery_result",
   "name": "admin_group_query",
+  "family": "Query",
   "attributes": {
     "group": {
       "description": "The administrative group.",

@@ -4,6 +4,7 @@
   "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
   "extends": "discovery",
   "name": "cloud_resources_inventory_info",
+  "family": "Inventory",
   "attributes": {
     "cloud": {
       "profile": null,

@@ -4,6 +4,7 @@
   "description": "Device Config State events report device configuration data and CIS Benchmark results.",
   "extends": "discovery",
   "name": "config_state",
+  "family": "State",
   "attributes": {
     "actor": {
       "group": "context",

@@ -4,6 +4,7 @@
     "description": "Device Config State Change events report state changes that impact the security of the device.",
     "extends": "discovery",
     "name": "device_config_state_change",
+    "family": "State",
     "attributes": {
         "actor": {
             "group": "context",

@@ -4,6 +4,7 @@
   "description": "Discovery Result events report the results of a discovery request.",
   "extends": "base_event",
   "name": "discovery_result",
+  "family": "Query",
   "attributes": {
     "activity_id": {
       "enum": {

@@ -4,6 +4,7 @@
   "description": "File Query events report information about files that are present on the system.",
   "extends": "discovery_result",
   "name": "file_query",
+  "family": "Query",
   "attributes": {
     "file": {
       "description": "The file that is the target of the query.",

@@ -4,6 +4,7 @@
   "description": "Folder Query events report information about folders that are present on the system.",
   "extends": "discovery_result",
   "name": "folder_query",
+  "family": "Query",
   "attributes": {
     "folder": {
       "description": "The folder that is the target of the query.",

@@ -4,6 +4,7 @@
   "description": "Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.",
   "extends": "discovery",
   "name": "inventory_info",
+  "family": "Inventory",
   "attributes": {
     "actor": {
       "group": "context",

@@ -4,6 +4,7 @@
   "description": "Job Query events report information about scheduled jobs.",
   "extends": "discovery_result",
   "name": "job_query",
+  "family": "Query",
   "attributes": {
     "job": {
       "group": "primary",

@@ -4,6 +4,7 @@
   "description": "Kernel Object Query events report information about discovered kernel resources.",
   "extends": "discovery_result",
   "name": "kernel_object_query",
+  "family": "Query",
   "attributes": {
     "kernel": {
       "description": "The kernel object that pertains to the event.",

@@ -4,6 +4,7 @@
   "description": "Module Query events report information about loaded modules.",
   "extends": "discovery_result",
   "name": "module_query",
+  "family": "Query",
   "attributes": {
     "module": {
       "group": "primary",

@@ -4,6 +4,7 @@
   "description": "Network Connection Query events report information about active network connections.",
   "extends": "discovery_result",
   "name": "network_connection_query",
+  "family": "Query",
   "attributes": {
     "connection_info": {
       "group": "primary",

@@ -4,6 +4,7 @@
   "description": "Networks Query events report information about network adapters.",
   "extends": "discovery_result",
   "name": "networks_query",
+  "family": "Query",
   "attributes": {
     "network_interfaces": {
       "group": "primary",

@@ -4,6 +4,7 @@
     "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.",
     "extends": "discovery",
     "name": "osint_inventory_info",
+    "family": "Inventory",
     "attributes": {
         "actor": {
             "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.",

@@ -4,6 +4,7 @@
   "description": "Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.",
   "extends": "discovery",
   "name": "patch_state",
+  "family": "State",
   "attributes": {
     "device": {
       "group": "primary",

@@ -4,6 +4,7 @@
   "description": "Peripheral Device Query events report information about peripheral devices.",
   "extends": "discovery_result",
   "name": "peripheral_device_query",
+  "family": "Query",
   "attributes": {
     "peripheral_device": {
       "group": "primary",

@@ -4,6 +4,7 @@
   "description": "Process Query events report information about running processes.",
   "extends": "discovery_result",
   "name": "process_query",
+  "family": "Query",
   "attributes": {
     "process": {
       "group": "primary",

@@ -4,6 +4,7 @@
   "description": "Service Query events report information about running services.",
   "extends": "discovery_result",
   "name": "service_query",
+  "family": "Query",
   "attributes": {
     "service": {
       "group": "primary",

@@ -4,6 +4,7 @@
   "description": "User Session Query events report information about existing user sessions.",
   "extends": "discovery_result",
   "name": "session_query",
+  "family": "Query",
   "attributes": {
     "session": {
       "group": "primary",

@@ -4,6 +4,7 @@
   "description": "Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.",
   "extends": "discovery",
   "name": "software_info",
+  "family": "Inventory",
   "attributes": {
     "actor": {
       "group": "context",

@@ -4,6 +4,7 @@
   "extends": "discovery_result",
   "name": "startup_item_query",
   "uid": 22,
+  "family": "Query",
   "attributes": {
     "startup_item": {
       "group": "primary",

@@ -4,6 +4,7 @@
     "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.",
     "extends": "discovery",
     "name": "user_inventory",
+    "family": "Inventory",
     "attributes": {
         "actor": {
             "description": "The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.",

@@ -4,6 +4,7 @@
   "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.",
   "extends": "discovery_result",
   "name": "user_query",
+  "family": "Query",
   "attributes": {
     "user": {
       "group": "primary",

@@ -33,6 +33,10 @@
                     "type": "string",
                     "description": "The category that the event belongs to."
                 },
+                "family": {
+                    "type:": "string",
+                    "description": "The family or sub-category that the event belongs to, usually with a common suffix in its name."
+                },
                 "uid": {
                     "type": "integer",
                     "description": "A unique identifier for this event, must be unique within the category.",