feat(ocsf): adapt models to version 1.3.0 (#123)

Author: MrCloudSec

examples/detection_finding.py

@@ -150,7 +150,9 @@
             name="Account 1", type="Account", type_id="3", uid="123", labels=["Label 1"]
         ),
         zone="Zone 1",
-        org=Organization(name="Organization 1", ou_id="123", ou_name="OU 1", uid="123"),
+        org=Organization(
+            name="Organization 1", ou_uid="123", ou_name="OU 1", uid="123"
+        ),
         project_uid="123",
         provider="Provider 1",
         region="Region 1",
@@ -177,10 +179,9 @@
         size=123,
         uid="123",
     ),
-    namespace_pid=123,
     count=123,
     duration=123,
-    event_time=datetime.now(),
+    time=datetime.now(),
     evidences=[
         EvidenceArtifacts(
             api=API(

py_ocsf_models/__init__.py

@@ -1 +1 @@
-OCSF_VERSION = "1.2.0"
+OCSF_VERSION = "1.3.0"

py_ocsf_models/events/findings/detection_finding.py

@@ -7,7 +7,6 @@
 from py_ocsf_models.events.findings.finding import Finding
 from py_ocsf_models.objects.api import API
 from py_ocsf_models.objects.cloud import Cloud
-from py_ocsf_models.objects.container import Container
 from py_ocsf_models.objects.evidence_artifacts import EvidenceArtifacts
 from py_ocsf_models.objects.remediation import Remediation
 from py_ocsf_models.objects.resource_details import ResourceDetails
@@ -122,10 +121,10 @@ class DetectionFinding(Finding, BaseModel):
     - Class (class_name) [Optional]: The event class name, as defined by class_uid value: Detection Finding.
     - Class ID (class_uid): The unique identifier of a class. A Class describes the attributes available in an event.
     - Cloud (cloud) [Optional]: Describes details about the Cloud environment where the event was originally created or logged.
-    - Container (container) [Optional]: Describes the container details.
     - Count (count) [Optional]: Number of times similar events occurred within a specified timeframe.
     - Duration (duration) [Optional]: Time span of the event, from start to end, in milliseconds.
     - Event Time (time) [Required]: The standardized time when the event occurred or the finding was created.
+    - Event Time (time_dt) [Optional]: The standardized time when the event occurred or the finding was created, in datetime format.
     - Evidence Artifacts (evidences) [Optional]: Artifacts related to the security detection activities.
     - Impact (impact) [Optional]: The impact, normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.
     - Impact Score (impact_score) [Optional]: The impact of the finding, valid range 0-100.
@@ -135,32 +134,26 @@ class DetectionFinding(Finding, BaseModel):
     - Risk Level ID (risk_level_id) [Optional]: The normalized risk level id.
     - Risk Score (risk_score) [Optional]: The risk score as reported by the event source.
     - Risk Details (risk_details) [Optional]: Additional details about the risk.
+    - Status ID (status_id) [Optional]: The normalized identifier of the event/finding severity.
     - Timezone Offset (timezone_offset) [Optional]: Difference in minutes from UTC.
     - Type ID (type_uid): The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.
     - Type Name (type_name) [Optional]: The event/finding type name, as defined by the type_uid.
     - Vulnerabilities (vulnerabilities) [Optional]: Vulnerabilities identified in the finding.
 
     If the Cloud profile is needed:
         - API Details (api) [Optional]: Describes details about a typical API (Application Programming Interface) call.
-        - Cloud (cloud): Describes details about the Cloud environment where the event was originally created or logged.
-
-    If the Container profile is needed:
-        - Container (container) [Recommended]: The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
-        - Namespace PID (namespace_pid) [Recommended]: If running under a process namespace (such as in a container), the process identifier within that process namespace.
+        - Cloud (cloud): Describes details about the Cloud environment where the event was originally created or logged
     """
 
     resources: Optional[list[ResourceDetails]]
     category_name: str = CategoryUID.Findings.name
     category_uid: int = CategoryUID.Findings.value
-    class_name: Optional[str] = ClassUID.DetectionFinding.name
+    class_name: Optional[str] = "Detection Finding"
     class_uid: int = ClassUID.DetectionFinding.value
     cloud: Optional[Cloud]
     api: Optional[API]
-    container: Optional[Container]
-    namespace_pid: Optional[int]
     count: Optional[int]
     duration: Optional[int]
-    event_time: datetime
     evidences: Optional[list[EvidenceArtifacts]]
     impact: Optional[str]
     impact_score: Optional[int]
@@ -171,6 +164,8 @@ class DetectionFinding(Finding, BaseModel):
     risk_score: Optional[int]
     risk_details: Optional[str]
     status_id: Optional[StatusID]  # type: ignore
+    time: int
+    time_dt: Optional[datetime]
     timezone_offset: Optional[int]
     type_uid: TypeID
     type_name: Optional[str]

py_ocsf_models/events/findings/finding.py

@@ -79,13 +79,17 @@ class FindingInformation(BaseModel):
     Attributes:
     - Analytic (analytic) [Recommended]: The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.
     - Created Time (created_time) [Optional]: The time when the finding was created.
+    - Created Time DT (created_time_dt) [Optional]: The time when the finding was created in datetime format.
     - Data Sources (data_sources) [Optional]: A list of data sources utilized in generation of the finding.
     - Description (desc) [Optional]: The description of the reported finding.
-    - First Seen (first_seen_time) [Optional]: The time when the finding was first observed. It can differ from the created_time datetime, which reflects the time this finding was created.
+    - First Seen (first_seen_time) [Optional]: The time when the finding was first observed.
+    - First Seen DT (first_seen_time_dt) [Optional]: The time when the finding was first observed in datetime format.
     - Kill Chain (kill_chain) [Optional]: The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
-    - Last Seen (last_seen_time) [Optional]: The time when the finding was most recently observed. It can differ from the modified_time datetime, which reflects the time this finding was last modified.
+    - Last Seen (last_seen_time) [Optional]: The time when the finding was last observed.
+    - Last Seen DT (last_seen_time_dt) [Optional]: The time when the finding was last observed in datetime format.
     - MITRE ATT&CK® Details (attacks) [Optional]: The MITRE ATT&CK® technique and associated tactics related to the finding.
     - Modified Time (modified_time) [Optional]: The time when the finding was last modified.
+    - Modified Time DT (modified_time_dt) [Optional]: The time when the finding was last modified in datetime format.
     - Product Identifier (product_uid) [Optional]: The unique identifier of the product that reported the finding.
     - Related Analytics (related_analytics) [Optional]: Other analytics related to this finding.
     - Related Events (related_events) [Optional]: Describes events and/or other findings related to the finding as identified by the security product.
@@ -96,14 +100,18 @@ class FindingInformation(BaseModel):
     """
 
     analytic: Optional[Analytic]
-    created_time: Optional[datetime]
+    created_time: Optional[int]
+    created_time_dt: Optional[datetime]
     data_sources: Optional[List[str]]
     desc: Optional[str]
-    first_seen_time: Optional[datetime]
+    first_seen_time: Optional[int]
+    first_seen_time_dt: Optional[datetime]
     kill_chain: Optional[List[KillChainPhase]]
-    last_seen_time: Optional[datetime]
+    last_seen_time: Optional[int]
+    last_seen_time_dt: Optional[datetime]
     attacks: Optional[List[MITREAttack]]
-    modified_time: Optional[datetime]
+    modified_time: Optional[int]
+    modified_time_dt: Optional[datetime]
     product_uid: Optional[str]
     related_analytics: Optional[List[Analytic]]
     related_events: Optional[List[RelatedEvent]]
@@ -161,9 +169,11 @@ class Finding(BaseEvent, BaseModel):
     - Confidence (confidence) [Optional]: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
     - Confidence ID (confidence_id) [Optional]: Represents the accuracy of the detection rule. A low confidence indicates a broad finding scope that may include benign events.
     - Confidence Score (confidence_score) [Optional]: The confidence score as reported by the event source.
-    - End Time (end_time) [Optional]: datetime of the most recent event included in the finding.
+    - End Time (end_time) [Optional]: Time of the latest event included in the finding.
+    - End Time DT (end_time_dt) [Optional]: Time of the latest event included in the finding in datetime format.
     - Finding Information (finding_info) [Required]: Describes the supporting information about a generated finding.
     - Start Time (start_time) [Optional]: Time of the earliest event included in the finding.
+    - Start Time DT (start_time_dt) [Optional]: Time of the earliest event included in the finding in datetime
 
     """
 
@@ -173,6 +183,8 @@ class Finding(BaseEvent, BaseModel):
     confidence: Optional[str]
     confidence_id: Optional[ConfidenceID]
     confidence_score: Optional[int]
-    end_time: Optional[datetime]
+    end_time: Optional[int]
+    end_time_dt: Optional[datetime]
     finding_info: FindingInformation
-    start_time: Optional[datetime]
+    start_time: Optional[int]
+    start_time_dt: Optional[datetime]

py_ocsf_models/objects/kb_article.py

@@ -15,7 +15,8 @@ class KBArticle(BaseModel):
 
     Attributes:
     - classification: Vendor's classification of the KB article.
-    - created_time: Release date of the KB article.
+    - created_time: Time the KB article was created.
+    - created_time_dt: Time the KB article was created in datetime
     - os: Operating system the KB article applies to.
     - bulletin: Bulletin identifier of the KB article.
     - product: Product details the KB article applies to.
@@ -28,7 +29,8 @@ class KBArticle(BaseModel):
     """
 
     classification: Optional[str]
-    created_time: Optional[datetime]
+    created_time: Optional[int]
+    created_time_dt: Optional[datetime]
     os: OperatingSystem
     bulletin: Optional[str]
     product: Optional[Product]

py_ocsf_models/objects/organization.py

@@ -15,6 +15,6 @@ class Organization(BaseModel):
     """
 
     name: Optional[str]
-    ou_id: Optional[str]
+    ou_uid: Optional[str]
     ou_name: Optional[str]
     uid: Optional[str]

py_ocsf_models/objects/vulnerability_details.py

@@ -19,8 +19,10 @@ class VulnerabilityDetails(BaseModel):
     - Description (desc) [Optional]: The description of the vulnerability.
     - Exploit Availability (is_exploit_available) [Optional]: Indicates if an exploit or a PoC (proof-of-concept) is available for the reported vulnerability.
     - First Seen (first_seen_time) [Optional]: The time when the vulnerability was first observed.
+    - First Seen (first_seen_time_dt) [Optional]: The time when the vulnerability was first observed in datetime format.
     - Knowledgebase Articles (kb_article_list) [Optional]: A list of KB articles or patches related to an endpoint. A KB Article contains metadata that describes the patch or an update.
     - Last Seen (last_seen_time) [Optional]: The time when the vulnerability was most recently observed.
+    - Last Seen (last_seen_time_dt) [Optional]: The time when the vulnerability was most recently observed in datetime format.
     - References (references) [Recommended]: A list of reference URLs with additional information about the vulnerability.
     - Related Vulnerabilities (related_vulnerabilities) [Optional]: List of vulnerabilities that are related to this vulnerability.
     - Remediation Guidance (remediation) [Optional]: The remediation recommendations on how to mitigate the identified vulnerability.
@@ -36,9 +38,11 @@ class VulnerabilityDetails(BaseModel):
     # cwe: Optional[CWE]
     desc: Optional[str]
     is_exploit_available: Optional[bool]
-    first_seen_time: Optional[datetime]
+    first_seen_time: Optional[int]
+    first_seen_time_dt: Optional[datetime]
     kb_article_list: Optional[List[KBArticle]]
-    last_seen_time: Optional[datetime]
+    last_seen_time: Optional[int]
+    last_seen_time_dt: Optional[datetime]
     references: Optional[List[str]]
     related_vulnerabilities: Optional[List[str]]
     remediation: Optional[Remediation]

pyproject.toml

@@ -25,7 +25,7 @@ packages = [
   {include = "py_ocsf_models"}
 ]
 readme = "README.md"
-version = "0.1.1"
+version = "0.2.0"
 
 [tool.poetry.dependencies]
 cryptography = "43.0.1"