Add boot_uid to device.

On Linux systems, the procfs contains a unique per-boot identifier. Certain tools, such as EDR platforms or journald logs contain this identifier in their emitted telemerty. From an analytical perspective, it's useful to extract since it provides an analyst the ability to see activity from a given system across multiple reboots. For more details see: `man 3 sd_id128_get_machine()` Signed-off-by: Hunter Madison <[email protected]>
ocsf · Feb 4, 2025 · a2c7359 · a2c7359
1 parent c736233
commit a2c7359
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,6 +41,14 @@ Thankyou! -->
 
 ## [Unreleased]
 
+### Added
+* #### Dictionary Attributes 
+  1. Added `boot_uid` as a `string_t`
+
+### Improved
+* #### Objects
+  1. Added `boot_uid` to `device` objects.
+
 ## [v1.4.0] - January 31st, 2025
 
 ### Added

diff --git a/dictionary.json b/dictionary.json
@@ -401,6 +401,11 @@
       "description": "The time when the system was booted.",
       "type": "timestamp_t"
     },
+    "boot_uid": {
+      "caption": "Boot UID",
+      "description": "A unique identifier of the device that changes after every reboot. For example, the value of <code>/proc/sys/kernel/random/boot_id</code> from Linux's procfs.",
+      "type": "string_t"
+    },
     "boundary": {
       "caption": "Boundary",
       "description": "The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source. <p> For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External.</p>",

diff --git a/objects/device.json b/objects/device.json
@@ -130,6 +130,10 @@
     "vendor_name": {
       "description": "The vendor for the device. For example <code>Dell</code> or <code>Lenovo</code>.",
       "requirement": "recommended"
+    },
+    "boot_uid": {
+      "description": "A unique identifier of the device that changes after every reboot. For example, the value of <code>/proc/sys/kernel/random/boot_id</code> from Linux's procfs.",
+      "requirement": "optional"
     }
   },
   "references": [
@@ -138,4 +142,4 @@
       "url": "https://d3fend.mitre.org/dao/artifact/d3f:Host/"
     }
   ]
-}
+}