From 203d70cb3508f4decf1479229fbbda99c95c07e5 Mon Sep 17 00:00:00 2001 From: Manoj Sudhakara <02manoj92@gmail.com> Date: Fri, 13 Dec 2024 08:23:15 -0700 Subject: [PATCH] Added drive_type and drive_type_id for file object (#1287) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #### Related Issue: 1286 - Add drive_type and drive_type_id under File Object https://github.com/ocsf/ocsf-schema/issues/1286 #### Description of changes: The proposal is to extend the File Object by adding details about the type of drive where the file is located. This enrichment would offer greater security insight, assisting the SOC team in determining whether files are created off a network drive or say a USB thumb drive. The below list was inspired by a Win32 API : https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getdrivetypea I have added two optional fields called drive_type and drive_type_id under File Object to take care of this. drive_type_id can take one of the following values : ```0 = "Unknown", 1 = "Removable", 2 = "Fixed", 3 = "Remote", 4 = "CD-ROM", 5 = "RAM Disk", 99 = "Other" ``` and the drive_type would be string equivalent. Screenshot 2024-12-12 at 9 03 49 PM --------- Signed-off-by: 02manoj92@gmail.com Co-authored-by: 02manoj92@gmail.com --- CHANGELOG.md | 2 ++ dictionary.json | 41 +++++++++++++++++++++++++++++++++++++++++ objects/file.json | 6 ++++++ 3 files changed, 49 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 77da2d332..f40abe5ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -92,6 +92,7 @@ Thankyou! --> 1. Added `vendor_attributes` object. #1257 1. Added `aircraft` object. #1253 1. Added `software_component` and `sbom` objects. #1262 + 1. Added `drive_type` and `drive_type_id` objects. #1287 ### Improved * #### Event Classes 
@@ -156,6 +157,7 @@ Thankyou! --> 1. Added `cloud_partition` to the `cloud` object. #1271 1. Added `product`, `related_events_count`, `uid_alt`, `tags` to `finding_info` object. #1271 1. Added `count`, `created_time`, `desc`, `first_seen_time`, `last_seen_time`, `modified_time`, `product`, `severity`, `severity_id`, `tags` & `title` to `related_event` object. #1271 + 1. Added `drive_type` and `drive_type_id` to the `file` object. #1287 ### Bugfixes 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180 diff --git a/dictionary.json b/dictionary.json index 744f622d2..a77128909 100644 --- a/dictionary.json +++ b/dictionary.json 
@@ -1818,6 +1818,47 @@
 "type": "string_t",
 "is_array": true
 },
+ "drive_type": {
+ "caption": "Drive Type",
+ "description": "The drive type, normalized to the caption of the drive_type_id value. In the case of Other, it is defined by the source.",
+ "type": "string_t"
+ },
+ "drive_type_id" : {
+ "caption": "Drive Type ID",
+ "description": "Identifies the type of a disk drive, i.e. fixed, removable, etc.",
+ "sibling": "drive_type",
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The drive type is unknown."
+ },
+ "1": {
+ "caption": "Removable",
+ "description": "The drive has removable media; for example, a floppy drive, thumb drive, or flash card reader."
+ },
+ "2": {
+ "caption": "Fixed",
+ "description": "The drive has fixed media; for example, a hard disk drive or flash drive."
+ },
+ "3": {
+ "caption": "Remote",
+ "description": "The drive is a remote (network) drive."
+ },
+ "4": {
+ "caption": "CD-ROM",
+ "description": "The drive is a CD-ROM drive."
+ },
+ "5": {
+ "caption": "RAM Disk",
+ "description": "The drive is a RAM disk."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The drive type is not mapped. See the drive_type attribute, which contains a data source specific value."
+ }
+ }
+ },
 "driver": {
 "caption": "Kernel Driver",
 "description": "The driver that was loaded/unloaded into the kernel",
diff --git a/objects/file.json
index c01680bc0..f5f9fdddf 100644
--- a/objects/file.json
+++ b/objects/file.json
@@ -42,6 +42,12 @@
 "description": "The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.",
 "requirement": "optional"
 },
+ "drive_type": {
+ "requirement": "optional"
+ },
+ "drive_type_id" : {
+ "requirement": "optional"
+ },
 "encryption_details": {
 "description": "The encryption details of the file. Should be populated if the file is encrypted.",
 "requirement": "optional"
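Review bot: The `Fixed` entry's description ("a hard disk drive or flash drive") collides with the `Removable` entry's "thumb drive", which is exactly the distinction the PR says this field exists to give the SOC, so a producer reading the captions could reasonably file a USB stick under 2; suggest `"description": "The drive has fixed, non-removable media; for example, an internal hard disk drive or solid-state drive."` for value 2. The numbering also does not follow the Win32 GetDriveType constants the PR description cites (if I read that doc correctly, DRIVE_REMOVABLE is 2, DRIVE_FIXED 3, DRIVE_REMOTE 4, and DRIVE_NO_ROOT_DIR 1 has no counterpart here), so a mapper that copies the raw return value would shift every class by one and label fixed disks as Remote and USB media as Fixed. A sentence in `drive_type_id`'s description stating that these values are OCSF-assigned rather than the OS constant, with unmapped OS values going to 99 and the original value carried in `drive_type`, would head that off. While there, `i.e. fixed, removable, etc.` should read `e.g. fixed, removable`, and `"drive_type_id" : {` carries a space before the colon that no other key in the hunk has.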
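Review bot: The new `drive_type` and `drive_type_id` entries in `objects/file.json` inherit the generic dictionary wording, whereas the neighbouring `desc` and `encryption_details` entries override `description` to say what the attribute means for this object; without that it is unclear whether the drive is the one holding `path` or, for activity that involves two locations, which side is meant. Suggest adding `"description": "Identifies the type of the drive or volume on which the file resides, e.g. fixed, removable, or remote."` to `drive_type_id` and a matching sentence for `drive_type`. The `"drive_type_id" : {` key also has a stray space before the colon, unlike the other keys in this file.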