Merge pull request #62 from fabrizio-turchi/issue-#20

Fix #20 issue, adding EventRecordFacet and ObservableAction classes

Author: ajnelson-nist

case.jsonld

@@ -1705,6 +1705,110 @@
                     }
                 }
             ]
+        },
+        {
+            "@id": "kb:63455f6a-3e0a-58d2-b425-68030c41a62a",
+            "@type": "uco-observable:ObservableObject",
+            "uco-core:hasFacet": [
+                {
+                    "@id": "kb:67ecf21e-de3c-5430-84ac-891a81265d51",
+                    "@type": "uco-observable:AccountFacet",
+                    "uco-observable:isActive": {
+                        "@type": "xsd:boolean",
+                        "@value": true
+                    },
+                    "uco-observable:accountIdentifier": "u_moss"
+                },
+                {
+                    "@id": "kb:ab3cd06a-45f4-5067-ada0-646de5548101",
+                    "@type": "uco-observable:ApplicationAccountFacet",
+                    "uco-observable:application": {
+                        "@id": "kb:63455f6a-3e0a-58d2-b425-68030c41a62a"
+                    }
+                }
+            ]
+        },
+        {
+            "@id": "kb:b6326bd9-8691-59c5-b126-9ca2be995d78",
+            "@type": "uco-observable:ObservableObject",
+            "uco-core:hasFacet": [
+                {
+                    "@id": "kb:82bd053b-bb47-5931-a59e-bcb6b451d048",
+                    "@type": "uco-observable:ApplicationFacet",
+                    "uco-observable:applicationIdentifier": "iPhoneNetworkDataUsage"
+                }
+            ]
+        },
+        {
+            "@id": "kb:1b700918-7f2d-55ad-acd8-fba19ce9e7aa",
+            "@type": "uco-observable:ObservableAction",
+            "uco-core:name": "Network log entry",
+            "uco-core:description": "Network log entry extraction of all lines",
+            "uco-action:actionStatus": {
+                "@type": "uco-vocabulary:ActionStatusTypeVocab",
+                "@value": "Complete/Finish"
+            },
+            "uco-action:startTime": {
+                "@type": "xsd:dateTime",
+                "@value": "2024-02-29T12:28:49+00:00"
+            },
+            "uco-action:endTime": {
+                "@type": "xsd:dateTime",
+                "@value": "2024-02-29T12:43:44+00:00"
+            },
+            "uco-action:performer": {
+                "@id": "kb:0db6f576-b92c-520d-9e1a-445eb103254b"
+            },
+            "uco-action:instrument": {
+                "@id": "kb:dae7ab48-4877-5aeb-83be-51c67fa53493"
+            },
+            "uco-action:location": {
+                "@id": "kb:f0e14e08-35aa-5381-b2f2-5822f93163b7"
+            },
+            "uco-action:object": {
+                "@id": "kb:1506e4eb-8c84-5ffc-9329-3cf998ca145b"
+            },
+            "uco-action:participant": {
+                "@id": "kb:0db6f576-b92c-520d-9e1a-445eb103254b"
+            }
+        },
+        {
+            "@id": "kb:28779a1c-3868-5089-9408-e989937cf375",
+            "@type": "uco-observable:ObservableObject",
+            "uco-core:hasFacet": [
+                {
+                    "@id": "kb:075ee909-b08c-5f4a-9c43-08a00829d72d",
+                    "@type": "uco-observable:EventRecordFacet",
+                    "uco-observable:eventRecordID": "geod/AlexisBarreyat.BeReal",
+                    "uco-observable:eventRecordRaw": "Wifi In:0, Wifi Out:0, Wan In:37847, 10689999, Wan Out:18956",
+                    "uco-observable:eventRecordServiceName": "BeReal",
+                    "uco-observable:eventType": "information",
+                    "uco-observable:account": {
+                        "@id": "kb:63455f6a-3e0a-58d2-b425-68030c41a62a"
+                    },
+                    "uco-observable:application": {
+                        "@id": "kb:b6326bd9-8691-59c5-b126-9ca2be995d78"
+                    },
+                    "uco-observable:cyberAction": {
+                        "@id": "kb:1b700918-7f2d-55ad-acd8-fba19ce9e7aa"
+                    },
+                    "uco-observable:eventRecordDevice": {
+                        "@id": "kb:cad54a2d-fb07-50a8-9f71-7d7ea46d0b68"
+                    },
+                    "uco-observable:observableCreatedTime": {
+                        "@type": "xsd:dateTime",
+                        "@value": "2024-04-21T21:38:19+00:00"
+                    },
+                    "uco-observable:startTime": {
+                        "@type": "xsd:dateTime",
+                        "@value": "2024-04-21T21:38:19+00:00"
+                    },
+                    "uco-observable:endTime": {
+                        "@type": "xsd:dateTime",
+                        "@value": "2024-04-21T23:58:19+00:00"
+                    }
+                }
+            ]
         }
     ]
 }

case_mapping/uco/action.py

@@ -1,5 +1,5 @@
 from datetime import datetime
-from typing import Any, List, Optional, Union
+from typing import Any, List, Optional, Sequence, Union
 
 from pytz import timezone
 
@@ -11,19 +11,21 @@ class Action(ObjectEntity):
     def __init__(
         self,
         *args: Any,
-        description: Optional[str] = None,
-        facets: Optional[List[FacetEntity]] = None,
+        action_count: Optional[int] = None,
+        action_status: Optional[str] = None,
         end_time: Optional[datetime] = None,
         environment: Optional[ObjectEntity] = None,
-        instrument: Union[None, ObjectEntity, List[ObjectEntity]] = None,
-        location: Union[None, Location, List[Location]] = None,
-        name: Optional[str] = None,
-        objects: Union[None, ObjectEntity, List[ObjectEntity]] = None,
+        error: Optional[ObjectEntity] = None,
+        instrument: Union[None, ObjectEntity, Sequence[ObjectEntity]] = None,
+        location: Union[None, Location, Sequence[Location]] = None,
+        objects: Union[None, ObjectEntity, Sequence[ObjectEntity]] = None,
+        participant: Union[None, Sequence[ObjectEntity]] = None,
         performer: Optional[ObjectEntity] = None,
-        results: Union[None, ObjectEntity, List[ObjectEntity]] = None,
+        results: Union[None, ObjectEntity, Sequence[ObjectEntity]] = None,
         start_time: Optional[datetime] = None,
+        subaction: Optional[ObjectEntity] = None,
         **kwargs: Any,
-    ):
+    ) -> None:
         """
         An action is something that may be done or performed.
         Actions group the properties characterizing core action-elements (who, how, with what, where, etc.).
@@ -38,21 +40,32 @@ def __init__(
         :param object: The things that the action is performed on/against.
         :param result: The things resulting from performing an action.
         """
-        super().__init__(
-            *args, description=description, facets=facets, name=name, **kwargs
-        )
+        super().__init__(*args, **kwargs)
         self["@type"] = "uco-action:Action"
+        self._nonegative_int_vars(
+            **{
+                "uco-action:actionCount": action_count,
+            }
+        )
+        if action_status:
+            self["uco-action:actionStatus"] = {
+                "@type": "uco-vocabulary:ActionStatusTypeVocab",
+                "@value": action_status,
+            }
         self._datetime_vars(
             **{"uco-action:startTime": start_time, "uco-action:endTime": end_time}
         )
         self._node_reference_vars(
             **{
                 "uco-action:environment": environment,
+                "uco-action:error": error,
                 "uco-action:performer": performer,
                 "uco-action:instrument": instrument,
                 "uco-action:location": location,
                 "uco-action:result": results,
                 "uco-action:object": objects,
+                "uco-action:participant": participant,
+                "uco-action:subaction": subaction,
             }
         )
 

case_mapping/uco/observable.py

@@ -4,8 +4,10 @@
 from cdo_local_uuid import local_uuid
 
 from ..base import FacetEntity, ObjectEntity, UcoInherentCharacterizationThing
+from .action import Action
 from .core import Relationship
 from .identity import Identity
+from .location import Location
 from .types import Dictionary
 
 
@@ -426,6 +428,15 @@ def __init__(self, *args: Any, has_changed=None, state=None, **kwargs: Any) -> N
         self._bool_vars(**{"uco-observable:hasChanged": has_changed})
 
 
+class ObservableAction(Action):
+    def __init__(self, *args: Any, **kwargs: Any) -> None:
+        """
+        An observable action is a grouping of characteristics unique to something that may be done or performed within the digital domain.
+        """
+        super().__init__(*args, **kwargs)
+        self["@type"] = "uco-observable:ObservableAction"
+
+
 class FacetApplication(FacetEntity):
     def __init__(
         self,
@@ -1342,42 +1353,61 @@ def __init__(self, path: str) -> None:
         self._str_vars(**{"uco-observable:path": path})
 
 
-class FacetEvent(FacetEntity):
+class EventRecordFacet(FacetEntity):
     def __init__(
         self,
-        event_type=None,
-        event_text=None,
-        event_id=None,
-        cyber_action=None,
-        computer_name=None,
-        created_time=None,
-        start_time=None,
-        end_time=None,
+        account: Union[None, ObjectEntity] = None,
+        application: Union[None, ObjectEntity] = None,
+        cyber_action: Union[None, ObjectEntity] = None,
+        end_time: Optional[datetime] = None,
+        event_record_device: Union[None, ObjectEntity] = None,
+        event_record_id: Optional[str] = None,
+        event_record_raw: Optional[str] = None,
+        event_record_service_name: Optional[str] = None,
+        event_record_text: Optional[str] = None,
+        event_type: Optional[str] = None,
+        observable_created_time: Optional[datetime] = None,
+        start_time: Optional[datetime] = None,
     ):
         """
          An event facet is a grouping of characteristics unique to something that happens in a digital context
          (e.g., operating system events).
-        :param event_type: The type of the event, for example 'information', 'warning' or 'error'.
-        :param event_text: The textual representation of the event.
-        :param event_id: The identifier of the event.
+        :param account: Specifies the account referenced in an event log entry or
+                        used to run the scheduled task.
+        :param application: The application associated with this object.
         :param cyber_action: The action taken in response to the event.
-        :param created_time: The date and time at which the observable object being characterized was created.
-        :param start_time: The date and time at which the observable object being characterized started.
         :param end_time: The date and time at which the observable object being characterized ended.
+        :param event_record_device: The device where the event has been registered.
+        :param event_record_id: The identifier of the event.
+        :param event_record_raw: The complete raw content of the event record.
+        :param event_record_service_name: The service that generated the event record.
+        :param event_record_text: The textual representation of the event.
+        :param event_type: The type of the event, for example 'information', 'warning' or 'error'.
+        :param observable_created_time: The date and time at which the observable object being characterized was created.
+        :param start_time: The date and time at which the observable object being characterized started.
         """
         super().__init__()
         self["@type"] = "uco-observable:EventRecordFacet"
         self._str_vars(
             **{
+                "uco-observable:eventRecordID": event_record_id,
+                "uco-observable:eventRecordRaw": event_record_raw,
+                "uco-observable:eventRecordServiceName": event_record_service_name,
+                "uco-observable:eventRecordText": event_record_text,
                 "uco-observable:eventType": event_type,
-                "uco-observable:eventText": event_text,
-                "uco-observable:eventID": event_id,
-                "uco-observable:computerName": computer_name,
             }
         )
-        self._node_reference_vars(**{"uco-observable:cyberAction": cyber_action})
+        self._node_reference_vars(
+            **{
+                "uco-observable:account": account,
+                "uco-observable:application": application,
+                "uco-observable:cyberAction": cyber_action,
+                "uco-observable:eventRecordDevice": event_record_device,
+            }
+        )
         self._datetime_vars(
             **{
+                "uco-observable:observableCreatedTime": observable_created_time,
                 "uco-observable:startTime": start_time,
                 "uco-observable:endTime": end_time,
             }
@@ -1719,7 +1749,7 @@ def __init__(self, disk_type=None, size=None, partition=None):
     "uco-observable:SIMCardFacet": FacetSimCard,
     "uco-observable:OperatingSystemFacet": FacetOperatingSystem,
     "uco-observable:PathRelationFacet": FacetPathRelation,
-    "uco-observable:EventFacet": FacetEvent,
+    "uco-observable:EventRecordFacet": EventRecordFacet,
     "uco-observable:ObservableRelationship": ObservableRelationship,
     "uco-observable:ApplicationAccountFacet": FacetApplicationAccount,
     "uco-observable:DigitalAccountFacet": FacetDigitalAccount,