From 4fa2cbacb342ab5766bc8d86a036cfd90d4bc9b0 Mon Sep 17 00:00:00 2001
From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Date: Wed, 14 Aug 2024 10:37:09 -0400
Subject: [PATCH] Observable removal, changelog
---
 CHANGELOG.md | 1 +
 objects/grandparent_process.json | 9 ++++-----
 objects/parent_process.json | 9 ++++-----
 3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b7e427fa4..77e71d5ac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,6 +47,7 @@ Thankyou! -->
 * #### Objects
 1. Added `phone_number` to `user` and `ldap_person` objects. #1155
 2. Added `has_mfa` to `user` object. #1155
+ 3. Added `parent_process` and `grandparent_process` as standalone objects, distinct from `process`.
 ### Misc
 1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
diff --git a/objects/grandparent_process.json b/objects/grandparent_process.json
index ff51890bc..8d8d1ed07 100644
--- a/objects/grandparent_process.json
+++ b/objects/grandparent_process.json
@@ -3,7 +3,6 @@
 "description": "The Grandparent Process object signifies the originating process that indirectly initiates a chain of descendant processes. By tracing back through Parent Processes, the Grandparent Process object helps to map out the broader process tree, establishing a clearer picture of process lineage and inheritance. Defined by D3FEND d3f:Process.",
 "extends": "_entity",
 "name": "grandparent_process",
- "observable": 25,
 "profiles": [
 "container"
 ],
@@ -15,11 +14,11 @@
 "requirement": "recommended"
 },
 "created_time": {
- "description": "The time when the process was created/started.",
+ "description": "The time when the grandparent process was created/started.",
 "requirement": "recommended"
 },
 "file": {
- "description": "The process file object.",
+ "description": "the grandparent process file object.",
 "requirement": "recommended"
 },
 "integrity": {
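Review bot: The new `file` description in the `@@ -15,11 +14,11 @@` hunk of objects/grandparent_process.json starts with a lowercase "the", while every other description changed in this commit starts with a capital; it should read `"description": "The grandparent process file object.",`. The same slip is in the matching `@@ -15,11 +14,11 @@` hunk of objects/parent_process.json, where `"the parent process file object."` should become `"The parent process file object."`. The `attributes` object that holds these entries starts and ends outside the hunk.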
@@ -35,7 +34,7 @@
 "requirement": "optional"
 },
 "name": {
- "description": "The friendly name of the process, for example: Notepad++.",
+ "description": "The friendly name of the grandparent process, for example: Notepad++.",
 "type": "process_name_t"
 },
 "pid": {
@@ -49,7 +48,7 @@
 "requirement": "optional"
 },
 "terminated_time": {
- "description": "The time when the process was terminated.",
+ "description": "The time when the grandparent process was terminated.",
 "requirement": "optional"
 },
 "tid": {
diff --git a/objects/parent_process.json b/objects/parent_process.json
index f03f37b96..006923550 100644
--- a/objects/parent_process.json
+++ b/objects/parent_process.json
@@ -3,7 +3,6 @@
 "description": "The Parent Process object represents the process that initiates or spawns a new child process. This object tracks the lineage and origin of child processes, providing visibility into the hierarchical structure of process execution. Defined by D3FEND d3f:Process.",
 "extends": "_entity",
 "name": "parent_process",
- "observable": 25,
 "profiles": [
 "container"
 ],
@@ -15,11 +14,11 @@
 "requirement": "recommended"
 },
 "created_time": {
- "description": "The time when the process was created/started.",
+ "description": "The time when the parent process was created/started.",
 "requirement": "recommended"
 },
 "file": {
- "description": "The process file object.",
+ "description": "the parent process file object.",
 "requirement": "recommended"
 },
 "integrity": {
@@ -35,7 +34,7 @@
 "requirement": "optional"
 },
 "name": {
- "description": "The friendly name of the process, for example: Notepad++.",
+ "description": "The friendly name of the parent process, for example: Notepad++.",
 "type": "process_name_t"
 },
 "pid": {
@@ -49,7 +48,7 @@
 "requirement": "optional"
 },
 "terminated_time": {
- "description": "The time when the process was terminated.",
+ "description": "The time when the parent process was terminated.",
 "requirement": "optional"
 },
 "tid": {