From 4b841702d0333fc195cd15c72167156831520b21 Mon Sep 17 00:00:00 2001 From: Rajas <89877409+floydtree@users.noreply.github.com> Date: Wed, 28 Aug 2024 13:16:37 -0400 Subject: [PATCH] General cleanup of metaschema (#1167) #### Related Issue: n/a #### Description of changes: 1. Sorting all event class definition files, renaming files wherever necessary (making things consistent with class_name == file_name convention) 2. Removing includes folder to simplify reference chains in schema definition files 3. Updating vscode metadata, metaschema files 4. Updating contribution guide to remove references to includes dir --------- 
Signed-off-by: Rajas Panat --- .vscode/settings.json | 6 - CHANGELOG.md | 12 +- CONTRIBUTING.md | 4 +- .../{api.json => api_activity.json} | 14 +- events/application/application.json | 4 +- events/application/application_lifecycle.json | 12 +- events/application/datastore_activity.json | 256 +++++++++--------- events/application/file_hosting.json | 4 +- events/application/scan_activity.json | 63 +++-- .../web_resource_access_activity.json | 24 +- .../application/web_resources_activity.json | 29 +- events/base_event.json | 93 ++++++- ...roup_query.json => admin_group_query.json} | 4 +- events/discovery/config_state.json | 22 +- .../discovery/device_config_state_change.json | 2 +- events/discovery/discovery.json | 2 +- events/discovery/discovery_result.json | 12 +- events/discovery/file_query.json | 2 +- events/discovery/folder_query.json | 2 +- events/discovery/inventory_info.json | 16 +- events/discovery/job_query.json | 2 +- events/discovery/kernel_object_query.json | 2 +- events/discovery/module_query.json | 2 +- .../discovery/network_connection_query.json | 16 +- events/discovery/networks_query.json | 2 +- events/discovery/osint_inventory_info.json | 6 +- events/discovery/patch_state.json | 28 +- events/discovery/peripheral_device_query.json | 2 +- events/discovery/process_query.json | 2 +- events/discovery/service_query.json | 6 +- events/discovery/session_query.json | 6 +- ...inventory_info.json => software_info.json} | 30 +- events/discovery/user_inventory.json | 6 +- events/discovery/user_query.json | 2 +- events/findings/compliance_finding.json | 14 +- events/findings/data_security_finding.json | 220 +++++++-------- events/findings/detection_finding.json | 16 +- events/findings/finding.json | 14 +- events/findings/incident_finding.json | 20 +- events/findings/security_finding.json | 34 +-- events/findings/vulnerability_finding.json | 18 +- events/iam/account_change.json | 4 +- events/iam/authentication.json | 36 +-- events/iam/authorize_session.json | 28 +- 
events/iam/entity_management.json | 24 +- events/iam/group_management.json | 28 +- events/iam/iam.json | 10 +- events/iam/user_access.json | 12 +- .../network/{dhcp.json => dhcp_activity.json} | 28 +- .../network/{dns.json => dns_activity.json} | 2 +- .../{email.json => email_activity.json} | 56 ++-- ...ail_file.json => email_file_activity.json} | 20 +- ...email_url.json => email_url_activity.json} | 20 +- .../network/{ftp.json => ftp_activity.json} | 4 +- .../network/{http.json => http_activity.json} | 14 +- events/network/network.json | 16 +- events/network/network_activity.json | 39 ++- ...tivity.json => network_file_activity.json} | 12 +- .../network/{ntp.json => ntp_activity.json} | 2 +- .../network/{rdp.json => rdp_activity.json} | 4 +- .../network/{smb.json => smb_activity.json} | 4 +- .../network/{ssh.json => ssh_activity.json} | 51 +++- events/network/tunnel_activity.json | 56 ++-- .../file_remediation_activity.json | 14 +- .../network_remediation_activity.json | 14 +- .../process_remediation_activity.json | 14 +- events/remediation/remediation_activity.json | 134 ++++----- events/system/event_log.json | 12 +- .../{filesystem.json => file_activity.json} | 4 +- .../{kernel.json => kernel_activity.json} | 4 +- events/system/kernel_extension.json | 8 +- .../{memory.json => memory_activity.json} | 34 +-- .../{module.json => module_activity.json} | 4 +- .../{process.json => process_activity.json} | 6 +- ...d_job.json => scheduled_job_activity.json} | 4 +- .../{script.json => script_activity.json} | 4 +- events/system/system.json | 18 +- includes/classification.json | 51 ---- includes/occurrence.json | 30 -- 79 files changed, 952 insertions(+), 904 deletions(-) rename events/application/{api.json => api_activity.json} (96%) rename events/discovery/{group_query.json => admin_group_query.json} (99%) rename events/discovery/{software_inventory_info.json => software_info.json} (80%) rename events/network/{dhcp.json => dhcp_activity.json} (92%) rename 
events/network/{dns.json => dns_activity.json} (99%) rename events/network/{email.json => email_activity.json} (86%) rename events/network/{email_file.json => email_file_activity.json} (92%) rename events/network/{email_url.json => email_url_activity.json} (92%) rename events/network/{ftp.json => ftp_activity.json} (99%) rename events/network/{http.json => http_activity.json} (99%) rename events/network/{file_activity.json => network_file_activity.json} (99%) rename events/network/{ntp.json => ntp_activity.json} (100%) rename events/network/{rdp.json => rdp_activity.json} (99%) rename events/network/{smb.json => smb_activity.json} (99%) rename events/network/{ssh.json => ssh_activity.json} (64%) rename events/system/{filesystem.json => file_activity.json} (99%) rename events/system/{kernel.json => kernel_activity.json} (99%) rename events/system/{memory.json => memory_activity.json} (85%) rename events/system/{module.json => module_activity.json} (99%) rename events/system/{process.json => process_activity.json} (99%) rename events/system/{scheduled_job.json => scheduled_job_activity.json} (99%) rename events/system/{script.json => script_activity.json} (99%) delete mode 100644 includes/classification.json delete mode 100644 includes/occurrence.json diff --git a/.vscode/settings.json b/.vscode/settings.json index a039563c0..d87d274d1 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -24,12 +24,6 @@ ], "url": "./metaschema/event.schema.json" }, - { - "fileMatch": [ - "/includes/**/*.json" - ], - "url": "./metaschema/include.schema.json" - }, { "fileMatch": [ "/objects/**/*.json" diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a6ef991d..175988a70 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ Thankyou! --> * #### Profiles * #### Objects * #### Platform Extensions +* #### Dictionary Attributes ### Improved * #### Categories 
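Review bot: Dropping the `/includes/**/*.json` mapping leaves its target `./metaschema/include.schema.json` unreferenced from the editor config, yet the diffstat deletes only `includes/classification.json` and `includes/occurrence.json` and lists nothing under `metaschema/`, even though the description says metaschema files were updated. If that schema file still exists in the repository it is now orphaned; either delete it in this change or keep the mapping until it goes. The metaschema directory is not visible in this patch, so this needs confirming against the tree.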
@@ -26,6 +27,7 @@ Thankyou! --> * #### Profiles * #### Objects * #### Platform Extensions +* #### Dictionary Attributes ### Bugfixes @@ -43,6 +45,8 @@ Thankyou! --> * #### Event Classes 1. Added `OSINT Inventory Info` event class to the Discovery category. #1154 2. Added `Script Activity` event class to the System category. #1159 +* #### Dictionary Attributes + 1. Added `has_mfa` as a `boolean_t`. #1155 ### Improved * #### Objects @@ -50,13 +54,15 @@ Thankyou! --> 2. Added `has_mfa` to `user` object. #1155 3. Added `vendor_name` to `cvss` object. #1165 +### Deprecated +1. Deprecated `project_uid` in favor of `account.uid`. #1166 + ### Misc 1. Added `user.uid` as an Observable type - `type_id: 31`. #1155 2. Added `group.name` and `group.uid` as Observable types - `type_id: 32` and `type_id: 33`, respectively. #1155 3. Added `account.name` and `account.uid` as Observable types - `type_id: 34` and `type_id: 35`, respectively. #1155 -4. Added `has_mfa` boolean_t to Dictionary. #1155 -5. Deprecate `project_uid`. #1166 -6. Added several new enums to `account.type_id`. #1166 +5. Added new enumeration items to `account.type_id`. #1166 +6. Cleaned up event class definition files, removed /includes dir, simplified definition of `base_event`. #1167 ## [v1.3.0] - August 1st, 2024 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 23f2515ef..5aa5e2ae3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -179,7 +179,6 @@ Choose a **unique** object you want to add, `vulnerability` in the example above ``` "attributes": { "$include": [ - "includes/occurrence.json", "profiles/cloud.json" ], ... 
@@ -325,8 +324,7 @@ The extension's directory structure is the same as the top level schema director |-------------------|---------------------------------------------------------------------------| | `categories.json` | Create it to define new categories. Note, to avoid collisions with the categories defined in the core schema, the category IDs must be greater than or equal to 30. | | `dictionary.json` | Create it to define new attributes. | -| `events` | Create it to define new event classes. | -| `includes` | Create it to define new shared data. | +| `events` | Create it to define new event classes. | | | `objects` | Create it to define new objects. | | `profiles` | Create it to define new profiles. | diff --git a/events/application/api.json b/events/application/api_activity.json similarity index 96% rename from events/application/api.json rename to events/application/api_activity.json index 7b24e520a..a053ae994 100644 --- a/events/application/api.json +++ b/events/application/api_activity.json @@ -1,8 +1,8 @@ { "uid": 3, + "caption": "API Activity", "description": "API events describe general CRUD (Create, Read, Update, Delete) API activities, e.g. (AWS Cloudtrail)", "extends": "application", - "caption": "API Activity", "name": "api_activity", "attributes": { "activity_id": { @@ -25,6 +25,10 @@ } } }, + "actor": { + "group": "primary", + "requirement": "required" + }, "api": { "group": "primary", "requirement": "required", @@ -35,14 +39,10 @@ "requirement": "recommended" }, "http_request": { - "description":"Details about the underlying http request.", + "description": "Details about the underlying http request.", "group": "primary", "requirement": "recommended" }, - "actor": { - "group": "primary", - "requirement": "required" - }, "resources": { "description": "Details about resources that were affected by the activity/event.", "group": "primary", @@ -54,4 +54,4 @@ "requirement": "required" } } -} +} \ No newline at end of file 
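Review bot: The last hunk of `api_activity.json` turns a file that ended with a newline into one that does not (`-}` / `+}` followed by `\ No newline at end of file`), and the same marker appears on the rewritten `application.json`, `application_lifecycle.json`, `datastore_activity.json`, `file_hosting.json`, `base_event.json` and most other JSON files in this patch. Files under version control should end with a single trailing newline so that a later edit to the closing `}` does not show up as a two-line diff and so that tools that concatenate or stream the files behave. Presumably whichever script sorted the keys serialized the object without a final `\n`; emitting the newline there, or running the files through a formatter such as `jq .` or Prettier, fixes all of them at once.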
diff --git a/events/application/application.json b/events/application/application.json
index 7efb6e7f0..6de291d20 100644
--- a/events/application/application.json
+++ b/events/application/application.json
@@ -1,7 +1,7 @@
 {
 "caption": "Application Activity",
- "name": "application",
 "category": "application",
 "extends": "base_event",
+ "name": "application",
 "attributes": {}
-}
+}
\ No newline at end of file
diff --git a/events/application/application_lifecycle.json b/events/application/application_lifecycle.json
index ab3b01095..c312b3db6 100644
--- a/events/application/application_lifecycle.json
+++ b/events/application/application_lifecycle.json
@@ -1,12 +1,9 @@
 {
 "uid": 2,
+ "caption": "Application Lifecycle",
 "description": "Application Lifecycle events report installation, removal, start, stop of an application or service.",
 "extends": "application",
- "caption": "Application Lifecycle",
 "name": "application_lifecycle",
- "profiles": [
- "host"
- ],
 "attributes": {
 "$include": [
 "profiles/host.json"
@@ -53,5 +50,8 @@
 "group": "primary",
 "requirement": "required"
 }
- }
-}
+ },
+ "profiles": [
+ "host"
+ ]
+}
\ No newline at end of file
diff --git a/events/application/datastore_activity.json b/events/application/datastore_activity.json
index 8c29b2da8..cc6bf20b5 100644
--- a/events/application/datastore_activity.json
+++ b/events/application/datastore_activity.json
@@ -1,130 +1,130 @@ { - "uid": 5, - "description": "Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).", - "extends": "application", - "caption": "Datastore Activity", - "name": "datastore_activity", + "uid": 5, + "caption": "Datastore Activity", + "description": "Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).", + "extends": "application", + "name": "datastore_activity", + "attributes": { + "$include": [ + "profiles/security_control.json" + ], + "activity_id": { + "enum": { + "1": { + "caption": "Read", + "description": "The 'Read' activity involves accessing specific data record details." + }, + "2": { + "caption": "Update", + "description": "The 'Update' activity pertains to modifying specific data record details." + }, + "3": { + "caption": "Connect", + "description": "The 'Connect' activity involves establishing a connection to the datastore." + }, + "4": { + "caption": "Query", + "description": "The 'Query' activity involves retrieving a filtered subset of data based on specific criteria." + }, + "5": { + "caption": "Write", + "description": "The 'Write' activity involves writing specific data record details." + }, + "6": { + "caption": "Create", + "description": "The 'Create' activity involves generating new data record details." + }, + "7": { + "caption": "Delete", + "description": "The 'Delete' activity involves removing specific data record details." + }, + "8": { + "caption": "List", + "description": "The 'List' activity provides an overview of existing data records." + }, + "9": { + "caption": "Encrypt", + "description": "The 'Encrypt' activity involves securing data by encrypting a specific data record." 
+ }, + "10": { + "caption": "Decrypt", + "description": "The 'Decrypt' activity involves converting encrypted data back to its original format." + } + } + }, + "actor": { + "group": "primary", + "requirement": "required" + }, + "database": { + "group": "primary", + "requirement": "recommended" + }, + "databucket": { + "group": "primary", + "requirement": "recommended" + }, + "dst_endpoint": { + "description": "Details about the endpoint hosting the datastore application or service.", + "group": "primary", + "requirement": "recommended" + }, + "http_request": { + "description": "Details about the underlying http request.", + "group": "primary", + "requirement": "recommended" + }, + "query_info": { + "group": "primary", + "requirement": "recommended" + }, + "src_endpoint": { + "description": "Details about the source of the activity.", + "group": "primary", + "requirement": "required" + }, + "table": { + "group": "primary", + "requirement": "recommended" + }, + "type": { + "caption": "Datastore Type", + "description": "The datastore resource type (e.g. database, datastore, or table).", + "requirement": "optional" + }, + "type_id": { + "caption": "Datastore Type ID", + "description": "The normalized datastore resource type identifier.", + "requirement": "recommended", + "enum": { + "0": { + "caption": "Unknown", + "description": "The datastore resource type is unknown." + }, + "1": { + "caption": "Database" + }, + "2": { + "caption": "Databucket" + }, + "3": { + "caption": "Table" + }, + "99": { + "caption": "Other", + "description": "The datastore resource type is not mapped." + } + } + } + }, + "constraints": { + "at_least_one": [ + "database", + "databucket", + "table" + ] + }, "profiles": [ - "security_control" - ], - "attributes": { - "$include": [ - "profiles/security_control.json" - ], - "activity_id": { - "enum": { - "1": { - "caption": "Read", - "description": "The 'Read' activity involves accessing specific data record details." 
- }, - "2": { - "caption": "Update", - "description": "The 'Update' activity pertains to modifying specific data record details." - }, - "3": { - "caption": "Connect", - "description": "The 'Connect' activity involves establishing a connection to the datastore." - }, - "4": { - "caption": "Query", - "description": "The 'Query' activity involves retrieving a filtered subset of data based on specific criteria." - }, - "5": { - "caption": "Write", - "description": "The 'Write' activity involves writing specific data record details." - }, - "6": { - "caption": "Create", - "description": "The 'Create' activity involves generating new data record details." - }, - "7": { - "caption": "Delete", - "description": "The 'Delete' activity involves removing specific data record details." - }, - "8": { - "caption": "List", - "description": "The 'List' activity provides an overview of existing data records." - }, - "9": { - "caption": "Encrypt", - "description": "The 'Encrypt' activity involves securing data by encrypting a specific data record." - }, - "10": { - "caption": "Decrypt", - "description": "The 'Decrypt' activity involves converting encrypted data back to its original format." - } - } - }, - "database": { - "group": "primary", - "requirement": "recommended" - }, - "databucket": { - "group": "primary", - "requirement": "recommended" - }, - "table": { - "group": "primary", - "requirement": "recommended" - }, - "type": { - "caption": "Datastore Type", - "description": "The datastore resource type (e.g. database, datastore, or table).", - "requirement": "optional" - }, - "type_id": { - "caption": "Datastore Type ID", - "description": "The normalized datastore resource type identifier.", - "enum": { - "99": { - "caption": "Other", - "description": "The datastore resource type is not mapped." - }, - "0": { - "caption": "Unknown", - "description": "The datastore resource type is unknown." 
- }, - "1": { - "caption": "Database" - }, - "2": { - "caption": "Databucket" - }, - "3": { - "caption": "Table" - } - }, - "requirement": "recommended" - }, - "query_info": { - "group": "primary", - "requirement": "recommended" - }, - "dst_endpoint": { - "description": "Details about the endpoint hosting the datastore application or service.", - "group": "primary", - "requirement": "recommended" - }, - "http_request": { - "description": "Details about the underlying http request.", - "group": "primary", - "requirement": "recommended" - }, - "actor": { - "group": "primary", - "requirement": "required" - }, - "src_endpoint": { - "description": "Details about the source of the activity.", - "group": "primary", - "requirement": "required" - } - }, - "constraints": { - "at_least_one": [ - "database", - "databucket", - "table" - ] - } -} + "security_control" + ] +} \ No newline at end of file diff --git a/events/application/file_hosting.json b/events/application/file_hosting.json index 32c9c2e6d..722ba5ba9 100644 --- a/events/application/file_hosting.json +++ b/events/application/file_hosting.json @@ -1,9 +1,9 @@ { + "uid": 6, "caption": "File Hosting Activity", "description": "File Hosting Activity events report the actions taken by file management applications, including file sharing servers like Sharepoint and services such as Box, MS OneDrive, or Google Drive.", "extends": "application", "name": "file_hosting", - "uid": 6, "attributes": { "activity_id": { "enum": { @@ -107,4 +107,4 @@ "requirement": "required" } } -} +} \ No newline at end of file diff --git a/events/application/scan_activity.json b/events/application/scan_activity.json index 518a0757a..88bd5dbe6 100644 --- a/events/application/scan_activity.json +++ b/events/application/scan_activity.json 
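Review bot: Every one of the 130 lines of `datastore_activity.json` is removed and re-added in this hunk, which means something on each line changed besides key order — presumably indentation or line endings, which this view cannot show — and that whitespace churn hides the real edits. Reading the two sides against each other, the content differences I can find are the key sort (`caption` before `description`; `actor`, `dst_endpoint`, `http_request`, `query_info` and `src_endpoint` alphabetised; `requirement` placed before `enum` under `type_id`; enum item `99` moved after `3`), the `profiles` array moved to the end, and the dropped trailing newline, with every `group` and `requirement` value apparently unchanged. Splitting the re-indent into its own commit, or at least noting in the description that `git diff -w` is needed to review this file, would let a reviewer confirm that nothing else moved.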
@@ -1,66 +1,62 @@ { + "uid": 7, "caption": "Scan Activity", "description": "Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.", - "extends": "base_event", - "category": "application", + "extends": "application", "name": "scan_activity", - "profiles": [ - "host" - ], - "uid": 7, "attributes": { "$include": [ "profiles/host.json" ], - "command_uid": { - "description": "The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.", - "group": "primary", - "requirement": "recommended" - }, "activity_id": { "enum": { "1": { - "description": "The scan was started.", - "caption": "Started" + "caption": "Started", + "description": "The scan was started." }, "2": { - "description": "The scan was completed.", - "caption": "Completed" + "caption": "Completed", + "description": "The scan was completed." }, "3": { - "description": "The scan was cancelled.", - "caption": "Cancelled" + "caption": "Cancelled", + "description": "The scan was cancelled." }, "4": { - "description": "The allocated scan time was insufficient to complete the requested scan.", - "caption": "Duration Violation" + "caption": "Duration Violation", + "description": "The allocated scan time was insufficient to complete the requested scan." }, "5": { - "description": "The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and not resumed within the allotted time.", - "caption": "Pause Violation" + "caption": "Pause Violation", + "description": "The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and not resumed within the allotted time." 
}, "6": { - "description": "The scan could not be completed due to an internal error.", - "caption": "Error" + "caption": "Error", + "description": "The scan could not be completed due to an internal error." }, "7": { - "description": "The scan was paused.", - "caption": "Paused" + "caption": "Paused", + "description": "The scan was paused." }, "8": { - "description": "The scan was resumed from the pause point.", - "caption": "Resumed" + "caption": "Resumed", + "description": "The scan was resumed from the pause point." }, "9": { - "description": "The scan restarted from the beginning of the file enumeration.", - "caption": "Restarted" + "caption": "Restarted", + "description": "The scan restarted from the beginning of the file enumeration." }, "10": { - "description": "The user delayed the scan.", - "caption": "Delayed" + "caption": "Delayed", + "description": "The user delayed the scan." } } }, + "command_uid": { + "description": "The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.", + "group": "primary", + "requirement": "recommended" + }, "duration": { "description": "The duration of the scan", "requirement": "recommended" @@ -128,5 +124,8 @@ "group": "primary", "requirement": "recommended" } - } + }, + "profiles": [ + "host" + ] } \ No newline at end of file diff --git a/events/application/web_resource_access_activity.json b/events/application/web_resource_access_activity.json index ccb95292c..ea37c76c0 100644 --- a/events/application/web_resource_access_activity.json +++ b/events/application/web_resource_access_activity.json 
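Review bot: Replacing `"extends": "base_event"` plus `"category": "application"` with `"extends": "application"` changes the class hierarchy of `scan_activity`, not just its key order: the class now inherits from `application` and takes its category from that parent, and `web_resources_activity.json` receives the same change later in this patch. With `application.json` as shown here (`"category": "application"`, empty `"attributes": {}`) the resolved class should come out identical today, but any attribute added to `application` in future will flow into both classes, and whether the compiled output is unchanged when the category is derived from the parent rather than an explicit key should be verified by diffing the generated schema. This deserves a sentence in the PR description, since the CHANGELOG entry only says the definition files were cleaned up.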
@@ -1,17 +1,13 @@ { + "uid": 4, "caption": "Web Resource Access Activity", "description": "Web Resource Access Activity events describe successful/failed attempts to access a web resource over HTTP.", "extends": "application", "name": "web_resource_access_activity", - "uid": 4, "@deprecated": { "message": "Use the Web Resources Activity class with the Security Control and/or Network Proxy profile instead.", "since": "1.0.0" }, - "profiles": [ - "host", - "network_proxy" - ], "attributes": { "$include": [ "profiles/host.json", @@ -52,11 +48,6 @@ "group": "context", "requirement": "optional" }, - "web_resources": { - "description": "Details about the resource that is the target of the activity.", - "group": "primary", - "requirement": "required" - }, "src_endpoint": { "description": "Details about the source endpoint of the request.", "group": "primary", @@ -66,6 +57,15 @@ "description": "The Transport Layer Security (TLS) attributes, if available.", "group": "context", "requirement": "optional" + }, + "web_resources": { + "description": "Details about the resource that is the target of the activity.", + "group": "primary", + "requirement": "required" } - } -} + }, + "profiles": [ + "host", + "network_proxy" + ] +} \ No newline at end of file diff --git a/events/application/web_resources_activity.json b/events/application/web_resources_activity.json index c7dd496ac..92d34f200 100644 --- a/events/application/web_resources_activity.json +++ b/events/application/web_resources_activity.json 
@@ -1,15 +1,9 @@ { "uid": 1, - "description": "Web Resources Activity events describe actions executed on a set of Web Resources.", - "extends": "base_event", - "category": "application", "caption": "Web Resources Activity", + "description": "Web Resources Activity events describe actions executed on a set of Web Resources.", + "extends": "application", "name": "web_resources_activity", - "profiles": [ - "host", - "network_proxy", - "security_control" - ], "attributes": { "$include": [ "profiles/host.json", @@ -53,10 +47,10 @@ } }, "dst_endpoint": { - "description":"Details about server providing the web resources.", - "group": "primary", - "requirement": "recommended" - }, + "description": "Details about server providing the web resources.", + "group": "primary", + "requirement": "recommended" + }, "http_request": { "description": "Details about the underlying HTTP request.", "group": "context", @@ -77,7 +71,7 @@ "group": "context", "requirement": "optional" }, - "web_resources": { + "web_resources": { "group": "primary", "requirement": "required" }, @@ -85,5 +79,10 @@ "group": "primary", "requirement": "recommended" } - } -} + }, + "profiles": [ + "host", + "network_proxy", + "security_control" + ] +} \ No newline at end of file diff --git a/events/base_event.json b/events/base_event.json index e2c9d32a8..247ff8ffa 100644 --- a/events/base_event.json +++ b/events/base_event.json 
@@ -3,19 +3,68 @@ "category": "other", "description": "The base event is a generic and concrete event. It also defines a set of attributes available in most event classes. As a generic event that does not belong to any event category, it could be used to log events that are not otherwise defined by the schema.", "name": "base_event", - "profiles": [ - "cloud", - "datetime", - "osint" - ], "attributes": { "$include": [ - "includes/classification.json", - "includes/occurrence.json", "profiles/cloud.json", "profiles/datetime.json", "profiles/osint.json" ], + "activity_id": { + "group": "classification", + "requirement": "required", + "enum": { + "0": { + "caption": "Unknown" + }, + "99": { + "caption": "Other" + } + } + }, + "activity_name": { + "group": "classification", + "requirement": "optional" + }, + "category_name": { + "group": "classification", + "requirement": "optional" + }, + "category_uid": { + "group": "classification", + "requirement": "required", + "enum": { + "0": { + "caption": "Uncategorized" + } + } + }, + "class_name": { + "group": "classification", + "requirement": "optional" + }, + "class_uid": { + "group": "classification", + "requirement": "required", + "enum": { + "0": { + "caption": "Base Event" + } + } + }, + "count": { + "group": "occurrence", + "requirement": "optional" + }, + "duration": { + "description": "The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.", + "group": "occurrence", + "requirement": "optional" + }, + "end_time": { + "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.", + "group": "occurrence", + "requirement": "optional" + }, "enrichments": { "group": "context", "requirement": "optional" 
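Review bot: The attribute blocks added here replace the `includes/classification.json` and `includes/occurrence.json` entries, but the deletions of those two files are not part of this hunk (presumably they sit later in the patch), so whether the inlined definitions reproduce them exactly cannot be confirmed from this hunk alone; the diffstat's 51 + 30 deleted lines against the roughly 75 attribute lines added here and in the next hunk suggest nothing was lost, but an enum item or a `requirement` level could have changed silently. A sentence in the description stating that the content was moved verbatim, or listing any intentional differences, would make this reviewable. Note also that `count`, `time`, `timezone_offset`, `activity_name` and the `type_*` attributes are inlined without a `description` while `duration`, `start_time` and `end_time` carry one — presumably the dictionary supplies the rest, which is worth confirming. base_event's `attributes` object continues past the hunk.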
@@ -44,6 +93,11 @@
 "group": "classification",
 "requirement": "required"
 },
+ "start_time": {
+ "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
+ "group": "occurrence",
+ "requirement": "optional"
+ },
 "status": {
 "group": "primary",
 "requirement": "recommended"
@@ -60,9 +114,30 @@
 "group": "primary",
 "requirement": "recommended"
 },
+ "time": {
+ "group": "occurrence",
+ "requirement": "required"
+ },
+ "timezone_offset": {
+ "group": "occurrence",
+ "requirement": "recommended"
+ },
+ "type_name": {
+ "group": "classification",
+ "requirement": "optional"
+ },
+ "type_uid": {
+ "group": "classification",
+ "requirement": "required"
+ },
 "unmapped": {
 "group": "context",
 "requirement": "optional"
 }
- }
-}
+ },
+ "profiles": [
+ "cloud",
+ "datetime",
+ "osint"
+ ]
+}
\ No newline at end of file
diff --git a/events/discovery/group_query.json b/events/discovery/admin_group_query.json
similarity index 99%
rename from events/discovery/group_query.json
rename to events/discovery/admin_group_query.json
index ee4f750ae..58e93ef8f 100644
--- a/events/discovery/group_query.json
+++ b/events/discovery/admin_group_query.json
@@ -1,9 +1,9 @@
 {
+ "uid": 9,
 "caption": "Admin Group Query",
 "description": "Admin Group Query events report information about administrative groups.",
 "extends": "discovery_result",
 "name": "admin_group_query",
- "uid": 9,
 "attributes": {
 "group": {
 "description": "The administrative group.",
@@ -16,4 +16,4 @@
 "requirement": "recommended"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/discovery/config_state.json b/events/discovery/config_state.json
index 01c4c9203..5cd879c01 100644
--- a/events/discovery/config_state.json
+++ b/events/discovery/config_state.json
@@ -1,25 +1,25 @@
 {
+ "uid": 2,
 "caption": "Device Config State",
 "description": "Device Config State events report device configuration data and CIS Benchmark results.",
 "extends": "discovery",
 "name": "config_state",
- "uid": 2,
- "profiles": [
- "host"
- ],
 "attributes": {
 "actor": {
 "group": "context",
 "requirement": "optional"
 },
- "device": {
- "group": "primary",
- "requirement": "required",
- "description": "The device that is being discovered by an inventory process."
- },
 "cis_benchmark_result": {
 "group": "primary",
 "requirement": "recommended"
+ },
+ "device": {
+ "description": "The device that is being discovered by an inventory process.",
+ "group": "primary",
+ "requirement": "required"
 }
- }
-}
+ },
+ "profiles": [
+ "host"
+ ]
+}
\ No newline at end of file
diff --git a/events/discovery/device_config_state_change.json b/events/discovery/device_config_state_change.json
index 9862d7396..b6e6ab964 100644
--- a/events/discovery/device_config_state_change.json
+++ b/events/discovery/device_config_state_change.json
@@ -72,4 +72,4 @@
 "profiles": [
 "host"
 ]
-}
+}
\ No newline at end of file
diff --git a/events/discovery/discovery.json b/events/discovery/discovery.json
index 8d7626253..bd0db171a 100644
--- a/events/discovery/discovery.json
+++ b/events/discovery/discovery.json
@@ -18,4 +18,4 @@
 }
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/discovery/discovery_result.json b/events/discovery/discovery_result.json
index 6719b92d0..9e3869be0 100644
--- a/events/discovery/discovery_result.json
+++ b/events/discovery/discovery_result.json
@@ -1,12 +1,9 @@
 {
 "caption": "Discovery Result",
- "name": "discovery_result",
- "extends": "base_event",
 "category": "discovery",
 "description": "Discovery Result events report the results of a discovery request.",
- "profiles": [
- "host"
- ],
+ "extends": "base_event",
+ "name": "discovery_result",
 "attributes": {
 "$include": [
 "profiles/host.json"
@@ -32,5 +29,8 @@
 "group": "primary",
 "requirement": "required"
 }
- }
+ },
+ "profiles": [
+ "host"
+ ]
 }
\ No newline at end of file
diff --git a/events/discovery/file_query.json b/events/discovery/file_query.json
index 84bdbd84b..733a456f5 100644
--- a/events/discovery/file_query.json
+++ b/events/discovery/file_query.json
@@ -1,9 +1,9 @@
 {
+ "uid": 7,
 "caption": "File Query",
 "description": "File Query events report information about files that are present on the system.",
 "extends": "discovery_result",
 "name": "file_query",
- "uid": 7,
 "attributes": {
 "file": {
 "description": "The file that is the target of the query.",
diff --git a/events/discovery/folder_query.json b/events/discovery/folder_query.json
index 686465711..02229c2bb 100644
--- a/events/discovery/folder_query.json
+++ b/events/discovery/folder_query.json
@@ -1,9 +1,9 @@
 {
+ "uid": 8,
 "caption": "Folder Query",
 "description": "Folder Query events report information about folders that are present on the system.",
 "extends": "discovery_result",
 "name": "folder_query",
- "uid": 8,
 "attributes": {
 "folder": {
 "description": "The folder that is the target of the query.",
diff --git a/events/discovery/inventory_info.json b/events/discovery/inventory_info.json
index 919e1386c..e9726a69c 100644
--- a/events/discovery/inventory_info.json
+++ b/events/discovery/inventory_info.json
@@ -1,21 +1,21 @@ { + "uid": 1, "caption": "Device Inventory Info", "description": "Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.", "extends": "discovery", "name": "inventory_info", - "uid": 1, - "profiles": [ - "host" - ], "attributes": { "actor": { "group": "context", "requirement": "optional" }, "device": { + "description": "The device that is being discovered by an inventory process.", "group": "primary", - "requirement": "required", - "description": "The device that is being discovered by an inventory process." + "requirement": "required" } - } -} + }, + "profiles": [ + "host" + ] +} \ No newline at end of file diff --git a/events/discovery/job_query.json b/events/discovery/job_query.json index f036e3759..7c21be81c 100644 --- a/events/discovery/job_query.json +++ b/events/discovery/job_query.json @@ -1,9 +1,9 @@ { + "uid": 10, "caption": "Job Query", "description": "Job Query events report information about scheduled jobs.", "extends": "discovery_result", "name": "job_query", - "uid": 10, "attributes": { "job": { "group": "primary", diff --git a/events/discovery/kernel_object_query.json b/events/discovery/kernel_object_query.json index ea38f6ac9..73faae79a 100644 --- a/events/discovery/kernel_object_query.json +++ b/events/discovery/kernel_object_query.json @@ -1,9 +1,9 @@ { + "uid": 6, "caption": "Kernel Object Query", "description": "Kernel Object Query events report information about discovered kernel resources.", "extends": "discovery_result", "name": "kernel_object_query", - "uid": 6, "attributes": { "kernel": { "description": "The kernel object that pertains to the event.", diff --git a/events/discovery/module_query.json b/events/discovery/module_query.json index a8832bd80..1f9406be0 100644 --- a/events/discovery/module_query.json +++ b/events/discovery/module_query.json 
@@ -1,9 +1,9 @@ { + "uid": 11, "caption": "Module Query", "description": "Module Query events report information about loaded modules.", "extends": "discovery_result", "name": "module_query", - "uid": 11, "attributes": { "module": { "group": "primary", diff --git a/events/discovery/network_connection_query.json b/events/discovery/network_connection_query.json index e923c0fa2..18da1a607 100644 --- a/events/discovery/network_connection_query.json +++ b/events/discovery/network_connection_query.json @@ -1,28 +1,28 @@ { + "uid": 12, "caption": "Network Connection Query", "description": "Network Connection Query events report information about active network connections.", "extends": "discovery_result", "name": "network_connection_query", - "uid": 12, "attributes": { "connection_info": { - "requirement": "required", - "group": "primary" + "group": "primary", + "requirement": "required" }, "process": { "description": "The process that owns the socket.", - "requirement": "required", - "group": "primary" + "group": "primary", + "requirement": "required" }, "state": { "description": "The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source.", - "requirement": "recommended", - "group":"primary" + "group": "primary", + "requirement": "recommended" }, "state_id": { "description": "The state of the socket.", - "requirement": "required", "group": "primary", + "requirement": "required", "enum": { "0": { "caption": "Unknown", diff --git a/events/discovery/networks_query.json b/events/discovery/networks_query.json index 11e81b3ea..b486a2190 100644 --- a/events/discovery/networks_query.json +++ b/events/discovery/networks_query.json @@ -1,9 +1,9 @@ { + "uid": 13, "caption": "Networks Query", "description": "Networks Query events report information about network adapters.", "extends": "discovery_result", "name": "networks_query", - "uid": 13, "attributes": { "network_interfaces": { "group": "primary", 
diff --git a/events/discovery/osint_inventory_info.json b/events/discovery/osint_inventory_info.json index a00cf5c3e..9ee41fe4c 100644 --- a/events/discovery/osint_inventory_info.json +++ b/events/discovery/osint_inventory_info.json @@ -1,9 +1,9 @@ { + "uid": 21, "caption": "OSINT Inventory Info", "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.", "extends": "discovery", "name": "osint_inventory_info", - "uid": 21, "attributes": { "actor": { "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.", @@ -11,9 +11,9 @@ "requirement": "optional" }, "osint": { + "description": "The OSINT that is being discovered by an inventory process.", "group": "primary", - "requirement": "required", - "description": "The OSINT that is being discovered by an inventory process." + "requirement": "required" } } } \ No newline at end of file diff --git a/events/discovery/patch_state.json b/events/discovery/patch_state.json index 25afd9cb9..db0240c4a 100644 --- a/events/discovery/patch_state.json +++ b/events/discovery/patch_state.json 
@@ -1,31 +1,31 @@ { + "uid": 4, "caption": "Operating System Patch State", "description": "Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.", "extends": "discovery", "name": "patch_state", - "uid": 4, - "profiles": [ - "host" - ], "attributes": { "$include": [ "profiles/host.json" - ], + ], "device": { - "profile": null, "group": "primary", - "requirement": "required" + "requirement": "required", + "profile": null }, "kb_article_list": { "group": "primary", "requirement": "recommended" } }, - "constraints": { - "at_least_one": [ - "device.os.sp_name", - "device.os.sp_ver", - "device.os.version" + "constraints": { + "at_least_one": [ + "device.os.sp_name", + "device.os.sp_ver", + "device.os.version" ] - } -} + }, + "profiles": [ + "host" + ] +} \ No newline at end of file diff --git a/events/discovery/peripheral_device_query.json b/events/discovery/peripheral_device_query.json index 1ed901fa8..bd0207e0d 100644 --- a/events/discovery/peripheral_device_query.json +++ b/events/discovery/peripheral_device_query.json @@ -1,9 +1,9 @@ { + "uid": 14, "caption": "Peripheral Device Query", "description": "Peripheral Device Query events report information about peripheral devices.", "extends": "discovery_result", "name": "peripheral_device_query", - "uid": 14, "attributes": { "peripheral_device": { "group": "primary", diff --git a/events/discovery/process_query.json b/events/discovery/process_query.json index cfae5c88d..fbb9d9935 100644 --- a/events/discovery/process_query.json +++ b/events/discovery/process_query.json @@ -1,9 +1,9 @@ { + "uid": 15, "caption": "Process Query", "description": "Process Query events report information about running processes.", "extends": "discovery_result", "name": "process_query", - "uid": 15, "attributes": { "process": { "group": "primary", diff --git a/events/discovery/service_query.json b/events/discovery/service_query.json index 825d95906..1b13784c7 100644 
--- a/events/discovery/service_query.json +++ b/events/discovery/service_query.json @@ -1,13 +1,13 @@ { + "uid": 16, "caption": "Service Query", "description": "Service Query events report information about running services.", "extends": "discovery_result", "name": "service_query", - "uid": 16, "attributes": { "service": { - "requirement": "required", - "group": "primary" + "group": "primary", + "requirement": "required" } } } \ No newline at end of file diff --git a/events/discovery/session_query.json b/events/discovery/session_query.json index 0eb3d330d..4293993b4 100644 --- a/events/discovery/session_query.json +++ b/events/discovery/session_query.json @@ -1,13 +1,13 @@ { + "uid": 17, "caption": "User Session Query", "description": "User Session Query events report information about existing user sessions.", "extends": "discovery_result", "name": "session_query", - "uid": 17, "attributes": { "session": { - "requirement": "required", - "group": "primary" + "group": "primary", + "requirement": "required" } } } \ No newline at end of file diff --git a/events/discovery/software_inventory_info.json b/events/discovery/software_info.json similarity index 80% rename from events/discovery/software_inventory_info.json rename to events/discovery/software_info.json index 86e3f7aa2..c0d9b6e54 100644 --- a/events/discovery/software_inventory_info.json +++ b/events/discovery/software_info.json 
@@ -1,31 +1,31 @@ { + "uid": 20, "caption": "Software Inventory Info", "description": "Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.", "extends": "discovery", "name": "software_info", - "uid": 20, - "profiles": [ - "host" - ], "attributes": { "actor": { "group": "context", "requirement": "optional" }, "device": { + "description": "The device that is being discovered by an inventory process.", "group": "primary", - "requirement": "required", - "description": "The device that is being discovered by an inventory process." + "requirement": "required" }, - "package": { + "package": { + "description": "The device software that is being discovered by an inventory process.", "group": "primary", - "requirement": "required", - "description": "The device software that is being discovered by an inventory process." + "requirement": "required" }, - "product": { + "product": { + "description": "Additional product attributes that have been discovered or enriched from a catalog or other external source.", "group": "context", - "requirement": "optional", - "description": "Additional product attributes that have been discovered or enriched from a catalog or other external source." - } - } -} + "requirement": "optional" + } + }, + "profiles": [ + "host" + ] +} \ No newline at end of file diff --git a/events/discovery/user_inventory.json b/events/discovery/user_inventory.json index 695c2d4ee..fcc11d16a 100644 --- a/events/discovery/user_inventory.json +++ b/events/discovery/user_inventory.json 
@@ -1,9 +1,9 @@ { + "uid": 3, "caption": "User Inventory Info", "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.", "extends": "discovery", "name": "user_inventory", - "uid": 3, "attributes": { "actor": { "description": "The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.", @@ -11,9 +11,9 @@ "requirement": "optional" }, "user": { + "description": "The user that is being discovered by an inventory process.", "group": "primary", - "requirement": "required", - "description": "The user that is being discovered by an inventory process." + "requirement": "required" } } } \ No newline at end of file diff --git a/events/discovery/user_query.json b/events/discovery/user_query.json index 9f3f3cce8..4976adb1b 100644 --- a/events/discovery/user_query.json +++ b/events/discovery/user_query.json @@ -1,9 +1,9 @@ { + "uid": 18, "caption": "User Query", "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.", "extends": "discovery_result", "name": "user_query", - "uid": 18, "attributes": { "user": { "group": "primary", diff --git a/events/findings/compliance_finding.json b/events/findings/compliance_finding.json index d42564e22..95260cab2 100644 --- a/events/findings/compliance_finding.json +++ b/events/findings/compliance_finding.json 
@@ -14,18 +14,18 @@ "requirement": "recommended" }, "resource": { + "description": "Describes details about the resource that is the subject of the compliance check.", + "group": "primary", + "requirement": "recommended", "@deprecated": { "message": "Use the resources attribute instead.", "since": "1.3.0" - }, - "description": "Describes details about the resource that is the subject of the compliance check.", - "group": "primary", - "requirement": "recommended" + } }, "resources": { - "description": "Describes details about the resource/resouces that are the subject of the compliance check.", - "group": "primary", - "requirement": "recommended" + "description": "Describes details about the resource/resouces that are the subject of the compliance check.", + "group": "primary", + "requirement": "recommended" } } } \ No newline at end of file diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json index c52c5a3f0..cecebac57 100644 --- a/events/findings/data_security_finding.json +++ b/events/findings/data_security_finding.json 
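Review bot: The re-indented description of the `resources` attribute in compliance_finding.json still carries the misspelling `resource/resouces`; since the commit already rewrites that line, it is the natural place to correct it to `"description": "Describes details about the resource/resources that are the subject of the compliance check.",`. The matching `resources` attribute in vulnerability_finding.json later in this patch spells it correctly, so the two descriptions would then agree. Note that the description is a data string surfaced in generated schema docs, so the typo is user-visible rather than cosmetic.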
@@ -1,116 +1,116 @@ { "uid": 6, "caption": "Data Security Finding", - "description":"A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data.", + "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data.", "extends": "finding", "name": "data_security_finding", - "profiles": [ - "security_control" - ], "attributes": { - "$include": [ - "profiles/security_control.json" - ], - "activity_id": { - "description": "The normalized identifier of the Data Security Finding activity.", - "enum": { - "1": { - "caption": "Create", - "description": "A new Data Security finding is created." - }, - "2": { - "caption": "Update", - "description": "An existing Data Security finding is updated with more information." - }, - "3": { - "caption": "Close", - "description": "An existing Data Security finding is closed, this can be due to any resolution (e.g., True Positive, False Positive, etc.)." 
- }, - "4": { - "caption": "Suppressed", - "description": "An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative." - } - }, - "requirement": "required" - }, - "activity_name": { - "description": "The Data Security finding activity name, as defined by the activity_id.", - "requirement": "optional" - }, - "impact": { - "group": "context", - "requirement": "optional" - }, - "impact_id": { - "group": "context", - "requirement": "optional" - }, - "impact_score": { - "group": "context", - "requirement": "optional" - }, - "resources": { - "caption": "Affected Resources", - "description": "Describes details about resources where classified or sensitive data is stored in, or was accessed from.", - "group": "context", - "requirement": "recommended" - }, - "actor": { - "description": "Describes details about the actor implicated in the data security finding. Either an actor that owns a particular digital file or information store, or an actor which accessed classified or sensitive data.", - "group": "context", - "requirement": "recommended" - }, - "database": { - "description": "Describes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data.", - "group": "context", - "requirement": "recommended" - }, - "databucket": { - "description": "Describes the databucket where classified or sensitive data is stored in, or was accessed from. The data bucket object is a basic container that holds data, typically organized through the use of data partitions.", - "group": "context", - "requirement": "recommended" - }, - "table": { - "description": "Describes the table where classified or sensitive data is stored in, or was accessed from. 
The table object represents a table within a structured relational database, warehouse, lake, or similar.", - "group": "context", - "requirement": "recommended" - }, - "device": { - "description": "Describes the device where classified or sensitive data is stored in, or was accessed from.", - "group": "context", - "requirement": "recommended" - }, - "dst_endpoint": { - "description": "Describes the endpoint where classified or sensitive data is stored in, or was accessed from.", - "group": "context", - "requirement": "recommended" - }, - "file": { - "description": "Describes a file that contains classified or sensitive data.", - "group": "context", - "requirement": "recommended" - }, - "src_endpoint": { - "caption": "Affected Resources", - "description": "Details about the source endpoint where classified or sensitive data was accessed from.", - "group": "context", - "requirement": "recommended" - }, - "risk_level": { - "group": "context", - "requirement": "optional" - }, - "risk_level_id": { - "group": "context", - "requirement": "optional" - }, - "risk_score": { - "group": "context", - "requirement": "optional" - }, - "data_security": { - "group": "context", - "requirement": "recommended" - } - } - } \ No newline at end of file + "$include": [ + "profiles/security_control.json" + ], + "activity_id": { + "description": "The normalized identifier of the Data Security Finding activity.", + "requirement": "required", + "enum": { + "1": { + "caption": "Create", + "description": "A new Data Security finding is created." + }, + "2": { + "caption": "Update", + "description": "An existing Data Security finding is updated with more information." + }, + "3": { + "caption": "Close", + "description": "An existing Data Security finding is closed, this can be due to any resolution (e.g., True Positive, False Positive, etc.)." 
+ }, + "4": { + "caption": "Suppressed", + "description": "An existing Data Security finding is suppressed due to inaccurate detection techniques or a known true negative." + } + } + }, + "activity_name": { + "description": "The Data Security finding activity name, as defined by the activity_id.", + "requirement": "optional" + }, + "actor": { + "description": "Describes details about the actor implicated in the data security finding. Either an actor that owns a particular digital file or information store, or an actor which accessed classified or sensitive data.", + "group": "context", + "requirement": "recommended" + }, + "data_security": { + "group": "context", + "requirement": "recommended" + }, + "database": { + "description": "Describes the database where classified or sensitive data is stored in, or was accessed from. Databases are typically datastore services that contain an organized collection of structured and/or semi-structured data.", + "group": "context", + "requirement": "recommended" + }, + "databucket": { + "description": "Describes the databucket where classified or sensitive data is stored in, or was accessed from. 
The data bucket object is a basic container that holds data, typically organized through the use of data partitions.", + "group": "context", + "requirement": "recommended" + }, + "device": { + "description": "Describes the device where classified or sensitive data is stored in, or was accessed from.", + "group": "context", + "requirement": "recommended" + }, + "dst_endpoint": { + "description": "Describes the endpoint where classified or sensitive data is stored in, or was accessed from.", + "group": "context", + "requirement": "recommended" + }, + "file": { + "description": "Describes a file that contains classified or sensitive data.", + "group": "context", + "requirement": "recommended" + }, + "impact": { + "group": "context", + "requirement": "optional" + }, + "impact_id": { + "group": "context", + "requirement": "optional" + }, + "impact_score": { + "group": "context", + "requirement": "optional" + }, + "resources": { + "caption": "Affected Resources", + "description": "Describes details about resources where classified or sensitive data is stored in, or was accessed from.", + "group": "context", + "requirement": "recommended" + }, + "risk_level": { + "group": "context", + "requirement": "optional" + }, + "risk_level_id": { + "group": "context", + "requirement": "optional" + }, + "risk_score": { + "group": "context", + "requirement": "optional" + }, + "src_endpoint": { + "caption": "Affected Resources", + "description": "Details about the source endpoint where classified or sensitive data was accessed from.", + "group": "context", + "requirement": "recommended" + }, + "table": { + "description": "Describes the table where classified or sensitive data is stored in, or was accessed from. The table object represents a table within a structured relational database, warehouse, lake, or similar.", + "group": "context", + "requirement": "recommended" + } + }, + "profiles": [ + "security_control" + ] +} \ No newline at end of file 
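Review bot: On the new side of the data_security_finding.json hunk, `src_endpoint` keeps `"caption": "Affected Resources"`, the same caption the `resources` attribute carries, which looks like a copy-paste leftover rather than an intended label for the source endpoint. Since this hunk already rewrites every line of the attributes block, it is the place to either drop that `caption` line from `src_endpoint` or replace it with one that names the endpoint, for example `"caption": "Source Endpoint",`. If the duplicate caption is deliberate it deserves a mention in the commit message, because two attributes with the same caption are indistinguishable in generated documentation and in any UI that displays captions instead of attribute names.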
diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json index 549c26731..0158f929f 100644 --- a/events/findings/detection_finding.json +++ b/events/findings/detection_finding.json @@ -4,9 +4,6 @@ "description": "A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the product is a security control, the security_control profile should be applied and its attacks information should be duplicated into the finding_info object.", "extends": "finding", "name": "detection_finding", - "profiles": [ - "security_control" - ], "attributes": { "$include": [ "profiles/security_control.json" @@ -37,19 +34,19 @@ "group": "context", "requirement": "recommended" }, - "risk_level": { + "risk_details": { "group": "context", "requirement": "optional" }, - "risk_level_id": { + "risk_level": { "group": "context", "requirement": "optional" }, - "risk_score": { + "risk_level_id": { "group": "context", "requirement": "optional" }, - "risk_details": { + "risk_score": { "group": "context", "requirement": "optional" }, @@ -58,5 +55,8 @@ "group": "context", "requirement": "optional" } - } + }, + "profiles": [ + "security_control" + ] } \ No newline at end of file diff --git a/events/findings/finding.json b/events/findings/finding.json index d49eea822..7021bccb9 100644 --- a/events/findings/finding.json +++ b/events/findings/finding.json @@ -4,16 +4,10 @@ "description": "The Finding event is a generic event that defines a set of attributes available in the Findings category.", "extends": "base_event", "name": "finding", - "profiles": [ - "host" - ], "attributes": { "$include": [ "profiles/host.json" ], - "activity_name": { - "description": "The finding activity name, as defined by the activity_id." - }, "activity_id": { "description": "The normalized identifier of the finding activity.", "enum": { 
@@ -31,6 +25,9 @@ } } }, + "activity_name": { + "description": "The finding activity name, as defined by the activity_id." + }, "comment": { "description": "A user provided comment about the finding.", "group": "context", @@ -93,5 +90,8 @@ } } } - } + }, + "profiles": [ + "host" + ] } \ No newline at end of file diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json index 435beddea..45873ab2a 100644 --- a/events/findings/incident_finding.json +++ b/events/findings/incident_finding.json @@ -1,13 +1,14 @@ { "uid": 5, "caption": "Incident Finding", + "category": "findings", "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.", "extends": "base_event", - "category": "findings", "name": "incident_finding", "attributes": { "activity_id": { "description": "The normalized identifier of the Incident activity.", + "requirement": "required", "enum": { "1": { "caption": "Create", @@ -21,8 +22,7 @@ "caption": "Close", "description": "Reports closure of an Incident ." } - }, - "requirement": "required" + } }, "activity_name": { "description": "The Incident activity name, as defined by the activity_id.", @@ -83,6 +83,10 @@ "group": "primary", "requirement": "recommended" }, + "is_suspected_breach": { + "group": "context", + "requirement": "optional" + }, "priority": { "group": "context", "requirement": "optional" @@ -107,6 +111,8 @@ }, "status_id": { "description": "The normalized status identifier of the Incident.", + "group": "primary", + "requirement": "required", "enum": { "1": { "caption": "New", 
@@ -128,18 +134,12 @@ "caption": "Closed", "description": "The incident is resolved and no further action is necessary." } - }, - "group": "primary", - "requirement": "required" + } }, "ticket": { "group": "context", "requirement": "optional" }, - "is_suspected_breach": { - "group": "context", - "requirement": "optional" - }, "verdict": { "group": "primary", "requirement": "recommended" diff --git a/events/findings/security_finding.json b/events/findings/security_finding.json index 44e21f74b..f1b5a4a14 100644 --- a/events/findings/security_finding.json +++ b/events/findings/security_finding.json @@ -1,14 +1,14 @@ { - "@deprecated": { - "message": "Use the new specific classes according to the use-case: Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding.", - "since": "1.1.0" - }, + "uid": 1, "caption": "Security Finding", + "category": "findings", "description": "Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products", "extends": "base_event", - "category": "findings", "name": "security_finding", - "uid": 1, + "@deprecated": { + "message": "Use the new specific classes according to the use-case: Vulnerability Finding, Compliance Finding, Detection Finding, Incident Finding.", + "since": "1.1.0" + }, "attributes": { "activity_id": { "enum": { @@ -45,16 +45,16 @@ }, "confidence": { "group": "primary", - "requirement":"recommended" + "requirement": "recommended" }, "confidence_id": { "group": "primary", "requirement": "recommended", "sibling": "confidence" }, - "confidence_score": { + "confidence_score": { "group": "primary", - "requirement":"recommended" + "requirement": "recommended" }, "data_sources": { "group": "context", @@ -70,7 +70,7 @@ }, "impact": { "group": "primary", - "requirement":"recommended" + "requirement": "recommended" }, "impact_id": { "group": "primary", 
@@ -79,7 +79,7 @@ }, "impact_score": { "group": "primary", - "requirement":"recommended" + "requirement": "recommended" }, "kill_chain": { "group": "context", @@ -91,7 +91,7 @@ }, "nist": { "group": "context", - "requirement":"optional" + "requirement": "optional" }, "process": { "group": "context", @@ -103,7 +103,7 @@ }, "risk_level": { "group": "primary", - "requirement":"recommended" + "requirement": "recommended" }, "risk_level_id": { "group": "primary", @@ -121,6 +121,8 @@ }, "state_id": { "description": "The normalized state identifier of a security finding.", + "group": "context", + "requirement": "required", "enum": { "1": { "caption": "New", @@ -138,13 +140,11 @@ "caption": "Resolved", "description": "The finding was reviewed and remediated and is now considered resolved." } - }, - "group": "context", - "requirement": "required" + } }, "vulnerabilities": { "group": "context", "requirement": "optional" } } -} +} \ No newline at end of file diff --git a/events/findings/vulnerability_finding.json b/events/findings/vulnerability_finding.json index cf0af64ae..f83e9aba8 100644 --- a/events/findings/vulnerability_finding.json +++ b/events/findings/vulnerability_finding.json 
@@ -1,24 +1,24 @@ { + "uid": 2, "caption": "Vulnerability Finding", "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.", "extends": "finding", "name": "vulnerability_finding", - "uid": 2, "attributes": { "resource": { + "description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.", + "group": "primary", + "requirement": "recommended", "@deprecated": { "message": "Use the resources attribute instead.", "since": "1.3.0" - }, - "description": "Describes details about the resource that is affected by the vulnerability/vulnerabilities.", - "group": "primary", - "requirement": "recommended" + } }, "resources": { - "caption": "Affected Resources", - "description": "Describes details about the resource/resources that are affected by the vulnerability/vulnerabilities.", - "group": "primary", - "requirement": "recommended" + "caption": "Affected Resources", + "description": "Describes details about the resource/resources that are affected by the vulnerability/vulnerabilities.", + "group": "primary", + "requirement": "recommended" }, "vulnerabilities": { "group": "primary", diff --git a/events/iam/account_change.json b/events/iam/account_change.json index be5e25cc5..d8a93f5d8 100644 --- a/events/iam/account_change.json +++ b/events/iam/account_change.json @@ -1,9 +1,9 @@ { + "uid": 1, "caption": "Account Change", "description": "Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.", "extends": "iam", "name": "account_change", - "uid": 1, "attributes": { "activity_id": { "enum": { @@ -73,4 +73,4 @@ "requirement": "recommended" } } -} +} \ No newline at end of file 
diff --git a/events/iam/authentication.json b/events/iam/authentication.json index d02864ae5..f8a6e7634 100644 --- a/events/iam/authentication.json +++ b/events/iam/authentication.json @@ -1,9 +1,23 @@ { + "uid": 2, "caption": "Authentication", "description": "Authentication events report authentication session activities such as user attempts a logon or logoff, successfully or otherwise.", "extends": "iam", "name": "authentication", - "uid": 2, + "associations": { + "actor.user": [ + "src_endpoint" + ], + "dst_endpoint": [ + "user" + ], + "src_endpoint": [ + "actor.user" + ], + "user": [ + "dst_endpoint" + ] + }, "attributes": { "activity_id": { "enum": { @@ -73,9 +87,9 @@ "requirement": "optional" }, "is_remote": { + "description": "The attempted authentication is over a remote connection.", "group": "primary", - "requirement": "recommended", - "description": "The attempted authentication is over a remote connection." + "requirement": "recommended" }, "logon_process": { "group": "context", @@ -107,24 +121,10 @@ "requirement": "required" } }, - "associations": { - "actor.user": [ - "src_endpoint" - ], - "dst_endpoint": [ - "user" - ], - "src_endpoint": [ - "actor.user" - ], - "user": [ - "dst_endpoint" - ] - }, "constraints": { "at_least_one": [ "service", "dst_endpoint" ] } -} +} \ No newline at end of file diff --git a/events/iam/authorize_session.json b/events/iam/authorize_session.json index c46edbcea..5a1f14377 100644 --- a/events/iam/authorize_session.json +++ b/events/iam/authorize_session.json 
@@ -1,19 +1,27 @@ { + "uid": 3, "caption": "Authorize Session", "description": "Authorize Session events report privileges or groups assigned to a new user session, usually at login time.", "extends": "iam", "name": "authorize_session", - "uid": 3, + "associations": { + "session": [ + "user" + ], + "user": [ + "session" + ] + }, "attributes": { "activity_id": { "enum": { "1": { - "description": "Assign special privileges to a new logon.", - "caption": "Assign Privileges" + "caption": "Assign Privileges", + "description": "Assign special privileges to a new logon." }, "2": { - "description": "Assign special groups to a new logon.", - "caption": "Assign Groups" + "caption": "Assign Groups", + "description": "Assign special groups to a new logon." } } }, @@ -43,18 +51,10 @@ "requirement": "required" } }, - "associations": { - "session": [ - "user" - ], - "user": [ - "session" - ] - }, "constraints": { "just_one": [ "privileges", "group" ] } -} +} \ No newline at end of file diff --git a/events/iam/entity_management.json b/events/iam/entity_management.json index c33d0cfff..ba04c4f96 100644 --- a/events/iam/entity_management.json +++ b/events/iam/entity_management.json @@ -1,10 +1,18 @@ { - "caption": "Entity Management", "uid": 4, - "name": "entity_management", - "extends": "iam", + "caption": "Entity Management", "description": "Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.", + "extends": "iam", + "name": "entity_management", "attributes": { + "access_list": { + "group": "context", + "requirement": "optional" + }, + "access_mask": { + "group": "context", + "requirement": "optional" + }, "activity_id": { "enum": { "1": { 
@@ -77,14 +85,6 @@ "entity_result": { "group": "primary", "requirement": "recommended" - }, - "access_mask": { - "group": "context", - "requirement": "optional" - }, - "access_list": { - "group": "context", - "requirement": "optional" } } -} +} \ No newline at end of file diff --git a/events/iam/group_management.json b/events/iam/group_management.json index ae4717407..b5b873c50 100644 --- a/events/iam/group_management.json +++ b/events/iam/group_management.json @@ -1,35 +1,35 @@ { + "uid": 6, "caption": "Group Management", "description": "Group Management events report management updates to a group, including updates to membership and permissions.", "extends": "iam", "name": "group_management", - "uid": 6, "attributes": { "activity_id": { "enum": { "1": { - "description": "Assign privileges to a group.", - "caption": "Assign Privileges" + "caption": "Assign Privileges", + "description": "Assign privileges to a group." }, "2": { - "description": "Revoke privileges from a group.", - "caption": "Revoke Privileges" + "caption": "Revoke Privileges", + "description": "Revoke privileges from a group." }, "3": { - "description": "Add user to a group.", - "caption": "Add User" + "caption": "Add User", + "description": "Add user to a group." }, "4": { - "description": "Remove user from a group.", - "caption": "Remove User" + "caption": "Remove User", + "description": "Remove user from a group." }, "5": { - "description": "A group was deleted.", - "caption": "Delete" + "caption": "Delete", + "description": "A group was deleted." }, "6": { - "description": "A group was created.", - "caption": "Create" + "caption": "Create", + "description": "A group was created." } } }, @@ -60,4 +60,4 @@ "user" ] } -} +} \ No newline at end of file diff --git a/events/iam/iam.json b/events/iam/iam.json index 07c9f51e0..5c366937c 100644 --- a/events/iam/iam.json +++ b/events/iam/iam.json 
@@ -4,9 +4,6 @@
 "description": "The Identity & Access Management event is a generic event that defines a set of attributes available in the access control events. As a generic event, it could be used to log events that are not otherwise defined by the IAM category.",
 "extends": "base_event",
 "name": "iam",
- "profiles": [
- "host"
- ],
 "attributes": {
 "$include": [
 "profiles/host.json"
@@ -21,5 +18,8 @@
 "group": "primary",
 "requirement": "recommended"
 }
- }
-}
+ },
+ "profiles": [
+ "host"
+ ]
+}
\ No newline at end of file
diff --git a/events/iam/user_access.json b/events/iam/user_access.json
index 6d8d05ea7..e898f557e 100644
--- a/events/iam/user_access.json
+++ b/events/iam/user_access.json
@@ -1,19 +1,19 @@
 {
+ "uid": 5,
 "caption": "User Access Management",
 "description": "User Access Management events report management updates to a user's privileges.",
 "extends": "iam",
 "name": "user_access",
- "uid": 5,
 "attributes": {
 "activity_id": {
 "enum": {
 "1": {
- "description": "Assign privileges to a user.",
- "caption": "Assign Privileges"
+ "caption": "Assign Privileges",
+ "description": "Assign privileges to a user."
 },
 "2": {
- "description": "Revoke privileges from a user.",
- "caption": "Revoke Privileges"
+ "caption": "Revoke Privileges",
+ "description": "Revoke privileges from a user."
 }
 }
 },
@@ -33,4 +33,4 @@
 "requirement": "required"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/network/dhcp.json b/events/network/dhcp_activity.json
similarity index 92%
rename from events/network/dhcp.json
rename to events/network/dhcp_activity.json
index a9e42412d..b60715b05 100644
--- a/events/network/dhcp.json
+++ b/events/network/dhcp_activity.json
@@ -1,18 +1,16 @@ { + "uid": 4, "caption": "DHCP Activity", "description": "DHCP Activity events report MAC to IP assignment via DHCP from a client or server.", "extends": "network", "name": "dhcp_activity", - "profiles": [ - "host" - ], - "uid": 4, "attributes": { "$include": [ "profiles/cloud.json", "profiles/host.json" ], "activity_id": { + "requirement": "required", "enum": { "1": { "caption": "Discover", @@ -50,13 +48,12 @@ "caption": "Expire", "description": "DHCPEXPIRE: A DHCP lease expired." } - }, - "requirement": "required" + } }, "dst_endpoint": { "description": "The responder (server) of the DHCP connection.", - "requirement": "recommended", - "group": "primary" + "group": "primary", + "requirement": "recommended" }, "is_renewal": { "group": "primary", @@ -66,12 +63,12 @@ "group": "primary", "requirement": "recommended" }, + "relay": { + "group": "primary", + "requirement": "recommended" + }, "src_endpoint": { "description": "The initiator (client) of the DHCP connection.", - "requirement": "recommended", - "group": "primary" - }, - "relay": { "group": "primary", "requirement": "recommended" }, @@ -80,5 +77,8 @@ "group": "primary", "requirement": "recommended" } - } -} + }, + "profiles": [ + "host" + ] +} \ No newline at end of file diff --git a/events/network/dns.json b/events/network/dns_activity.json similarity index 99% rename from events/network/dns.json rename to events/network/dns_activity.json index d4e0d7870..a3edb9c95 100644 --- a/events/network/dns.json +++ b/events/network/dns_activity.json @@ -154,4 +154,4 @@ "requirement": "optional" } } -} +} \ No newline at end of file diff --git a/events/network/email.json b/events/network/email_activity.json similarity index 86% rename from events/network/email.json rename to events/network/email_activity.json index 744314d7b..ae87db42f 100644 --- a/events/network/email.json +++ b/events/network/email_activity.json 
@@ -1,14 +1,10 @@ { + "uid": 9, + "caption": "Email Activity", + "category": "network", "description": "Email events report activities of emails.", "extends": "base_event", - "caption": "Email Activity", "name": "email_activity", - "category": "network", - "uid": 9, - "profiles": [ - "host", - "security_control" - ], "attributes": { "$include": [ "profiles/host.json", @@ -30,13 +26,13 @@ } }, "attempt": { - "requirement": "optional", "description": "The attempt number for attempting to deliver the email.", - "group": "context" + "group": "context", + "requirement": "optional" }, "banner": { - "requirement": "optional", - "group": "context" + "group": "context", + "requirement": "optional" }, "direction": { "description": "The direction of the email, as defined by the direction_id value.", @@ -45,6 +41,8 @@ }, "direction_id": { "description": "

The direction of the email relative to the scanning host or organization.

Email scanned at an internet gateway might be characterized as inbound to the organization from the Internet, outbound from the organization to the Internet, or internal within the organization. Email scanned at a workstation might be characterized as inbound to, or outbound from the workstation.", + "group": "context", + "requirement": "required", "enum": { "0": { "caption": "Unknown", @@ -65,32 +63,34 @@ "99": { "caption": "Other" } - }, - "group": "context", - "requirement": "required" + } }, "dst_endpoint": { "description": "The responder (server) receiving the email.", - "requirement": "recommended", - "group": "primary" + "group": "primary", + "requirement": "recommended" }, "email": { - "requirement": "required", - "group": "primary" + "group": "primary", + "requirement": "required" }, "email_auth": { - "requirement": "recommended", - "group": "primary" - }, - "src_endpoint": { - "description": "The initiator (client) sending the email.", - "requirement": "recommended", - "group": "primary" + "group": "primary", + "requirement": "recommended" }, "smtp_hello": { "description": "The value of the SMTP HELO or EHLO command sent by the initiator (client).", - "requirement": "recommended", - "group": "primary" + "group": "primary", + "requirement": "recommended" + }, + "src_endpoint": { + "description": "The initiator (client) sending the email.", + "group": "primary", + "requirement": "recommended" } - } + }, + "profiles": [ + "host", + "security_control" + ] } \ No newline at end of file diff --git a/events/network/email_file.json b/events/network/email_file_activity.json similarity index 92% rename from events/network/email_file.json rename to events/network/email_file_activity.json index cb4e9fa80..f99953b37 100644 --- a/events/network/email_file.json +++ b/events/network/email_file_activity.json 
@@ -1,14 +1,10 @@ { + "uid": 11, + "caption": "Email File Activity", + "category": "network", "description": "Email File Activity events report files within emails.", "extends": "base_event", - "caption": "Email File Activity", "name": "email_file_activity", - "category": "network", - "uid": 11, - "profiles": [ - "host", - "security_control" - ], "attributes": { "$include": [ "profiles/host.json", @@ -30,13 +26,17 @@ } }, "email_uid": { - "requirement": "required", - "group": "primary" + "group": "primary", + "requirement": "required" }, "file": { "description": "The email file attachment.", "group": "primary", "requirement": "required" } - } + }, + "profiles": [ + "host", + "security_control" + ] } \ No newline at end of file diff --git a/events/network/email_url.json b/events/network/email_url_activity.json similarity index 92% rename from events/network/email_url.json rename to events/network/email_url_activity.json index cc2734d03..8877af62f 100644 --- a/events/network/email_url.json +++ b/events/network/email_url_activity.json @@ -1,14 +1,10 @@ { + "uid": 12, + "caption": "Email URL Activity", + "category": "network", "description": "Email URL Activity events report URLs within an email.", "extends": "base_event", - "caption": "Email URL Activity", "name": "email_url_activity", - "category": "network", - "uid": 12, - "profiles": [ - "host", - "security_control" - ], "attributes": { "$include": [ "profiles/host.json", @@ -30,13 +26,17 @@ } }, "email_uid": { - "requirement": "required", - "group": "primary" + "group": "primary", + "requirement": "required" }, "url": { "description": "The URL included in the email content.", "group": "primary", "requirement": "required" } - } + }, + "profiles": [ + "host", + "security_control" + ] } \ No newline at end of file diff --git a/events/network/ftp.json b/events/network/ftp_activity.json similarity index 99% rename from events/network/ftp.json rename to events/network/ftp_activity.json index b96f762e4..0f20d796f 100644 
--- a/events/network/ftp.json
+++ b/events/network/ftp_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 8,
 "caption": "FTP Activity",
 "description": "File Transfer Protocol (FTP) Activity events report file transfers between a server and a client as seen on the network.",
 "extends": "network",
 "name": "ftp_activity",
- "uid": 8,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -69,4 +69,4 @@
 "requirement": "recommended"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/network/http.json b/events/network/http_activity.json
similarity index 99%
rename from events/network/http.json
rename to events/network/http_activity.json
index d6f7976b1..f4ac0878d 100644
--- a/events/network/http.json
+++ b/events/network/http_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 2,
 "caption": "HTTP Activity",
 "description": "HTTP Activity events report HTTP connection and traffic information.",
 "extends": "network",
 "name": "http_activity",
- "uid": 2,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -41,6 +41,11 @@
 }
 }
 },
+ "file": {
+ "description": "The file that is the target of the HTTP activity.",
+ "group": "context",
+ "requirement": "optional"
+ },
 "http_cookies": {
 "group": "primary",
 "requirement": "recommended"
@@ -56,11 +61,6 @@
 "http_status": {
 "group": "primary",
 "requirement": "recommended"
- },
- "file": {
- "description": "The file that is the target of the HTTP activity.",
- "group": "context",
- "requirement": "optional"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/network/network.json b/events/network/network.json
index b49ee9b37..89b0c1782 100644
--- a/events/network/network.json
+++ b/events/network/network.json
@@ -4,12 +4,6 @@
 "description": "Network event is a generic event that defines a set of attributes available in the Network category.",
 "extends": "base_event",
 "name": "network",
- "profiles": [
- "host",
- "network_proxy",
- "security_control",
- "load_balancer"
- ],
 "attributes": {
 "$include": [
 "profiles/host.json",
@@ -51,5 +45,11 @@
 "group": "primary",
 "requirement": "recommended"
 }
- }
-}
+ },
+ "profiles": [
+ "host",
+ "network_proxy",
+ "security_control",
+ "load_balancer"
+ ]
+}
\ No newline at end of file
diff --git a/events/network/network_activity.json b/events/network/network_activity.json
index dd4967a3c..2f21ac76d 100644
--- a/events/network/network_activity.json
+++ b/events/network/network_activity.json
@@ -1,17 +1,46 @@
 {
+ "uid": 1,
 "caption": "Network Activity",
 "description": "Network Activity events report network connection and traffic activity.",
 "extends": "network",
 "name": "network_activity",
- "uid": 1,
 "attributes": {
- "$include": [
- "includes/network/network_activities.json"
- ],
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Open",
+ "description": "A new network connection was opened."
+ },
+ "2": {
+ "caption": "Close",
+ "description": "The network connection was closed."
+ },
+ "3": {
+ "caption": "Reset",
+ "description": "The network connection was abnormally terminated or closed by a middle device like firewalls."
+ },
+ "4": {
+ "caption": "Fail",
+ "description": "The network connection failed. For example a connection timeout or no route to host."
+ },
+ "5": {
+ "caption": "Refuse",
+ "description": "The network connection was refused. For example an attempt to connect to a server port which is not open."
+ },
+ "6": {
+ "caption": "Traffic",
+ "description": "Network traffic report."
+ },
+ "7": {
+ "caption": "Listen",
+ "description": "A network endpoint began listening for new network connections."
+ }
+ }
+ },
 "url": {
 "description": "The URL details relevant to the network traffic.",
 "group": "primary",
 "requirement": "recommended"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/network/file_activity.json b/events/network/network_file_activity.json
similarity index 99%
rename from events/network/file_activity.json
rename to events/network/network_file_activity.json
index 814e940c0..d98efaa0a 100644
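Review bot: Inlining `activity_id` in network_activity.json in place of `includes/network/network_activities.json` leaves two identical copies of the seven-value enum, the other in ssh_activity.json in this same commit, with nothing tying them together, so any caption or description change must now be made twice. The inlined block also carries no `requirement` key, whereas the `activity_id` definitions in dhcp_activity.json and tunnel_activity.json in this commit both declare `"requirement": "required"`; if the deleted include declared one, it was dropped here and in ssh_activity.json, which is worth confirming against the removed file. If the schema compiler lets a subclass replace an inherited enum, defining the shared enum once in the `network` base class (network.json) would remove the duplication.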
--- a/events/network/file_activity.json
+++ b/events/network/network_file_activity.json
@@ -1,13 +1,13 @@
 {
- "@deprecated": {
- "message": "Use the new class: 'File Hosting Activity' in the 'Application' category.",
- "since": "1.1.0"
- },
+ "uid": 10,
 "caption": "Network File Activity",
 "description": "Network File Activity events report file activities traversing the network, including file storage services such as Box, MS OneDrive, or Google Drive.",
 "extends": "network",
 "name": "network_file_activity",
- "uid": 10,
+ "@deprecated": {
+ "message": "Use the new class: 'File Hosting Activity' in the 'Application' category.",
+ "since": "1.1.0"
+ },
 "attributes": {
 "activity_id": {
 "enum": {
@@ -106,4 +106,4 @@
 "requirement": "required"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/network/ntp.json b/events/network/ntp_activity.json
similarity index 100%
rename from events/network/ntp.json
rename to events/network/ntp_activity.json
index 692872d74..d6dd9b22a 100644
--- a/events/network/ntp.json
+++ b/events/network/ntp_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 13,
 "caption": "NTP Activity",
 "description": "The Network Time Protocol (NTP) Activity events report instances of remote clients synchronizing their clocks with an NTP server, as observed on the network.",
 "extends": "network",
 "name": "ntp_activity",
- "uid": 13,
 "attributes": {
 "activity_id": {
 "enum": {
diff --git a/events/network/rdp.json b/events/network/rdp_activity.json
similarity index 99%
rename from events/network/rdp.json
rename to events/network/rdp_activity.json
index db8c3fe93..b73509c3c 100644
--- a/events/network/rdp.json
+++ b/events/network/rdp_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 5,
 "caption": "RDP Activity",
 "description": "Remote Desktop Protocol (RDP) Activity events report remote client connections to a server as seen on the network.",
 "extends": "network",
 "name": "rdp_activity",
- "uid": 5,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -74,4 +74,4 @@
 "requirement": "recommended"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/network/smb.json b/events/network/smb_activity.json
similarity index 99%
rename from events/network/smb.json
rename to events/network/smb_activity.json
index 20deb09a3..0bb2c519d 100644
--- a/events/network/smb.json
+++ b/events/network/smb_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 6,
 "caption": "SMB Activity",
 "description": "Server Message Block (SMB) Protocol Activity events report client/server connections sharing resources within the network.",
 "extends": "network",
 "name": "smb_activity",
- "uid": 6,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -85,4 +85,4 @@
 "requirement": "recommended"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/network/ssh.json b/events/network/ssh_activity.json
similarity index 64%
rename from events/network/ssh.json
rename to events/network/ssh_activity.json
index dd2b9cb85..b8dbae48b 100644
--- a/events/network/ssh.json
+++ b/events/network/ssh_activity.json
@@ -1,13 +1,42 @@ { + "uid": 7, "caption": "SSH Activity", "description": "SSH Activity events report remote client connections to a server using the Secure Shell (SSH) Protocol.", "extends": "network", "name": "ssh_activity", - "uid": 7, "attributes": { - "$include": [ - "includes/network/network_activities.json" - ], + "activity_id": { + "enum": { + "1": { + "caption": "Open", + "description": "A new network connection was opened." + }, + "2": { + "caption": "Close", + "description": "The network connection was closed." + }, + "3": { + "caption": "Reset", + "description": "The network connection was abnormally terminated or closed by a middle device like firewalls." + }, + "4": { + "caption": "Fail", + "description": "The network connection failed. For example a connection timeout or no route to host." + }, + "5": { + "caption": "Refuse", + "description": "The network connection was refused. For example an attempt to connect to a server port which is not open." + }, + "6": { + "caption": "Traffic", + "description": "Network traffic report." + }, + "7": { + "caption": "Listen", + "description": "A network endpoint began listening for new network connections." + } + } + }, "auth_type": { "description": "The SSH authentication type, normalized to the caption of 'auth_type_id'. In the case of 'Other', it is defined by the event source.", "group": "primary", @@ -15,10 +44,9 @@ }, "auth_type_id": { "description": "The normalized identifier of the SSH authentication type.", + "group": "primary", + "requirement": "recommended", "enum": { - "99": { - "caption": "Other" - }, "0": { "caption": "Unknown" }, @@ -45,10 +73,11 @@ "6": { "caption": "Public Key", "description": "Paired public key authentication." + }, + "99": { + "caption": "Other" } - }, - "group": "primary", - "requirement": "recommended" + } }, "client_hassh": { "group": "primary", @@ -70,4 +99,4 @@ "requirement": "recommended" } } -} +} \ No newline at end of file 
diff --git a/events/network/tunnel_activity.json b/events/network/tunnel_activity.json index 1069b1566..c444fd6cb 100644 --- a/events/network/tunnel_activity.json +++ b/events/network/tunnel_activity.json @@ -1,11 +1,20 @@ { + "uid": 14, "caption": "Tunnel Activity", "description": "Tunnel Activity events report secure tunnel establishment (such as VPN), teardowns, renewals, and other network tunnel specific actions.", "extends": "network", "name": "tunnel_activity", - "uid": 14, + "associations": { + "src_endpoint": [ + "user" + ], + "user": [ + "src_endpoint" + ] + }, "attributes": { "activity_id": { + "requirement": "required", "enum": { "0": { "caption": "Unknown", @@ -27,23 +36,22 @@ "caption": "Other", "description": "The event activity is not mapped. See the activity_name attribute, which contains a data source specific value." } - }, - "requirement": "required" + } }, "connection_info": { "description": "The tunnel connection information.", "group": "context", "requirement": "optional" }, - "dst_endpoint": { - "description": "The server responding to the tunnel connection.", - "group": "primary", - "requirement": "recommended" - }, "device": { "description": "The device that reported the event.", "group": "primary", - "profile": null, + "requirement": "recommended", + "profile": null + }, + "dst_endpoint": { + "description": "The server responding to the tunnel connection.", + "group": "primary", "requirement": "recommended" }, "protocol_name": { 
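Review bot: In the `device` attribute of tunnel_activity.json the moved `"profile": null` now sits after `requirement`, which breaks the alphabetical key order the sort applies to every other attribute in this commit (`description`, `group`, `requirement` in `dst_endpoint` just below) and undoes the order the old side already had. Presumably the sorting script treats `null` values specially; restoring `"profile": null,` before `"requirement": "recommended"` keeps the file consistent with the rest of the cleanup. The enclosing `attributes` object continues past this hunk.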
@@ -52,17 +60,17 @@ "group": "context", "requirement": "optional" }, - "src_endpoint": { - "description": "The initiator (client) of the tunnel connection.", - "group": "primary", - "requirement": "recommended" - }, "session": { "caption": "Tunnel Session", "description": "The session associated with the tunnel.", "group": "primary", "requirement": "recommended" }, + "src_endpoint": { + "description": "The initiator (client) of the tunnel connection.", + "group": "primary", + "requirement": "recommended" + }, "traffic": { "description": "Traffic refers to the amount of data moving across the tunnel at a given point of time. Ex: bytes_in and bytes_out.", "group": "context", @@ -81,6 +89,8 @@ }, "tunnel_type_id": { "description": "The normalized tunnel type ID.", + "group": "primary", + "requirement": "recommended", "enum": { "0": { "caption": "Unknown" @@ -94,9 +104,7 @@ "99": { "caption": "Other" } - }, - "group": "primary", - "requirement": "recommended" + } }, "user": { "description": "The user associated with the tunnel activity.", @@ -104,14 +112,6 @@ "requirement": "recommended" } }, - "associations": { - "user": [ - "src_endpoint" - ], - "src_endpoint": [ - "user" - ] - }, "constraints": { "at_least_one": [ "connection_info", @@ -120,6 +120,6 @@ "traffic", "tunnel_interface", "tunnel_type_id" - ] - } -} + ] + } +} \ No newline at end of file diff --git a/events/remediation/file_remediation_activity.json b/events/remediation/file_remediation_activity.json index e6c63fa2c..9b8d3ca17 100644 --- a/events/remediation/file_remediation_activity.json +++ b/events/remediation/file_remediation_activity.json 
@@ -1,14 +1,14 @@
 {
+ "uid": 2,
 "caption": "File Remediation Activity",
 "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include File, such as File Removal or Restore File.",
 "extends": "remediation_activity",
 "name": "file_remediation_activity",
- "uid": 2,
 "attributes": {
- "file": {
- "description": "The file that pertains to the remediation event.",
- "group": "primary",
- "requirement": "required"
- }
+ "file": {
+ "description": "The file that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required"
+ }
 }
- }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/events/remediation/network_remediation_activity.json b/events/remediation/network_remediation_activity.json
index f5455ff92..70fac73a7 100644
--- a/events/remediation/network_remediation_activity.json
+++ b/events/remediation/network_remediation_activity.json
@@ -1,14 +1,14 @@
 {
+ "uid": 4,
 "caption": "Network Remediation Activity",
 "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.",
 "extends": "remediation_activity",
 "name": "network_remediation_activity",
- "uid": 4,
 "attributes": {
- "connection_info": {
- "description": "The network connection that pertains to the remediation event.",
- "requirement": "required",
- "group": "primary"
- }
+ "connection_info": {
+ "description": "The network connection that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required"
+ }
 }
- }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/events/remediation/process_remediation_activity.json b/events/remediation/process_remediation_activity.json
index feb15b938..24930ca8b 100644
--- a/events/remediation/process_remediation_activity.json
+++ b/events/remediation/process_remediation_activity.json
@@ -1,14 +1,14 @@
 {
+ "uid": 3,
 "caption": "Process Remediation Activity",
 "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ Matrix. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.",
 "extends": "remediation_activity",
 "name": "process_remediation_activity",
- "uid": 3,
 "attributes": {
- "process": {
- "description": "The process that pertains to the remediation event.",
- "group": "primary",
- "requirement": "required"
- }
+ "process": {
+ "description": "The process that pertains to the remediation event.",
+ "group": "primary",
+ "requirement": "required"
+ }
 }
- }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/events/remediation/remediation_activity.json b/events/remediation/remediation_activity.json
index 6c9384560..0f4995db5 100644
--- a/events/remediation/remediation_activity.json
+++ b/events/remediation/remediation_activity.json
@@ -1,75 +1,75 @@
 {
+ "uid": 1,
 "caption": "Remediation Activity",
- "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ Matrix.",
- "name": "remediation_activity",
 "category": "remediation",
+ "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ Matrix.",
 "extends": "base_event",
- "uid": 1,
- "profiles": [
- "host"
- ],
+ "name": "remediation_activity",
 "attributes": {
- "$include": [
- "profiles/host.json"
- ],
- "activity_id": {
- "enum": {
- "1": {
- "caption": "Isolate",
- "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate."
- },
- "2": {
- "caption": "Evict",
- "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict."
- },
- "3": {
- "caption": "Restore",
- "description": "Returns the system to a better state. Defined by D3FEND™ d3f:Restore."
- },
- "4": {
- "caption": "Harden",
- "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden."
- }
+ "$include": [
+ "profiles/host.json"
+ ],
+ "activity_id": {
+ "description": "Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class.",
+ "enum": {
+ "1": {
+ "caption": "Isolate",
+ "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ d3f:Isolate."
+ },
+ "2": {
+ "caption": "Evict",
+ "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ d3f:Evict."
+ },
+ "3": {
+ "caption": "Restore",
+ "description": "Returns the system to a better state. Defined by D3FEND™ d3f:Restore."
+ },
+ "4": {
+ "caption": "Harden",
+ "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden."
+ }
+ }
 },
- "description": "Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class."
- },
- "command_uid": {
- "description": "The unique identifier of the remediation command that pertains to this event.",
- "group": "primary",
- "requirement": "required"
- },
- "countermeasures": {
- "group": "primary",
- "requirement": "recommended"
- },
- "remediation": {
- "group": "context",
- "requirement": "optional"
- },
- "scan": {
- "group": "context",
- "description": "The remediation scan that pertains to this event.",
- "requirement": "optional"
- },
- "status_id": {
- "enum": {
- "3": {
- "caption": "Does Not Exist",
- "description": "The target of the remediation does not exist."
- },
- "4": {
- "caption": "Partial",
- "description": "The remediation was partially completed."
- },
- "5": {
- "caption": "Unsupported",
- "description": "The remediation was not supported."
- },
- "6": {
- "caption": "Error",
- "description": "There was an error during the remediation process."
+ "command_uid": {
+ "description": "The unique identifier of the remediation command that pertains to this event.",
+ "group": "primary",
+ "requirement": "required"
+ },
+ "countermeasures": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "remediation": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "scan": {
+ "description": "The remediation scan that pertains to this event.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "status_id": {
+ "enum": {
+ "3": {
+ "caption": "Does Not Exist",
+ "description": "The target of the remediation does not exist."
+ },
+ "4": {
+ "caption": "Partial",
+ "description": "The remediation was partially completed."
+ },
+ "5": {
+ "caption": "Unsupported",
+ "description": "The remediation was not supported."
+ },
+ "6": {
+ "caption": "Error",
+ "description": "There was an error during the remediation process."
+ }
 }
 }
- }
- }
- }
\ No newline at end of file
+ },
+ "profiles": [
+ "host"
+ ]
+}
\ No newline at end of file
diff --git a/events/system/event_log.json b/events/system/event_log.json
index 993d7e793..be867c8ad 100644
--- a/events/system/event_log.json
+++ b/events/system/event_log.json
@@ -1,9 +1,9 @@
 {
+ "uid": 8,
 "caption": "Event Log Activity",
 "description": "Event Log Activity events report actions pertaining to the system's event logging service(s), such as disabling logging or clearing the log data.",
 "extends": "system",
 "name": "event_log",
- "uid": 8,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -52,14 +52,14 @@
 "actor": {
 "description": "The actor that performed the activity.",
 "group": "primary",
- "profile": null,
- "requirement": "recommended"
+ "requirement": "recommended",
+ "profile": null
 },
 "device": {
 "description": "The device that reported the event.",
 "group": "primary",
- "profile": null,
- "requirement": "recommended"
+ "requirement": "recommended",
+ "profile": null
 },
 "dst_endpoint": {
 "description": "The
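Review bot: The `"4"` (Harden) entry of `activity_id` keeps a leading space in its description on the new side, `" Increases the opportunity cost..."`, which the re-indentation rewrote but did not clean up; that stray space will appear verbatim in generated docs and in any consumer that compares or displays enum descriptions. It should read `"description": "Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ d3f:Harden."`. The same string is present on the removed side, so this is pre-existing, but since this hunk already rewrites the line it is the natural place to fix it.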

targeted

endpoint for the event log activity.",
@@ -114,4 +114,4 @@
 "log_type_id"
 ]
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/filesystem.json b/events/system/file_activity.json
similarity index 99%
rename from events/system/filesystem.json
rename to events/system/file_activity.json
index 2d5486667..7cbc9b017 100644
--- a/events/system/filesystem.json
+++ b/events/system/file_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 1,
 "caption": "File System Activity",
 "description": "File System Activity events report when a process performs an action on a file or folder.",
 "extends": "system",
 "name": "file_activity",
- "uid": 1,
 "attributes": {
 "access_mask": {
 "group": "context",
@@ -101,4 +101,4 @@
 "requirement": "recommended"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/kernel.json b/events/system/kernel_activity.json
similarity index 99%
rename from events/system/kernel.json
rename to events/system/kernel_activity.json
index 50cd4768a..94cade9a0 100644
--- a/events/system/kernel.json
+++ b/events/system/kernel_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 3,
 "caption": "Kernel Activity",
 "description": "Kernel Activity events report when an process creates, reads, or deletes a kernel resource.",
 "extends": "system",
 "name": "kernel_activity",
- "uid": 3,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -27,4 +27,4 @@
 "requirement": "required"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/kernel_extension.json b/events/system/kernel_extension.json
index ab1282ea5..cfcc9d17b 100644
--- a/events/system/kernel_extension.json
+++ b/events/system/kernel_extension.json
@@ -1,9 +1,9 @@
 {
- "caption": "Kernel Extension Activity",
 "uid": 2,
- "name": "kernel_extension",
- "extends": "system",
+ "caption": "Kernel Extension Activity",
 "description": "Kernel Extension events report when a driver/extension is loaded or unloaded into the kernel",
+ "extends": "system",
+ "name": "kernel_extension",
 "attributes": {
 "activity_id": {
 "enum": {
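Review bot: In the `actor` and `device` attributes of event_log.json, `profile` is moved after `requirement`, which breaks the alphabetical key order that the rest of this commit establishes (`description`, `group`, `profile`, `requirement`). If the intent is to keep the `"profile": null` override visually last as an explicit opt-out, that is defensible, but it is presumably something a sort-based cleanup tool will flip back on the next pass unless the tool is taught the exception. Either restore `"profile": null` to its sorted position before `"requirement": "recommended"` or apply the "override last" convention uniformly so the two are not mixed.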
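Review bot: The trailing newline at end of file is dropped here (`-}` replaced by `+}` followed by `\ No newline at end of file`), and the same regression appears in this chunk for file_activity.json, kernel_activity.json, kernel_extension.json, memory_activity.json, module_activity.json, process_activity.json, scheduled_job_activity.json, script_activity.json and system.json. A final newline is the convention for text files under version control: it keeps the files POSIX-conformant and avoids a spurious "No newline at end of file" churn line in every future patch that touches the closing brace. The formatter or sort script used for this cleanup should emit a terminating newline rather than strip one the files already had.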
@@ -26,4 +26,4 @@
 "requirement": "required"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/memory.json b/events/system/memory_activity.json
similarity index 85%
rename from events/system/memory.json
rename to events/system/memory_activity.json
index 6890fc9d5..cae140c0e 100644
--- a/events/system/memory.json
+++ b/events/system/memory_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 4,
 "caption": "Memory Activity",
 "description": "Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).",
 "extends": "system",
 "name": "memory_activity",
- "uid": 4,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -20,24 +20,24 @@
 "caption": "Buffer Overflow"
 },
 "5": {
- "description": "Data Execution Permission",
- "caption": "Disable DEP"
+ "caption": "Disable DEP",
+ "description": "Data Execution Permission"
 },
 "6": {
- "description": "Data Execution Permission",
- "caption": "Enable DEP"
+ "caption": "Enable DEP",
+ "description": "Data Execution Permission"
 },
 "7": {
- "description": "Read (Example: ReadProcessMemory)",
- "caption": "Read"
+ "caption": "Read",
+ "description": "Read (Example: ReadProcessMemory)"
 },
 "8": {
- "description": "Write (Example: WriteProcessMemory)",
- "caption": "Write"
+ "caption": "Write",
+ "description": "Write (Example: WriteProcessMemory)"
 },
 "9": {
- "description": "Map View (Example: MapViewOfFile2)",
- "caption": "Map View"
+ "caption": "Map View",
+ "description": "Map View (Example: MapViewOfFile2)"
 }
 }
 },
@@ -51,6 +51,11 @@
 "group": "primary",
 "requirement": "recommended"
 },
+ "process": {
+ "description": "The process that had memory allocated, read/written, or had other manipulation activities performed on it.",
+ "group": "primary",
+ "requirement": "required"
+ },
 "requested_permissions": {
 "description": "The permissions mask that was requested to access memory.",
 "group": "primary",
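Review bot: The re-emitted `description` for the `"5"` (Disable DEP) and `"6"` (Enable DEP) entries is the same string, `"Data Execution Permission"`, for two opposite activities, so a consumer reading descriptions cannot tell them apart; it also expands the acronym differently from the class description on the new side of this same file, which says `turning off data execution protection (DEP)`, while the established term is Data Execution Prevention. Since the hunk already rewrites both lines, make them distinct and consistent: `"description": "Disables Data Execution Prevention (DEP) for the process memory."` for `"5"` and `"description": "Enables Data Execution Prevention (DEP) for the process memory."` for `"6"`. The class-level `description` in the first hunk of this file is a context line, but aligning its wording to the same expansion would be worth a follow-up.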
@@ -60,11 +65,6 @@
 "description": "The memory size that was access or requested.",
 "group": "primary",
 "requirement": "recommended"
- },
- "process": {
- "description": "The process that had memory allocated, read/written, or had other manipulation activities performed on it.",
- "group": "primary",
- "requirement": "required"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/module.json b/events/system/module_activity.json
similarity index 99%
rename from events/system/module.json
rename to events/system/module_activity.json
index d8cf6a702..761bfdf1c 100644
--- a/events/system/module.json
+++ b/events/system/module_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 5,
 "caption": "Module Activity",
 "description": "Module Activity events report when a process loads or unloads the module.",
 "extends": "system",
 "name": "module_activity",
- "uid": 5,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -25,4 +25,4 @@
 "requirement": "required"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/process.json b/events/system/process_activity.json
similarity index 99%
rename from events/system/process.json
rename to events/system/process_activity.json
index c439b46bd..2e7020573 100644
--- a/events/system/process.json
+++ b/events/system/process_activity.json
@@ -1,9 +1,9 @@
 {
- "name": "process_activity",
+ "uid": 7,
 "caption": "Process Activity",
 "description": "Process Activity events report when a process launches, injects, opens or terminates another process, successful or otherwise.",
 "extends": "system",
- "uid": 7,
+ "name": "process_activity",
 "attributes": {
 "activity_id": {
 "enum": {
@@ -60,4 +60,4 @@
 "requirement": "recommended"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/scheduled_job.json b/events/system/scheduled_job_activity.json
similarity index 99%
rename from events/system/scheduled_job.json
rename to events/system/scheduled_job_activity.json
index ba6ccde9a..37991a070 100644
--- a/events/system/scheduled_job.json
+++ b/events/system/scheduled_job_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 6,
 "caption": "Scheduled Job Activity",
 "description": "Scheduled Job Activity events report activities related to scheduled jobs or tasks.",
 "extends": "system",
 "name": "scheduled_job_activity",
- "uid": 6,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -37,4 +37,4 @@
 "requirement": "required"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/script.json b/events/system/script_activity.json
similarity index 99%
rename from events/system/script.json
rename to events/system/script_activity.json
index 06830137d..d098c7839 100644
--- a/events/system/script.json
+++ b/events/system/script_activity.json
@@ -1,9 +1,9 @@
 {
+ "uid": 9,
 "caption": "Script Activity",
 "description": "Script Activity events report when a process executes a script.",
 "extends": "system",
 "name": "script_activity",
- "uid": 9,
 "attributes": {
 "activity_id": {
 "enum": {
@@ -18,4 +18,4 @@
 "requirement": "required"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/events/system/system.json b/events/system/system.json
index 99ec1b1e9..f62d79025 100644
--- a/events/system/system.json
+++ b/events/system/system.json
@@ -4,16 +4,12 @@
 "description": "The System Activity event is a generic event that defines a set of attributes available in the system activity events. As a generic event, it could be used to log events that are not otherwise defined by the System Activity category.",
 "extends": "base_event",
 "name": "system",
- "profiles": [
- "host",
- "security_control"
- ],
 "associations": {
- "device": [
- "actor.user"
- ],
 "actor.user": [
 "device"
+ ],
+ "device": [
+ "actor.user"
 ]
 },
 "attributes": {
@@ -28,5 +24,9 @@
 "group": "primary",
 "requirement": "required"
 }
- }
-}
+ },
+ "profiles": [
+ "host",
+ "security_control"
+ ]
+}
\ No newline at end of file
diff --git a/includes/classification.json b/includes/classification.json
deleted file mode 100644
index d7e0b2d73..000000000
--- a/includes/classification.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "caption": "Classification",
- "description": "The attributes that identify the event category and class.",
- "annotations": {
- "group": "classification"
- },
- "attributes": {
- "activity_name": {
- "requirement": "optional"
- },
- "activity_id": {
- "enum": {
- "0": {
- "caption": "Unknown"
- },
- "99": {
- "caption": "Other"
- }
- },
- "requirement": "required"
- },
- "category_name": {
- "requirement": "optional"
- },
- "category_uid": {
- "enum": {
- "0": {
- "caption": "Uncategorized"
- }
- },
- "requirement": "required"
- },
- "class_name": {
- "requirement": "optional"
- },
- "class_uid": {
- "enum": {
- "0": {
- "caption": "Base Event"
- }
- },
- "requirement": "required"
- },
- "type_name": {
- "requirement": "optional"
- },
- "type_uid": {
- "requirement": "required"
- }
- }
-}
diff --git a/includes/occurrence.json b/includes/occurrence.json
deleted file mode 100644
index 04f292c34..000000000
--- a/includes/occurrence.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "caption": "Occurrence",
- "description": "The attributes that specify when the event occurred, duration, and aggregations.",
- "annotations": {
- "group": "occurrence"
- },
- "attributes": {
- "count": {
- "requirement": "optional"
- },
- "duration": {
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.",
- "requirement": "optional"
- },
- "end_time": {
- "description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
- "requirement": "optional"
- },
- "start_time": {
- "description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
- "requirement": "optional"
- },
- "time": {
- "requirement": "required"
- },
- "timezone_offset": {
- "requirement": "recommended"
- }
- }
-}