Sept 2024 pass at OCSF/DEFEND mappings #1173

Draft
wants to merge 2 commits into base: main
Conversation

@ryantxu1 ryantxu1 commented Sep 9, 2024

Adding a few D3FEND mappings to OCSF.

Objects changed:

  • registry_value
  • account
  • container
  • database
  • fingerprint
  • group
  • http_cookie
  • job
  • script

Noticed a minor typo in http_header

@@ -1,6 +1,6 @@
{
"caption": "Script",
"description": "The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term <em>script</em> here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.",
"description": "The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term <em>script</em> here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/'>d3f:ExecutableScript</a>.",
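Review bot: the rewritten description on the second line of this hunk still carries the pre-existing typo "JavsScript" (should be "JavaScript"); since the line is being touched anyway, correct it here alongside the appended `Defined by D3FEND ...` sentence rather than carrying it forward. The appended link itself is consistent: the anchor text `d3f:ExecutableScript` matches the final path segment of the href `https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/`.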
A script can manifest as a file or a string-based command-line argument in the case of PowerShell.

Curious if OCSF wants to make such a distinction.

Consider this Shadowcat example:

D3FEND CAD Shadowcat example


Just to clarify, the file-less script case is more than just a string-based command line:

  • It may be read by an interpreter from stdin.
  • It may be embedded within a container document, e.g. VBA macro in a Word document or Excel sheet.
  • It may be dynamically executed as a sub-script of another script, e.g. a sub-script that results from deobfuscation, a sub-script that is downloaded, etc.


I would check with @davemcatcisco who authored the script class and object.


@davemcatcisco would be happy to hear your thoughts. Please see the CAD example above.


As you can see, I wrote the above comment two weeks ago but then forgot to submit the review until now. I'm just pointing out that a file-less script execution can happen in a lot of ways beyond a PowerShell command line.

I'm afraid I'm not sure what you mean when you say you're curious if OCSF wants to make a distinction. Can you clarify?


netfl0 commented Sep 10, 2024

Looks good save for a potential distinction OCSF might want to make regarding scripts as cmd line args. They might have already discussed this somewhere but it was not jumping out at me.

CHANGELOG.md: outdated review thread, resolved
@floydtree

Thanks for doing this! A general question, based on your review of the objects you updated, do you see a need to add more attributes in any of the objects? Any pertinent gaps in an OCSF object when compared to its D3FEND counterpart?


netfl0 commented Sep 10, 2024

> Thanks for doing this! A general question, based on your review of the objects you updated, do you see a need to add more attributes in any of the objects? Any pertinent gaps in an OCSF object when compared to its D3FEND counterpart?

There is quite a bit more we can do. In general we're looking to incorporate "data properties" from OCSF into D3FEND, since they are precisely what the community needs. This was intentional and planned on our part.

We want to synchronize "object properties" between OCSF and D3FEND but that is going to require further discussion and modeling.

@ryantxu1

There are a few instances where there are related D3FEND and OCSF objects, but the definitions don't align perfectly. Do we want to still relate those with "See also in D3FEND..." or something similar?

| D3FEND | OCSF |
| --- | --- |
| d3f:Authorization | Authorization |
| d3f:HardwareDevice | Device Hardware Info |
| d3f:DomainRegistration | Domain Contact |
| d3f:SystemFirewallConfiguration or d3f:Firewall | Firewall Rule |

@jonrau-at-queryai

> There are a few instances where there are related D3FEND and OCSF objects, but the definitions don't align perfectly. Do we want to still relate those with "See also in D3FEND..." or something similar?
>
> | D3FEND | OCSF |
> | --- | --- |
> | d3f:Authorization | Authorization |
> | d3f:HardwareDevice | Device Hardware Info |
> | d3f:DomainRegistration | Domain Contact |
> | d3f:SystemFirewallConfiguration or d3f:Firewall | Firewall Rule |

If it's pertinent enough, I think it's worth the callout. I did domain_contact for the larger osint object (and Profile/Discovery event) and would find that valuable.

Overall the more specific examples or further reading we can do for descriptions and captions, the better it is overall, both producers and consumers alike.
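As an added example (not code from the OCSF project or from anyone in this thread), a small Python linter for the description-embedded mapping convention used in the diff above: it extracts the `d3f:` identifier from a `Defined by D3FEND <a ...>` link, checks that the href points at that same D3FEND artifact page, and also accepts a `See also in D3FEND ...` form for the partially aligned objects in the table. That second wording is an assumption, not something the thread settled on; the `objects/*.json` layout in `lint_directory` and the sample definitions (other than the Script sentence mirrored from the hunk) are constructed for this example as well.

```python
import json
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Base URL of a D3FEND artifact page, as used in the link added by this PR.
D3FEND_BASE = "https://d3fend.mitre.org/dao/artifact/"

# Two relation kinds: "Defined by D3FEND" (the form in the PR's diff) and
# "See also in D3FEND" (the looser wording floated in the thread; assumed here).
# Captures the relation, the href and the d3f: identifier used as anchor text.
LINK_RE = re.compile(
    r"(?P<rel>Defined by|See also in) D3FEND\s*"
    r"<a\s+[^>]*href=['\"](?P<href>[^'\"]+)['\"][^>]*>"
    r"(?P<label>d3f:[A-Za-z0-9_]+)</a>"
)


def check_description(description: str) -> Tuple[Optional[dict], List[str]]:
    """Extract the D3FEND mapping from one object description and report problems.

    Returns (mapping, problems); mapping is None when the description carries
    no recognisable D3FEND link.
    """
    problems: List[str] = []
    m = LINK_RE.search(description)
    if m is None:
        if "d3fend.mitre.org" in description:
            problems.append("D3FEND URL present but not in the 'Defined by' / 'See also in' link form")
        return None, problems
    rel, href, label = m.group("rel"), m.group("href"), m.group("label")
    # The anchor text is the d3f: identifier; the href must point at that same artifact.
    expected = f"{D3FEND_BASE}{label}/"
    if href != expected:
        problems.append(f"href {href!r} does not match anchor text {label}; expected {expected!r}")
    relation = "defined_by" if rel == "Defined by" else "see_also"
    return {"relation": relation, "id": label, "href": href}, problems


def lint_objects(objects: Dict[str, dict]) -> Dict[str, Tuple[Optional[dict], List[str]]]:
    """Lint a {object_name: definition} map, e.g. one loaded from objects/*.json."""
    return {name: check_description(obj.get("description", "")) for name, obj in objects.items()}


def lint_directory(objects_dir: str) -> Dict[str, Tuple[Optional[dict], List[str]]]:
    """Load every *.json under objects_dir (assumed OCSF-style layout) and lint it."""
    objects = {p.stem: json.loads(p.read_text(encoding="utf-8")) for p in Path(objects_dir).glob("*.json")}
    return lint_objects(objects)


# Constructed sample definitions for offline use. The Script sentence mirrors the
# hunk in this PR; the other two descriptions are made up to exercise the checks.
SAMPLE_OBJECTS = {
    "script": {
        "caption": "Script",
        "description": (
            "The Script object describes a script or command that can be executed by a shell, "
            "script engine, or interpreter. Defined by D3FEND <a target='_blank' "
            "href='https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/'>d3f:ExecutableScript</a>."
        ),
    },
    "domain_contact": {
        "caption": "Domain Contact",
        "description": (
            "Constructed description of a registered domain's contact record. "
            "See also in D3FEND <a target='_blank' "
            "href='https://d3fend.mitre.org/dao/artifact/d3f:DomainRegistration/'>d3f:DomainRegistration</a>."
        ),
    },
    "mismatched": {
        "caption": "Mismatched",
        "description": (
            "Constructed bad example: anchor text and URL disagree. Defined by D3FEND <a target='_blank' "
            "href='https://d3fend.mitre.org/dao/artifact/d3f:Account/'>d3f:UserAccount</a>."
        ),
    },
}

if __name__ == "__main__":
    for name, (mapping, problems) in lint_objects(SAMPLE_OBJECTS).items():
        print(f"{name}: {mapping} {'OK' if not problems else problems}")
```

Run against a checkout with `lint_directory("objects")` to get one result per object file; the `relation` field lets a downstream consumer keep the "defined by" and "see also" cases apart, which is what makes the looser relation usable without pretending the definitions are identical.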

@pagbabian-splunk

These all look good using the current form of relationships to D3FEND artifact definitions. However, now that we have references and source metaschema, we are looking at either using those mechanisms or using a specific ontology metaschema keyword(s) that have been proposed by @netfl0. We would then convert these to using the keywords, and back-port the existing linkages.

pagbabian-splunk added a commit that referenced this pull request Nov 25, 2024
… PR #1173 doing it the old way via descriptions.

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
6 participants