From 807de495acbc922f9dfdc04b0b17d5378333fc99 Mon Sep 17 00:00:00 2001 From: Dave McCormack Date: Wed, 16 Oct 2024 13:19:52 +0100 Subject: [PATCH 1/4] Removed redundant attribute from Windows extension to startup_info object. Signed-off-by: Dave McCormack --- CHANGELOG.md | 1 + extensions/windows/objects/startup_item.json | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index becd4e899..5da7fa4e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -88,6 +88,7 @@ Thankyou! --> ### Bugfixes 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180 2. Added a fix (profile: null) to `OSINT Inventory Info` so that the `osint` attribute is present w/o the OSINT profile, per the class definition. + 3. Removed redundant `name` attribute from Windows extension to the `startup_item` object for consistency with other extensions. #1203 * #### Profiles 1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178 diff --git a/extensions/windows/objects/startup_item.json b/extensions/windows/objects/startup_item.json index dfe30b149..fe09fc4c0 100644 --- a/extensions/windows/objects/startup_item.json +++ b/extensions/windows/objects/startup_item.json @@ -1,6 +1,5 @@ { "caption": "Startup Item", - "name": "startup_item", "description": "The startup item object describes an application component that has associated startup criteria and configurations.", "extends": "startup_item", "attributes": { From 1eba6dca09c72029e9c6c534c55e6d31c69dbbf2 Mon Sep 17 00:00:00 2001 From: Dave McCormack Date: Tue, 29 Oct 2024 19:34:03 +0000 Subject: [PATCH 2/4] Introduce `long_string` object to represent long strings. 
Signed-off-by: Dave McCormack --- CHANGELOG.md | 24 +++++++++++------------ dictionary.json | 32 ++++++++++++++++++++----------- objects/environment_variable.json | 12 ++++-------- objects/long_string.json | 20 +++++++++++++++++++ objects/script.json | 3 --- 5 files changed, 56 insertions(+), 35 deletions(-) create mode 100644 objects/long_string.json diff --git a/CHANGELOG.md b/CHANGELOG.md index 45c411b9d..9c7eb6cdd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -56,16 +56,16 @@ Thankyou! --> 7. Added `is_alert` as a `boolean_t`, #1179 8. Added `working_directory` as a `string_t`. #1195 9. Added `is_deleted` a `boolean_t`. #1196 - 10. Added `is_script_content_truncated` as a `boolean_t`. #1198 - 11. Added `body_length` as an `integer_t` #1200 - 12. Added `is_public` as a `boolean_t` #1208 - 13. Added `tags` as n array of `tag` object. #1207 - 14. Added `community_uid` as a `string_t`. #1202 - + 10. Added `body_length` as an `integer_t` #1200 + 11. Added `is_public` as a `boolean_t` #1208 + 12. Added `tags` as n array of `tag` object. #1207 + 13. Added `community_uid` as a `string_t`. #1202 + 14. Added `variable_name` and `variable_value` as `long_string`. #1227 * #### Objects 1. Added `environment_variable` object. #1172 2. Added `advisory` object. #1176 3. Added a `tag` object. #1207 + 4. Added a `long_string` object. #1227 ### Improved * #### Event Classes 
@@ -87,13 +87,11 @@ Thankyou! --> 11. Added `http_headers` to `email` object. #1199 12. Added `working_directory` to `process` object. #1195 13. Added `is_deleted` to `file` object. #1196 - 14. Added `is_script_content_truncated` to `script` object. #1198 - 15. Added entry for VBA macros to `type_id` enum in `script` object. #1198 - 16. Added `body_length` to the `http_response` and `http_request` objects. #1200 - 17. Added `is_public` to the `databucket` object. #1208 - 18. Added `tags` to the `account`, `container`, `image`, `ldap_person`, `metadata`, `resource_details`, `service`, `web_resource` objects. #1207 - 19. Added `domain` as a constraint to `network_endpoint` object. #1224 - + 14. Added entry for VBA macros to `type_id` enum in `script` object. #1198 + 15. Added `body_length` to the `http_response` and `http_request` objects. #1200 + 16. Added `is_public` to the `databucket` object. #1208 + 17. Added `tags` to the `account`, `container`, `image`, `ldap_person`, `metadata`, `resource_details`, `service`, `web_resource` objects. #1207 + 18. Added `domain` as a constraint to `network_endpoint` object. #1224 ### Bugfixes 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180 diff --git a/dictionary.json b/dictionary.json index e7abf1ea6..dec0145bf 100644 --- a/dictionary.json +++ b/dictionary.json @@ -2447,11 +2447,6 @@ "description": "A determination if a policy, rule, or enforcement action was applied.", "type": "boolean_t" }, - "is_attribute_truncated": { - "caption": "Attribute Truncated", - "description": "The indication of whether or not an attribute is truncated.", - "type": "boolean_t" - }, "is_cleartext": { "caption": "Cleartext Credentials", "description": "Indicates whether the credentials were passed in clear text.

Note: True if the credentials were passed in a clear text protocol such as FTP or TELNET, or if Windows detected that a user's logon password was passed to the authentication package in clear text.

", @@ -2532,11 +2527,6 @@ "description": "The indication of whether this is a lease/session renewal event.", "type": "boolean_t" }, - "is_script_content_truncated": { - "caption": "Is Script Content Truncated", - "description": "Indicates if the contents of the script_content attribute have been truncated.", - "type": "boolean_t" - }, "is_secure": { "caption": "Secure", "description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.", @@ -2567,6 +2557,11 @@ "description": "Whether the authentication factor is a Time-based One-time Password (TOTP).", "type": "boolean_t" }, + "is_truncated": { + "caption": "Is Truncated", + "description": "Indicates that an attribute has been truncated. See specific usage.", + "type": "boolean_t" + }, "is_trusted": { "caption": "Trusted Device", "description": "The event occurred on a trusted device.", @@ -4049,7 +4044,7 @@ "observable": 36, "caption": "Script Content", "description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated.", - "type": "string_t" + "type": "long_string" }, "section_a": { "caption": "JA4 Section A", @@ -4744,6 +4739,11 @@ "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.", "type": "object" }, + "untruncated_size": { + "caption": "Untruncated Size", + "description": "The size in bytes of an attribute before truncation. See specific usage.", + "type": "integer_t" + }, "url": { "caption": "URL", "description": "The URL object that pertains to the event or object. See specific usage.", 
@@ -4786,6 +4786,16 @@
 "description": "The value that pertains to the object. See specific usage.",
 "type": "string_t"
 },
+ "variable_name": {
+ "caption": "Variable Name",
+ "description": "The name of a variable. See specific usage.",
+ "type": "long_string"
+ },
+ "variable_value": {
+ "caption": "Variable Value",
+ "description": "The value of a variable. See specific usage.",
+ "type": "long_string"
+ },
 "vector_string": {
 "caption": "Vector String",
 "description": "The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.",
diff --git a/objects/environment_variable.json b/objects/environment_variable.json
index c3ee38ccf..805febab9 100644
--- a/objects/environment_variable.json
+++ b/objects/environment_variable.json
@@ -4,17 +4,13 @@
 "extends": "object",
 "name": "environment_variable",
 "attributes": {
- "name": {
- "description": "The name of the environment variable.",
+ "variable_name": {
+ "description": "The name of the environment variable. Note that some operating systems permit environment variables to have very long names.",
 "requirement": "required"
 },
- "value": {
- "description": "The value of the environment variable.",
+ "variable_value": {
+ "description": "The value of the environment variable. Note that some operating systems permit environment variables to have very long values.",
 "requirement": "required"
- },
- "is_attribute_truncated": {
- "description": "Whether the name or value of the environment variable has been truncated.",
- "requirement": "optional"
 }
 }
 }
\ No newline at end of file
diff --git a/objects/long_string.json b/objects/long_string.json
new file mode 100644
index 000000000..fa9f9123b
--- /dev/null
+++ b/objects/long_string.json
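Review bot: Renaming `name`/`value` to `variable_name`/`variable_value` in the `environment_variable.json` hunk changes the object's wire shape twice over — the keys change and each value becomes a `long_string` object instead of a string — so any producer already emitting the object added under #1172 breaks; if #1172 ships in the same release that is fine, but the changelog should say the object's shape changed rather than only list the new attributes. Both attributes stay `required`, yet nothing tells a consumer to check `variable_name.is_truncated` and `variable_value.is_truncated` before matching these fields against detection content; adding `Consumers should check is_truncated before comparing this value, since a truncated value may omit the part that matters.` to both descriptions would close that gap. The object's caption and description lines are outside the hunk.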
@@ -0,0 +1,20 @@
+{
+ "caption": "Long String",
+ "description": "This object is a used to capture strings which may be truncated by a security product due to their length.",
+ "extends": "object",
+ "name": "long_string",
+ "attributes": {
+ "value": {
+ "description": "The string value, truncated if is_truncated is true.",
+ "requirement" : "required"
+ },
+ "is_truncated": {
+ "description": "Indicates that value has been truncated. May be omitted if truncation has not occurred.",
+ "requirement" : "optional"
+ },
+ "untruncated_size": {
+ "description": "The size in bytes of the string represented by value before truncation. Should be omitted if truncation has not occurred.",
+ "requirement" : "optional"
+ }
+ }
+}
\ No newline at end of file
diff --git a/objects/script.json b/objects/script.json
index 53b19a7a6..3ace907f6 100644
--- a/objects/script.json
+++ b/objects/script.json
@@ -12,9 +12,6 @@
 "description": "An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the script_content attribute.",
 "requirement": "recommended"
 },
- "is_script_content_truncated": {
- "requirement": "optional"
- },
 "parent_uid": {
 "description": "This attribute relates a sub-script to a parent script having the matching uid attribute. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS.",
 "requirement": "optional"
From 009b0f14bda83a64646f5303d6637b4c48f1567f Mon Sep 17 00:00:00 2001
From: Dave McCormack
Date: Wed, 30 Oct 2024 12:59:19 +0000
Subject: [PATCH 3/4] Update CHANGELOG.md

Signed-off-by: Dave McCormack
---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b7b17ea2e..1423c3809 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
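Review bot: The `description` of the new `long_string` object reads "This object is a used to capture strings", which should be `This object is used to capture strings which may be truncated by a security product due to their length.` The three `"requirement" : "..."` lines put a space before the colon, unlike `"requirement": "required"` in `environment_variable.json` in the same series, and the file ends without a trailing newline; both are worth normalising before this file becomes the template for other objects. The `is_truncated` and `untruncated_size` descriptions each say the attribute may or should be omitted when nothing was truncated, but neither states that `untruncated_size` is only meaningful when `is_truncated` is `true` or that an absent `is_truncated` is to be read as `false`, which a consumer needs in order to decide whether `value` is safe to match on in full; I would add to `untruncated_size`: `Only meaningful when is_truncated is true; consumers should treat an absent is_truncated as false.`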
@@ -60,12 +60,12 @@ Thankyou! --> 11. Added `is_public` as a `boolean_t` #1208 12. Added `tags` as n array of `tag` object. #1207 13. Added `community_uid` as a `string_t`. #1202 - 14. Added `variable_name` and `variable_value` as `long_string`. #1227 + 14. Added `variable_name` and `variable_value` as `long_string`. #1228 * #### Objects 1. Added `environment_variable` object. #1172 2. Added `advisory` object. #1176 3. Added a generic `key_value_object` object. #1219 - 4. Added a `long_string` object. #1227 + 4. Added a `long_string` object. #1228 ### Improved * #### Event Classes From feb98811290cb0ce21d02b7bbf340b384cf44305 Mon Sep 17 00:00:00 2001 From: Dave McCormack Date: Wed, 30 Oct 2024 19:00:27 +0000 Subject: [PATCH 4/4] Update CHANGELOG.md Signed-off-by: Dave McCormack --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe669b031..b04ebda58 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -52,7 +52,6 @@ Thankyou! --> * #### Dictionary Attributes 1. Added `has_mfa` as a `boolean_t`. #1155 1. Added `environment_variables` as an array of `environment_variable` object. #1172 - 1. Added `is_attribute_truncated` as a `boolean_t`. #1172 1. Added `forward_addr` as an `email_t`. #1179 1. Added `related_cves`, `related_cwes` as arrays of `cve`, `cwe` objects respectively. #1176 1. Added `exploit_last_seen_time` as a `timestamp_t`. #1176