Skip to content

Commit

Permalink
user Object expansion and related Observables creation (ocsf#1155)
Browse files Browse the repository at this point in the history
Expands the `user` object to add relevant data that comes from various
Identity Providers or Directories while keep relevance with LDAP and
MITRE D3FEND.

- Add Observable `type_id` 31-35 for User UID, Group Name, Group UID,
Account Name, Account UID
- Add `phone_number` to `user` and to `ldap_person` - this attribute can
be assigned to both or one or the other depending on the upstream
system. For instance Entra ID or Okta
- ~~Add `state_id` and `state` to `user` to represent the various states
of a user record in a directory or IDP such as their provisioning
status, (de)activation. This is 1:1 with Okta with an extra `Deleted`
enum added for Google Workspace~~ Removed as ocsf#1136 already has a
solution
- Add `has_mfa` Boolean to Dictionary and `user` object as a quick way
to tell if a `user` has MFA/2FA enabled/assigned to them

---------

Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
  • Loading branch information
2 people authored and query-jeremy committed Aug 20, 2024
1 parent 4815676 commit f1a0c4a
Show file tree
Hide file tree
Showing 6 changed files with 45 additions and 5 deletions.
17 changes: 17 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,23 @@ Thankyou! -->
-->

## [Unreleased]

### Added
* #### Event Classes
1. Added `OSINT Inventory Info` event class to the Discovery category. #1154

### Improved
* #### Objects
1. Added `phone_number` to `user` and `ldap_person` objects. #1155
2. Added `has_mfa` to `user` object. #1155

### Misc
1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
2. Added `group.name` and `group.uid` as Observable types - `type_id: 32` and `type_id: 33`, respectively. #1155
3. Added `account.name` and `account.uid` as Observable types - `type_id: 34` and `type_id: 35`, respectively. #1155
4. Added `has_mfa` boolean_t to Dictionary. #1155

## [v1.3.0] - August 1st, 2024

### Added
Expand Down
5 changes: 5 additions & 0 deletions dictionary.json
Original file line number Diff line number Diff line change
Expand Up @@ -2124,6 +2124,11 @@
"description": "The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
"type": "integer_t"
},
"has_mfa": {
"caption": "MFA Assigned",
"description": "The user has a multi-factor or secondary-factor device assigned.",
"type": "boolean_t"
},
"hash": {
"caption": "Hash",
"description": "The hash attribute is the value of a digital fingerprint including information about its algorithm.",
Expand Down
6 changes: 4 additions & 2 deletions objects/account.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,8 @@
"extends": "_entity",
"attributes": {
"name": {
"description": "The name of the account (e.g. GCP Account Name)."
"description": "The name of the account (e.g. GCP Account Name).",
"observable": 34
},
"type": {
"caption": "Type",
Expand Down Expand Up @@ -58,7 +59,8 @@
"requirement": "recommended"
},
"uid": {
"description": "The unique identifier of the account (e.g. AWS Account ID)."
"description": "The unique identifier of the account (e.g. AWS Account ID).",
"observable": 35
},
"labels": {
"caption": "Labels",
Expand Down
6 changes: 4 additions & 2 deletions objects/group.json
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,8 @@
"requirement": "optional"
},
"name": {
"description": "The group name."
"description": "The group name.",
"observable": 32
},
"privileges": {
"description": "The group privileges.",
Expand All @@ -25,7 +26,8 @@
"requirement": "optional"
},
"uid": {
"description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group."
"description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.",
"observable": 33
}
}
}
5 changes: 5 additions & 0 deletions objects/ldap_person.json
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,11 @@
"office_location": {
"requirement": "optional"
},
"phone_number": {
"caption": "Telephone Number",
"description": "The telephone number of the user. Corresponds to the LDAP <code>Telephone-Number</code> CN.",
"requirement": "optional"
},
"surname": {
"requirement": "optional"
}
Expand Down
11 changes: 10 additions & 1 deletion objects/user.json
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@
"description": "The administrative groups to which the user belongs.",
"requirement": "optional"
},
"has_mfa": {
"requirement": "recommended"
},
"ldap_person": {
"description": "The additional LDAP attributes that describe a person.",
"requirement": "optional"
Expand All @@ -39,6 +42,11 @@
"description": "Organization and org unit related to the user.",
"requirement": "optional"
},
"phone_number": {
"caption": "Telephone Number",
"description": "The telephone number of the user.",
"requirement": "optional"
},
"risk_level": {
"requirement": "optional"
},
Expand Down Expand Up @@ -78,7 +86,8 @@
},
"uid": {
"description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
"requirement": "recommended"
"requirement": "recommended",
"observable": 31
},
"uid_alt": {
"description": "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.",
Expand Down

0 comments on commit f1a0c4a

Please sign in to comment.