From f1a0c4a81006c366edfc279d1b6207d7823143dc Mon Sep 17 00:00:00 2001
From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Date: Tue, 13 Aug 2024 13:09:49 -0400
Subject: [PATCH] `user` Object expansion and related Observables creation (#1155)

Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND.

- Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID
- Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta
- ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as #1136 already has a solution
- Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them

---------

Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
---
 CHANGELOG.md | 17 +++++++++++++++++
 dictionary.json | 5 +++++
 objects/account.json | 6 ++++--
 objects/group.json | 6 ++++--
 objects/ldap_person.json | 5 +++++
 objects/user.json | 11 ++++++++++-
 6 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 68941f5f9..7e9466cd0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,6 +39,23 @@ Thankyou! --> --> +## [Unreleased] + +### Added +* #### Event Classes + 1. Added `OSINT Inventory Info` event class to the Discovery category. #1154 + +### Improved +* #### Objects + 1. Added `phone_number` to `user` and `ldap_person` objects. #1155 + 2. Added `has_mfa` to `user` object. #1155 + +### Misc +1. Added `user.uid` as an Observable type - `type_id: 31`. #1155 +2. Added `group.name` and `group.uid` as Observable types - `type_id: 32` and `type_id: 33`, respectively. #1155 +3. Added `account.name` and `account.uid` as Observable types - `type_id: 34` and `type_id: 35`, respectively. #1155 +4. Added `has_mfa` boolean_t to Dictionary. #1155 + ## [v1.3.0] - August 1st, 2024 ### Added
diff --git a/dictionary.json b/dictionary.json
index 186e76fc2..2ced1b5ed 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -2124,6 +2124,11 @@
 "description": "The amount of total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds.",
 "type": "integer_t"
 },
+"has_mfa": {
+"caption": "MFA Assigned",
+"description": "The user has a multi-factor or secondary-factor device assigned.",
+"type": "boolean_t"
+},
 "hash": {
 "caption": "Hash",
 "description": "The hash attribute is the value of a digital fingerprint including information about its algorithm.",
diff --git a/objects/account.json b/objects/account.json
index 48deb20dd..9e33ae9a6 100644
--- a/objects/account.json
+++ b/objects/account.json
@@ -5,7 +5,8 @@
 "extends": "_entity",
 "attributes": {
 "name": {
-"description": "The name of the account (e.g. GCP Account Name)."
+"description": "The name of the account (e.g. GCP Account Name).",
+"observable": 34
 },
 "type": {
 "caption": "Type",
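Review bot: The `has_mfa` description added to dictionary.json says a factor is "assigned", which most consumers will read as "MFA is enforced for this user"; in the identity providers the commit message cites, a registered or assigned authenticator and an enforced sign-in policy are distinct states, so a `true` here cannot safely be taken as "this account is protected". I'd make the boolean's claim explicit, e.g. `"description": "Indicates whether the user has at least one multi-factor or secondary-factor authenticator registered or assigned. This does not assert that MFA is enforced at sign-in."`. The caption `MFA Assigned` is consistent with that narrower reading, so only the description needs the change.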
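Review bot: The `"observable": 34` added on `account.name` is one of five hand-picked literals (31 through 35) spread over account.json, group.json and user.json, and the diffstat lists no file that would give those ids a caption or description; if the observable `type_id` enum is maintained by hand elsewhere in the schema, consumers will see bare ids for the new types, and if it is generated from these annotations a line in the PR description saying so would spare the next reviewer the check. Either way nothing in the patch shows that 31–35 were checked against ids already in use, and a duplicate would presumably surface as mislabeled observables at ingestion rather than as a schema build failure. The same comment applies to the hunks adding `35` (account.uid), `32` and `33` (group.name, group.uid) and `31` (user.uid).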
@@ -58,7 +59,8 @@
 "requirement": "recommended"
 },
 "uid": {
-"description": "The unique identifier of the account (e.g. AWS Account ID)."
+"description": "The unique identifier of the account (e.g. AWS Account ID).",
+"observable": 35
 },
 "labels": {
 "caption": "Labels",
diff --git a/objects/group.json b/objects/group.json
index 0d44af547..88f6e73e4 100644
--- a/objects/group.json
+++ b/objects/group.json
@@ -13,7 +13,8 @@
 "requirement": "optional"
 },
 "name": {
-"description": "The group name."
+"description": "The group name.",
+"observable": 32
 },
 "privileges": {
 "description": "The group privileges.",
@@ -25,7 +26,8 @@
 "requirement": "optional"
 },
 "uid": {
-"description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group."
+"description": "The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.",
+"observable": 33
 }
 }
 }
diff --git a/objects/ldap_person.json b/objects/ldap_person.json
index e3bbaaf10..0749b351f 100644
--- a/objects/ldap_person.json
+++ b/objects/ldap_person.json
@@ -59,6 +59,11 @@
 "office_location": {
 "requirement": "optional"
 },
+"phone_number": {
+"caption": "Telephone Number",
+"description": "The telephone number of the user. Corresponds to the LDAP Telephone-Number CN.",
+"requirement": "optional"
+},
 "surname": {
 "requirement": "optional"
 }
diff --git a/objects/user.json b/objects/user.json
index bfa1d11b1..5840b42e4 100644
--- a/objects/user.json
+++ b/objects/user.json
@@ -26,6 +26,9 @@
 "description": "The administrative groups to which the user belongs.",
 "requirement": "optional"
 },
+"has_mfa": {
+"requirement": "recommended"
+},
 "ldap_person": {
 "description": "The additional LDAP attributes that describe a person.",
 "requirement": "optional"
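Review bot: The description on the `phone_number` added to ldap_person.json refers to "the LDAP Telephone-Number CN", but `telephoneNumber` is an LDAP attribute type (RFC 4519), not a CN; "Telephone-Number" is the display name Active Directory gives that attribute. I'd reword to `"description": "The telephone number of the user. Corresponds to the LDAP telephoneNumber attribute."`. Neither this description nor the one added to user.json says anything about format, and since the commit message expects the same person to be seen from LDAP and from an IdP, stating a preferred normalization (for example E.164) would keep the two objects' values comparable rather than one carrying a formatted local number and the other a bare digit string.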
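Review bot: `has_mfa` is added to `user` with `"requirement": "recommended"` and no object-level description, so producers are steered to emit it while nothing says what an omitted attribute means; a consumer looking for unprotected accounts will then treat "not reported by this source" and "no MFA" identically, and a source that cannot see MFA state may emit `false` to satisfy the recommendation. A short override on the object would settle it, e.g. `"description": "Indicates whether the user has a multi-factor or secondary-factor authenticator assigned. Omit the attribute when the identity source does not expose MFA state rather than reporting false."`. The enclosing `attributes` object starts and ends outside this hunk.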
@@ -39,6 +42,11 @@
 "description": "Organization and org unit related to the user.",
 "requirement": "optional"
 },
+"phone_number": {
+"caption": "Telephone Number",
+"description": "The telephone number of the user.",
+"requirement": "optional"
+},
 "risk_level": {
 "requirement": "optional"
 },
@@ -78,7 +86,8 @@
 },
 "uid": {
 "description": "The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.",
-"requirement": "recommended"
+"requirement": "recommended",
+"observable": 31
 },
 "uid_alt": {
 "description": "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.",