
Update Event Facet #375

Closed
12 tasks done
cyberinvestigationexpress opened this issue May 2, 2022 · 8 comments · Fixed by #414, #473 or #474

Comments


cyberinvestigationexpress commented May 2, 2022

Background

Need to update EventFacet to reference the originating device rather than representing computerName as a string. In addition, need to add a property to EventFacet for the user account referenced by an event.

NOTE: Parts of this proposal related to SSN/SOSA have been moved to a new change proposal #404. Other proposed properties have been divided into issues #401 and #396

Requirements

Requirement 1

The device that generated an event shall be referenced as a Device observable object, not represented as a string.

Requirement 2

The user account referenced by an event shall be referenced as an Account observable object.

Risk / Benefit analysis

Benefits

Represent nodes in the graph rather than as strings.

Risks

The submitter is not aware of any risks associated with the proposed changes.

Competencies demonstrated

A Microsoft Windows Event Log (EVTX) entry should be well-described by the EventFacet. Other competencies are enumerated here.

Competency 1

Reference the device that generated the event.

Competency Question 1.1

What logs did a particular device generate?

Result 1.1

Query returns the logs generated by a particular device.

Competency 2

Reference the user account that is referenced by the event.

Competency Question 2.1

What user account is referenced by the event?

Result 2.1

Query returns the user account referenced by the event.

Solution suggestion

  • Change observable:computerName property to a reference to an object representing the computer that generated the event
  • Add observable:user property to EventFacet to reference an object representing a user AccountFacet related to this EventFacet
  • Add unit test showing potential errors in property usage and how to avoid them

Coordination

  • Tracking in Jira ticket OC-94
  • Administrative review to be completed
  • Requirements to be discussed in Ontology Committee (OC) meeting, 2022-07-28
  • Requirements Review vote occurred, passing, on 2022-07-28
  • Requirements development phase completed.
  • Solutions Approval to be discussed in OC meeting, 2022-08-25
  • Solutions Approval vote occurred, passing, on 2022-08-25
  • Solutions development phase completed.
  • Implementation merged into develop
  • Implementation part 2 merged into develop
  • Implementation part 3 merged into develop
  • Milestone linked
  • Documentation logged in pending release page
@ajnelson-nist

This issue happens to be related to CASE Issue 87, which would add cryptocurrency representations into the CDO ecosystem. Where they have some overlap is both currently are considering importing the SSN/SOSA/QUDT ontologies. I note that here because this is an ontological risk to UCO, which I'll note on the proposal text in a moment - UCO has not yet imported an external ontology.

I have a request related to this proposal's content - the term "Event" is usually a term reserved for a top-level ontological concept. I'd expect a subclass of events to be, say, measurement events like those described in this proposal; I'd also expect another subclass to be phone calls, or music concerts, or gatherings in the park. The term "Event" is too broadly scoped to restrict to only things reconstructed from system logs.

I think with the scoping of the competency questions, it would make sense to be a little more steered by adopting SSN. From the class overview documentation, it looks like UCO would adopt the sosa:Observation class. We have some conflict with UCO already having defined observable:Observation, but to date there is no demonstrated usage or other documentation of the class. Perhaps we could take this opportunity to repurpose observable:Observation, turning it into a subclass of sosa:Observation instead of action:Action?

@ajnelson-nist

@sbarnum , I think you were one of the main proposers of the observable:Observation class. Do you have any reactions to the above proposal to repurpose the class?

@ajnelson-nist

@cyberinvestigationexpress , there's a design issue with CQ1.1. Why would a query for times an app was used return timestamps, which are 0-dimensional points, rather than time intervals? There are two similar questions this CQ could morph into:
1.1 - During what time intervals was an application used?
1.2 - Was the application being used at time T?
If you agree, I can adjust the CQ from how you have it worded.

@cyberinvestigationexpress

This proposal needs to be divided into multiple proposals addressing different issues. Issues #396 and #401 proposed adding specific properties to EventFacet. The current proposal could concentrate on two properties in EventFacet being represented as references to objects:

  1. observable:computerName = a reference to an object representing a device that generated the event (consider changing property name to observable:deviceName)

  2. observable:user = a reference to an object representing a user AccountFacet related to the event

The importing of SSN/SOSA/QUDT ontologies for sensor measurements and currencies requires a dedicated new change proposal.

@cyberinvestigationexpress

This proposal addresses part of UCO CP-44.

@ajnelson-nist ajnelson-nist linked a pull request Aug 12, 2022 that will close this issue
10 tasks
ajnelson-nist added a commit that referenced this issue Aug 12, 2022
This typing error was flagged by the OWL SHACL review mechanism.

References:
* #375
* #406

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit that referenced this issue Aug 12, 2022
This typing error was flagged by the OWL SHACL review mechanism.

References:
* #375
* #406

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit that referenced this issue Aug 12, 2022
This typing error was flagged by the OWL SHACL review mechanism.

References:
* #375
* #406

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit to casework/CASE-Examples that referenced this issue Aug 12, 2022
No effects were observed on Make-managed files.

References:
* ucoProject/UCO#375

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit to casework/casework.github.io that referenced this issue Aug 12, 2022
A follow-on patch will regenerate Make-managed files.

References:
* ucoProject/UCO#375

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit to casework/casework.github.io that referenced this issue Aug 12, 2022
References:
* ucoProject/UCO#375

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
@ajnelson-nist ajnelson-nist added this to the UCO 1.0.0 milestone Aug 12, 2022

sbarnum commented Aug 25, 2022

I have no objection to removing observable:computerName and replacing it with a Device property.
I do see two significant issues with the current solution implementation.

  1. While the observable:computerName property definition was removed, the SHACL property shape for it was left on EventFacet (I am also a little confused on which PR changes the name EventFacet to EventRecordFacet as agreed)
  2. The property name observable:device is FAR too general to be defined specifically as "The device on which the log entry was generated." This property needs to be named something more specific such as observable:eventRecordDevice

@ajnelson-nist

Thanks, Sean! Agreed on the shape, and eventRecordDevice. Will change the name.

@ajnelson-nist

Ah, foiled by forgetting a checklist line. I didn't get @sbarnum 's fixes in before merging 414. @b0bkaT , we need a follow-on PR to implement Sean's suggestions; please don't post docs on this one yet.

ajnelson-nist added a commit that referenced this issue Aug 27, 2022
This needed to be applied before merging PR 414.

References:
* #375

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
@ajnelson-nist ajnelson-nist linked a pull request Aug 27, 2022 that will close this issue
11 tasks
ajnelson-nist added a commit that referenced this issue Aug 27, 2022
No effects were observed on Make-managed files.

References:
* #375

Reported-by: Sean Barnum <sbarnum@mitre.org>
Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit that referenced this issue Aug 27, 2022
No effects were observed on Make-managed files.

References:
* #375

Co-authored-by: Sean Barnum <sbarnum@mitre.org>
Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit to casework/CASE-Archive that referenced this issue Aug 27, 2022
No effects were observed on Make-managed files.

References:
* ucoProject/UCO#375

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit to casework/CASE-Examples that referenced this issue Aug 27, 2022
No effects were observed on Make-managed files.

References:
* ucoProject/UCO#375

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit to casework/casework.github.io that referenced this issue Aug 27, 2022
A follow-on patch will regenerate Make-managed files.

References:
* ucoProject/UCO#375

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
ajnelson-nist added a commit to casework/casework.github.io that referenced this issue Aug 27, 2022
References:
* ucoProject/UCO#375

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>