Merge branch 'main' into 1148-enrichment-extension

Signed-off-by: Rajas <[email protected]>

CHANGELOG.md

@@ -60,6 +60,7 @@ Thankyou! -->
     8. Added `domain_contact` and array-typed `domain_contacts` object for use with `whois` object. #992
     9. Added `Windows Service` object to the Windows extension. #1103
     10. Added array-typed `compliance_references` and array-typed `compliance_standards` objects as array of `kb_article` to `compliance` object. #1110
+    11. Added `timespan` object and `avg_timespan` to dictionary. #1125
 * #### Platform Extensions
 
 ### Improved
@@ -83,7 +84,10 @@ Thankyou! -->
     7. Added `vendor_name`, `type`, `type_id` to object `package`. #1093
     8. Added `router`, `ids`, and `ips` entries to `type_id` enum in the `Endpoint` object. #1121
     9. Added `job` to `Evidence Artifacts` object. #1130
-    10. Added `created_time`,`desc`, `short_desc`, `reputation`, `src_url` to `enrichment` object. #1149
+    10. Added `ip` to object `load_balancer`. #1138
+    11. Added `cpe_name` and `hash` to `Software Package` object. #1142
+    12. Added `avg_timespan` to the `kb_article` object. #1125
+    13. 10. Added `created_time`,`desc`, `short_desc`, `reputation`, `src_url` to `enrichment` object. #1149
 * #### Platform Extensions
 
 ### Bugfixes
@@ -108,6 +112,7 @@ Thankyou! -->
     * Updated several attributes that do not follow conventions to disable linting for them
 8. Added `credential_uid` as an Observable type - type_id: 19. #1137
 9. New Extension registration for US Gov #1140
+10. Enum definitions refactored so generic enum descriptions have "See specific usage" in the description #1146
 
 ## [v1.2.0] - April 23rd, 2024
 

dictionary.json

@@ -140,7 +140,7 @@
     },
     "algorithm_id": {
       "caption": "Algorithm ID",
-      "description": "The identifier of the normalized algorithm. See specific usage.",
+      "description": "The normalized identifier of the algorithm. See specific usage.",
       "sibling": "algorithm",
       "type": "integer_t",
       "enum": {
@@ -315,6 +315,11 @@
       "description": "The unique identifier of the cloud autoscale configuration.",
       "type": "string_t"
     },
+    "avg_timespan": {
+      "caption": "Average Timespan",
+      "description": "The average time span of an activity.",
+      "type": "timespan"
+    },
     "banner": {
       "caption": "SMTP Banner",
       "description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
@@ -843,17 +848,17 @@
     },
     "classification_ids": {
       "caption": "Classification IDs",
-      "description": "The list of normalized identifiers of the malware classifications. Reference: <a target='_blank' href='https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_oxlc4df65spl'>STIX Malware Types</a> ",
+      "description": "The list of normalized classification identifiers. See specific usage.",
       "sibling": "classifications",
       "type": "integer_t",
       "enum": {
         "0": {
           "caption": "Unknown",
-          "description": "The malware classification is unknown."
+          "description": "The classification is unknown."
         },
         "99": {
           "caption": "Other",
-          "description": "The malware classification is not mapped. See the <code>classifications</code> array, which contains a data source specific value."
+          "description": "The classification is not mapped. See the <code>classifications</code> attribute, which contains a data source specific value."
         }
       },
       "is_array": true
@@ -1510,6 +1515,114 @@
           "caption": "Unknown",
           "description": "The disposition is unknown."
         },
+        "1": {
+          "caption": "Allowed",
+          "description": "Granted access or allowed the action to the protected resource."
+        },
+        "2": {
+          "caption": "Blocked",
+          "description": "Denied access or blocked the action to the protected resource."
+        },
+        "3": {
+          "caption": "Quarantined",
+          "description": "A suspicious file or other content was moved to a benign location."
+        },
+        "4": {
+          "caption": "Isolated",
+          "description": "A session was isolated on the network or within a browser."
+        },
+        "5": {
+          "caption": "Deleted",
+          "description": "A file or other content was deleted."
+        },
+        "6": {
+          "caption": "Dropped",
+          "description": "The request was detected as a threat and resulted in the connection being dropped."
+        },
+        "7": {
+          "caption": "Custom Action",
+          "description": "A custom action was executed such as running of a command script. Use the <code>message</code> attribute of the base class for details."
+        },
+        "8": {
+          "caption": "Approved",
+          "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from <code>1</code> 'Allowed'."
+        },
+        "9": {
+          "caption": "Restored",
+          "description": "A quarantined file or other content was restored to its original location."
+        },
+        "10": {
+          "caption": "Exonerated",
+          "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+        },
+        "11": {
+          "caption": "Corrected",
+          "description": "A corrupt file or configuration was corrected."
+        },
+        "12": {
+          "caption": "Partially Corrected",
+          "description": "A corrupt file or configuration was partially corrected."
+        },
+        "13": {
+          "caption": "Uncorrected",
+          "description": "A corrupt file or configuration was not corrected."
+        },
+        "14": {
+          "caption": "Delayed",
+          "description": "An operation was delayed, for example if a restart was required to finish the operation."
+        },
+        "15": {
+          "caption": "Detected",
+          "description": "Suspicious activity or a policy violation was detected without further action."
+        },
+        "16": {
+          "caption": "No Action",
+          "description": "The outcome of an operation had no action taken."
+        },
+        "17": {
+          "caption": "Logged",
+          "description": "The operation or action was logged without further action."
+        },
+        "18": {
+          "caption": "Tagged",
+          "description": "A file or other entity was marked with extended attributes."
+        },
+        "19": {
+          "caption": "Alert",
+          "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+        },
+        "20": {
+          "caption": "Count",
+          "description": "Counted the request or activity but did not determine whether to allow it or block it."
+        },
+        "21": {
+          "caption": "Reset",
+          "description": "The request was detected as a threat and resulted in the connection being reset."
+        },
+        "22": {
+          "caption": "Captcha",
+          "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+        },
+        "23": {
+          "caption": "Challenge",
+          "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+        },
+        "24": {
+          "caption": "Access Revoked",
+          "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the <code>Host</code> profile if the <code>User</code> or <code>Actor</code> requestor is not present in the event class."
+        },
+        "25": {
+          "caption": "Rejected",
+          "description": "A request or submission was rejected.  For example, when a form was improperly filled out and submitted. This is distinct from <code>2</code> 'Blocked'."
+        },
+        "26": {
+          "caption": "Unauthorized",
+          "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than <code>2</code> 'Blocked' and can be complemented with the <code>authorizations</code> attribute for more detail."
+        },
+        "27": {
+          "caption": "Error",
+          "description": "An error occurred during the processing of the activity or request. Use the <code>message</code> attribute of the base class for details."
+        },
         "99": {
           "caption": "Other",
           "description": "The disposition is not mapped. See the <code>disposition</code> attribute, which contains a data source specific value."
@@ -1602,48 +1715,43 @@
       "type": "network_endpoint"
     },
     "duration": {
-      "caption": "Duration",
-      "description": "The event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.",
+      "caption": "Duration Milliseconds",
+      "description": "This represents the duration of the activity in milliseconds. See specific usage.",
       "type": "long_t"
     },
-    "duration_avg_days": {
-      "caption": "Average Duration Days",
-      "description": "This represents the average duration of the activity in days. See specific usage.",
-      "type": "integer_t"
-    },
-    "duration_avg_hours": {
-      "caption": "Average Duration Hours",
-      "description": "This represents the average duration of the activity in hours. See specific usage.",
+    "duration_days": {
+      "caption": "Duration Days",
+      "description": "Represents the duration of the activity in days. See specific usage.",
       "type": "integer_t"
     },
-    "duration_avg_mins": {
-      "caption": "Average Duration Minutes",
-      "description": "This represents the average duration of the activity in minutes. See specific usage.",
+    "duration_hours": {
+      "caption": "Duration Hours",
+      "description": "Represents the duration of the activity in hours. See specific usage.",
       "type": "integer_t"
     },
-    "duration_avg_months": {
-      "caption": "Average Duration Months",
-      "description": "This represents the average duration of the activity in months. See specific usage.",
+    "duration_mins": {
+      "caption": "Duration Minutes",
+      "description": "Represents the duration of the activity in minutes. See specific usage.",
       "type": "integer_t"
     },
-    "duration_avg_msecs": {
-      "caption": "Average Duration Milliseconds",
-      "description": "This represents the average duration of the activity in milliseconds. See specific usage.",
+    "duration_months": {
+      "caption": "Duration Months",
+      "description": "Represents the duration of the activity in months. See specific usage.",
       "type": "integer_t"
     },
-    "duration_avg_secs": {
-      "caption": "Average Duration Seconds",
-      "description": "This represents the average duration of the activity in seconds. See specific usage.",
+    "duration_secs": {
+      "caption": "Duration Seconds",
+      "description": "Represents the duration of the activity in seconds. See specific usage.",
       "type": "integer_t"
     },
-    "duration_avg_weeks": {
-      "caption": "Average Duration Weeks",
-      "description": "This represents the average duration of the activity in weeks. See specific usage.",
+    "duration_weeks": {
+      "caption": "Duration Weeks",
+      "description": "Represents the duration of the activity in weeks. See specific usage.",
       "type": "integer_t"
     },
-    "duration_avg_years": {
-      "caption": "Average Duration Years",
-      "description": "This represents the average duration of the activity in years. See specific usage.",
+    "duration_years": {
+      "caption": "Duration Years",
+      "description": "Represents the duration of the activity in years. See specific usage.",
       "type": "integer_t"
     },
     "edition": {
@@ -1935,7 +2043,7 @@
     },
     "flag_ids": {
       "caption": "Communication Flag IDs",
-      "description": "The list of normalized identifiers of the communication flag IDs.",
+      "description": "The list of normalized identifiers of the communication flag IDs. See specific usage.",
       "sibling": "flags",
       "type": "integer_t",
       "enum": {
@@ -2238,6 +2346,24 @@
           "caption": "Unknown",
           "description": "The integrity level is unknown."
         },
+        "1": {
+          "caption": "Untrusted"
+        },
+        "2": {
+          "caption": "Low"
+        },
+        "3": {
+          "caption": "Medium"
+        },
+        "4": {
+          "caption": "High"
+        },
+        "5": {
+          "caption": "System"
+        },
+        "6": {
+          "caption": "Protected"
+        },
         "99": {
           "caption": "Other",
           "description": "The integrity level is not mapped. See the <code>integrity</code> attribute, which contains a data source specific value."
@@ -2557,12 +2683,12 @@
     },
     "load_type": {
       "caption": "Load Type",
-      "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.",
+      "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source.",
       "type": "string_t"
     },
     "load_type_id": {
       "caption": "Load Type ID",
-      "description": "The normalized identifier of the load type. It identifies how the module was loaded in memory.",
+      "description": "The normalized identifier of the load type. See specific uasge.",
       "sibling": "load_type",
       "type": "integer_t",
       "enum": {
@@ -3331,7 +3457,7 @@
     },
     "protocol_ver_id": {
       "caption": "Protocol Version ID",
-      "description": "The normalized identifier of the Protocol version.",
+      "description": "The normalized identifier of the Protocol version. See specific usage.",
       "sibling": "protocol_ver",
       "type": "integer_t",
       "enum": {

includes/occurrence.json

@@ -9,6 +9,7 @@
       "requirement": "optional"
     },
     "duration": {
+      "description": "The event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.",
       "requirement": "optional"
     },
     "end_time": {

objects/dns_answer.json

@@ -12,9 +12,6 @@
       "caption": "DNS Header Flags",
       "description": "The list of DNS answer header flag IDs.",
       "enum": {
-        "0": {
-          "caption": "Unknown"
-        },
         "1": {
           "caption": "Authoritative Answer"
         },
@@ -32,10 +29,6 @@
         },
         "6": {
           "caption": "Checking Disabled"
-        },
-        "99": {
-          "caption": "Other",
-          "description": "The event DNS header flag is not mapped."
         }
       },
       "requirement": "recommended"

objects/endpoint.json

@@ -123,6 +123,10 @@
         "14": {
           "caption": "IPS",
           "description": "An <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:IntrusionPreventionSystem/'>intrusion prevention system</a>."
+        },
+       "15": {
+          "caption": "Load Balancer",
+          "description": "A <a target='_blank' href='https://en.wikipedia.org/wiki/Load_balancing_(computing)'> Load Balancer device."
         }
       },
       "requirement": "recommended"

objects/kb_article.json

@@ -4,16 +4,8 @@
   "extends": "object",
   "name": "kb_article",
   "attributes": {
-    "duration_avg_days": {
-      "description": "The average time to patch in days.",
-      "requirement": "optional"
-    },
-    "duration_avg_hours": {
-      "description": "The average time to patch in hours.",
-      "requirement": "optional"
-    },
-    "duration_avg_mins": {
-      "description": "The average time to patch in minutes.",
+    "avg_timespan": {
+      "description": "The average time to patch.",
       "requirement": "optional"
     },
     "install_state": {

objects/load_balancer.json

@@ -30,7 +30,11 @@
         "caption": "Classification",
         "description": "The request classification as defined by the load balancer.",
         "requirement": "optional"
-        },
+    },
+    "ip": {
+        "description": "The IP address of the load balancer node that handled the client request. Note: the load balancer may have other IP addresses, and this is not an IP address of the target/distribution endpoint - see <code>dst_endpoint</code>.",
+        "requirement": "optional"
+    }, 
     "status_detail": {
         "caption": "Status Detail",
         "description": "The status detail contains additional status information about the load balancer distribution event.",