diff --git a/CHANGELOG.md b/CHANGELOG.md
index 08b8bab84..4e311d6e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -60,6 +60,7 @@ Thankyou! -->
8. Added `domain_contact` and array-typed `domain_contacts` object for use with `whois` object. #992
9. Added `Windows Service` object to the Windows extension. #1103
10. Added array-typed `compliance_references` and array-typed `compliance_standards` objects as array of `kb_article` to `compliance` object. #1110
+ 11. Added `timespan` object and `avg_timespan` to dictionary. #1125
* #### Platform Extensions
### Improved
@@ -83,7 +84,10 @@ Thankyou! -->
7. Added `vendor_name`, `type`, `type_id` to object `package`. #1093
8. Added `router`, `ids`, and `ips` entries to `type_id` enum in the `Endpoint` object. #1121
9. Added `job` to `Evidence Artifacts` object. #1130
- 10. Added `created_time`,`desc`, `short_desc`, `reputation`, `src_url` to `enrichment` object. #1149
+ 10. Added `ip` to object `load_balancer`. #1138
+ 11. Added `cpe_name` and `hash` to `Software Package` object. #1142
+ 12. Added `avg_timespan` to the `kb_article` object. #1125
+ 13. 10. Added `created_time`,`desc`, `short_desc`, `reputation`, `src_url` to `enrichment` object. #1149
* #### Platform Extensions
### Bugfixes
@@ -108,6 +112,7 @@ Thankyou! -->
* Updated several attributes that do not follow conventions to disable linting for them
8. Added `credential_uid` as an Observable type - type_id: 19. #1137
9. New Extension registration for US Gov #1140
+10. Enum definitions refactored so generic enum descriptions have "See specific usage" in the description #1146
## [v1.2.0] - April 23rd, 2024
diff --git a/dictionary.json b/dictionary.json
index 1a0d129bf..186e76fc2 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -140,7 +140,7 @@
},
"algorithm_id": {
"caption": "Algorithm ID",
- "description": "The identifier of the normalized algorithm. See specific usage.",
+ "description": "The normalized identifier of the algorithm. See specific usage.",
"sibling": "algorithm",
"type": "integer_t",
"enum": {
@@ -315,6 +315,11 @@
"description": "The unique identifier of the cloud autoscale configuration.",
"type": "string_t"
},
+ "avg_timespan": {
+ "caption": "Average Timespan",
+ "description": "The average time span of an activity.",
+ "type": "timespan"
+ },
"banner": {
"caption": "SMTP Banner",
"description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
@@ -843,17 +848,17 @@
},
"classification_ids": {
"caption": "Classification IDs",
- "description": "The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types ",
+ "description": "The list of normalized classification identifiers. See specific usage.",
"sibling": "classifications",
"type": "integer_t",
"enum": {
"0": {
"caption": "Unknown",
- "description": "The malware classification is unknown."
+ "description": "The classification is unknown."
},
"99": {
"caption": "Other",
- "description": "The malware classification is not mapped. See the classifications
array, which contains a data source specific value."
+ "description": "The classification is not mapped. See the classifications
attribute, which contains a data source specific value."
}
},
"is_array": true
@@ -1510,6 +1515,114 @@
"caption": "Unknown",
"description": "The disposition is unknown."
},
+ "1": {
+ "caption": "Allowed",
+ "description": "Granted access or allowed the action to the protected resource."
+ },
+ "2": {
+ "caption": "Blocked",
+ "description": "Denied access or blocked the action to the protected resource."
+ },
+ "3": {
+ "caption": "Quarantined",
+ "description": "A suspicious file or other content was moved to a benign location."
+ },
+ "4": {
+ "caption": "Isolated",
+ "description": "A session was isolated on the network or within a browser."
+ },
+ "5": {
+ "caption": "Deleted",
+ "description": "A file or other content was deleted."
+ },
+ "6": {
+ "caption": "Dropped",
+ "description": "The request was detected as a threat and resulted in the connection being dropped."
+ },
+ "7": {
+ "caption": "Custom Action",
+ "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
+ },
+ "8": {
+ "caption": "Approved",
+ "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
+ },
+ "9": {
+ "caption": "Restored",
+ "description": "A quarantined file or other content was restored to its original location."
+ },
+ "10": {
+ "caption": "Exonerated",
+ "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
+ },
+ "11": {
+ "caption": "Corrected",
+ "description": "A corrupt file or configuration was corrected."
+ },
+ "12": {
+ "caption": "Partially Corrected",
+ "description": "A corrupt file or configuration was partially corrected."
+ },
+ "13": {
+ "caption": "Uncorrected",
+ "description": "A corrupt file or configuration was not corrected."
+ },
+ "14": {
+ "caption": "Delayed",
+ "description": "An operation was delayed, for example if a restart was required to finish the operation."
+ },
+ "15": {
+ "caption": "Detected",
+ "description": "Suspicious activity or a policy violation was detected without further action."
+ },
+ "16": {
+ "caption": "No Action",
+ "description": "The outcome of an operation had no action taken."
+ },
+ "17": {
+ "caption": "Logged",
+ "description": "The operation or action was logged without further action."
+ },
+ "18": {
+ "caption": "Tagged",
+ "description": "A file or other entity was marked with extended attributes."
+ },
+ "19": {
+ "caption": "Alert",
+ "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
+ },
+ "20": {
+ "caption": "Count",
+ "description": "Counted the request or activity but did not determine whether to allow it or block it."
+ },
+ "21": {
+ "caption": "Reset",
+ "description": "The request was detected as a threat and resulted in the connection being reset."
+ },
+ "22": {
+ "caption": "Captcha",
+ "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
+ },
+ "23": {
+ "caption": "Challenge",
+ "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
+ },
+ "24": {
+ "caption": "Access Revoked",
+ "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
+ },
+ "25": {
+ "caption": "Rejected",
+ "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
+ },
+ "26": {
+ "caption": "Unauthorized",
+ "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
+ },
+ "27": {
+ "caption": "Error",
+ "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
+ },
"99": {
"caption": "Other",
"description": "The disposition is not mapped. See the disposition
attribute, which contains a data source specific value."
@@ -1602,48 +1715,43 @@
"type": "network_endpoint"
},
"duration": {
- "caption": "Duration",
- "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
+ "caption": "Duration Milliseconds",
+ "description": "This represents the duration of the activity in milliseconds. See specific usage.",
"type": "long_t"
},
- "duration_avg_days": {
- "caption": "Average Duration Days",
- "description": "This represents the average duration of the activity in days. See specific usage.",
- "type": "integer_t"
- },
- "duration_avg_hours": {
- "caption": "Average Duration Hours",
- "description": "This represents the average duration of the activity in hours. See specific usage.",
+ "duration_days": {
+ "caption": "Duration Days",
+ "description": "Represents the duration of the activity in days. See specific usage.",
"type": "integer_t"
},
- "duration_avg_mins": {
- "caption": "Average Duration Minutes",
- "description": "This represents the average duration of the activity in minutes. See specific usage.",
+ "duration_hours": {
+ "caption": "Duration Hours",
+ "description": "Represents the duration of the activity in hours. See specific usage.",
"type": "integer_t"
},
- "duration_avg_months": {
- "caption": "Average Duration Months",
- "description": "This represents the average duration of the activity in months. See specific usage.",
+ "duration_mins": {
+ "caption": "Duration Minutes",
+ "description": "Represents the duration of the activity in minutes. See specific usage.",
"type": "integer_t"
},
- "duration_avg_msecs": {
- "caption": "Average Duration Milliseconds",
- "description": "This represents the average duration of the activity in milliseconds. See specific usage.",
+ "duration_months": {
+ "caption": "Duration Months",
+ "description": "Represents the duration of the activity in months. See specific usage.",
"type": "integer_t"
},
- "duration_avg_secs": {
- "caption": "Average Duration Seconds",
- "description": "This represents the average duration of the activity in seconds. See specific usage.",
+ "duration_secs": {
+ "caption": "Duration Seconds",
+ "description": "Represents the duration of the activity in seconds. See specific usage.",
"type": "integer_t"
},
- "duration_avg_weeks": {
- "caption": "Average Duration Weeks",
- "description": "This represents the average duration of the activity in weeks. See specific usage.",
+ "duration_weeks": {
+ "caption": "Duration Weeks",
+ "description": "Represents the duration of the activity in weeks. See specific usage.",
"type": "integer_t"
},
- "duration_avg_years": {
- "caption": "Average Duration Years",
- "description": "This represents the average duration of the activity in years. See specific usage.",
+ "duration_years": {
+ "caption": "Duration Years",
+ "description": "Represents the duration of the activity in years. See specific usage.",
"type": "integer_t"
},
"edition": {
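Review bot: The eight `duration_avg_*` attributes removed in this hunk (`duration_avg_days` through `duration_avg_years`) leave the dictionary without any deprecation record, while the CHANGELOG hunks in this commit list only the additions (`timespan`, `avg_timespan`). Any object or profile outside this diff that still references one of them would fail schema compilation, and producers that emit those keys on `kb_article` lose them silently; objects/kb_article.json is the only caller updated here. A changelog line such as `Removed duration_avg_* dictionary attributes; use avg_timespan (type timespan) instead. #1125` would make the break visible to downstream schema consumers. Changing the `duration` caption from "Duration" to "Duration Milliseconds" also alters the displayed caption of the base event's `duration` inherited via includes/occurrence.json; confirm that is intended rather than a side effect of aligning it with the `duration_*` family.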
@@ -1935,7 +2043,7 @@
},
"flag_ids": {
"caption": "Communication Flag IDs",
- "description": "The list of normalized identifiers of the communication flag IDs.",
+ "description": "The list of normalized identifiers of the communication flag IDs. See specific usage.",
"sibling": "flags",
"type": "integer_t",
"enum": {
@@ -2238,6 +2346,24 @@
"caption": "Unknown",
"description": "The integrity level is unknown."
},
+ "1": {
+ "caption": "Untrusted"
+ },
+ "2": {
+ "caption": "Low"
+ },
+ "3": {
+ "caption": "Medium"
+ },
+ "4": {
+ "caption": "High"
+ },
+ "5": {
+ "caption": "System"
+ },
+ "6": {
+ "caption": "Protected"
+ },
"99": {
"caption": "Other",
"description": "The integrity level is not mapped. See the integrity
attribute, which contains a data source specific value."
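Review bot: The new `integrity_id` entries 1–6 carry captions only, whereas the adjacent 0 and 99 entries each have a description, so the generic enum documents its sentinel values but not the meaningful ones. If these correspond to Windows mandatory integrity levels (the captions suggest it, but nothing in the dictionary says so), a one-line description per entry such as `"description": "Windows mandatory integrity level: Low."` would let consumers and detection logic interpret the value without consulting the process object — confirm the mapping with the owner of objects/process.json before documenting it. The caption-only form is carried over from the enum deleted in objects/process.json, so this is pre-existing rather than a regression.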
@@ -2557,12 +2683,12 @@
},
"load_type": {
"caption": "Load Type",
- "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.",
+ "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source.",
"type": "string_t"
},
"load_type_id": {
"caption": "Load Type ID",
- "description": "The normalized identifier of the load type. It identifies how the module was loaded in memory.",
+ "description": "The normalized identifier of the load type. See specific uasge.",
"sibling": "load_type",
"type": "integer_t",
"enum": {
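Review bot: The rewritten `load_type_id` description misspells "usage" as `uasge`, and this string is rendered verbatim into the generated documentation; the line should read `"description": "The normalized identifier of the load type. See specific usage.",`. The other descriptions touched by this commit use the same "See specific usage." phrase correctly, so this is the only occurrence to fix.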
@@ -3331,7 +3457,7 @@
},
"protocol_ver_id": {
"caption": "Protocol Version ID",
- "description": "The normalized identifier of the Protocol version.",
+ "description": "The normalized identifier of the Protocol version. See specific usage.",
"sibling": "protocol_ver",
"type": "integer_t",
"enum": {
diff --git a/includes/occurrence.json b/includes/occurrence.json
index 7902aa2f4..04f292c34 100644
--- a/includes/occurrence.json
+++ b/includes/occurrence.json
@@ -9,6 +9,7 @@
"requirement": "optional"
},
"duration": {
+ "description": "The event duration or aggregate time, the amount of time the event covers from start_time
to end_time
in milliseconds.",
"requirement": "optional"
},
"end_time": {
diff --git a/objects/dns_answer.json b/objects/dns_answer.json
index ec30b1ebe..3500c1bfe 100644
--- a/objects/dns_answer.json
+++ b/objects/dns_answer.json
@@ -12,9 +12,6 @@
"caption": "DNS Header Flags",
"description": "The list of DNS answer header flag IDs.",
"enum": {
- "0": {
- "caption": "Unknown"
- },
"1": {
"caption": "Authoritative Answer"
},
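Review bot: Dropping `0`/`Unknown` here (and `99`/`Other` in the next hunk) from the object-level `flag_ids` enum means those values are only valid if the dictionary-level `flag_ids` enum supplies them; the dictionary hunk in this diff shows that enum's opening brace but not its entries, so that cannot be confirmed from here. If the dictionary does not define 0 and 99 for `flag_ids`, DNS answer events that carry an unknown or unmapped header flag stop validating, and the specific wording `The event DNS header flag is not mapped.` is lost either way. The same applies to `load_type_id` in objects/module.json, whose dictionary enum entries are likewise outside the diff; objects/malware.json is fine because the dictionary hunk for `classification_ids` visibly keeps 0 and 99.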
@@ -32,10 +29,6 @@
},
"6": {
"caption": "Checking Disabled"
- },
- "99": {
- "caption": "Other",
- "description": "The event DNS header flag is not mapped."
}
},
"requirement": "recommended"
diff --git a/objects/endpoint.json b/objects/endpoint.json
index 332810968..1bc85992e 100644
--- a/objects/endpoint.json
+++ b/objects/endpoint.json
@@ -123,6 +123,10 @@
"14": {
"caption": "IPS",
"description": "An intrusion prevention system."
+ },
+ "15": {
+ "caption": "Load Balancer",
+ "description": "A Load Balancer device."
}
},
"requirement": "recommended"
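Review bot: The new entry 15 describes itself as `A Load Balancer device.`, capitalising a common noun where the neighbouring entry 14 uses `An intrusion prevention system.`; `"description": "A load balancer device."` keeps the enum's style consistent. These descriptions are what the generated documentation displays, so the inconsistency is user-visible.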
diff --git a/objects/kb_article.json b/objects/kb_article.json
index 1320eb774..62e81453f 100644
--- a/objects/kb_article.json
+++ b/objects/kb_article.json
@@ -4,16 +4,8 @@
"extends": "object",
"name": "kb_article",
"attributes": {
- "duration_avg_days": {
- "description": "The average time to patch in days.",
- "requirement": "optional"
- },
- "duration_avg_hours": {
- "description": "The average time to patch in hours.",
- "requirement": "optional"
- },
- "duration_avg_mins": {
- "description": "The average time to patch in minutes.",
+ "avg_timespan": {
+ "description": "The average time to patch.",
"requirement": "optional"
},
"install_state": {
diff --git a/objects/load_balancer.json b/objects/load_balancer.json
index 81b0f9b94..0ca8d5c91 100644
--- a/objects/load_balancer.json
+++ b/objects/load_balancer.json
@@ -30,7 +30,11 @@
"caption": "Classification",
"description": "The request classification as defined by the load balancer.",
"requirement": "optional"
- },
+ },
+ "ip": {
+ "description": "The IP address of the load balancer node that handled the client request. Note: the load balancer may have other IP addresses, and this is not an IP address of the target/distribution endpoint - see dst_endpoint
.",
+ "requirement": "optional"
+ },
"status_detail": {
"caption": "Status Detail",
"description": "The status detail contains additional status information about the load balancer distribution event.",
diff --git a/objects/malware.json b/objects/malware.json
index b58df3256..ab638cde2 100644
--- a/objects/malware.json
+++ b/objects/malware.json
@@ -5,11 +5,9 @@
"name": "malware",
"attributes": {
"classification_ids": {
+ "description": "The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types ",
"requirement": "required",
"enum": {
- "0": {
- "caption": "Unknown"
- },
"1": {
"caption": "Adware"
},
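Review bot: The description added to `classification_ids` ends with a trailing space inside the string literal, `Reference: STIX Malware Types "`, which the old dictionary text also had; presumably a hyperlink was stripped when this text was originally written, in which case the reference now points nowhere. Either restore the link target or end the sentence cleanly: `"description": "The list of normalized identifiers of the malware classifications. Reference: STIX Malware Types.",`.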
@@ -72,13 +70,11 @@
},
"22": {
"caption": "Worm"
- },
- "99": {
- "caption": "Other"
}
}
},
"classifications": {
+ "description": "The list of malware classifications, normalized to the captions of the classification_ids
values. In the case of 'Other', they are defined by the event source.",
"requirement": "optional"
},
"cves": {
diff --git a/objects/module.json b/objects/module.json
index 4b5cfe96a..bedc4fa6c 100644
--- a/objects/module.json
+++ b/objects/module.json
@@ -18,11 +18,9 @@
"requirement": "optional"
},
"load_type_id": {
+ "description": "The normalized identifier for how the module was loaded in memory.",
"requirement": "required",
"enum": {
- "0": {
- "caption": "Unknown"
- },
"1": {
"caption": "Standard",
"description": "A normal module loaded by the normal windows loading mechanism i.e. LoadLibrary."
@@ -42,9 +40,6 @@
"5": {
"caption": "NonStandard Backed",
"description": "A module loaded in a non standard way. However, GetModuleFileName succeeds on this allocation."
- },
- "99": {
- "caption": "Other"
}
}
},
diff --git a/objects/package.json b/objects/package.json
index b7a5e9773..5c85fcac9 100644
--- a/objects/package.json
+++ b/objects/package.json
@@ -7,9 +7,16 @@
"architecture": {
"requirement": "recommended"
},
+ "cpe_name": {
+ "requirement": "optional"
+ },
"epoch": {
"requirement": "optional"
},
+ "hash": {
+ "description": "Cryptographic hash to identify the binary instance of a software component. This can include any component such file, package, or library.",
+ "requirement": "optional"
+ },
"license": {
"description": "The software license applied to this package.",
"requirement": "optional"
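Review bot: The `hash` description reads `This can include any component such file, package, or library.`, which is missing "as a"; `"description": "Cryptographic hash that identifies the binary instance of a software component, such as a file, package, or library.",`. Since this attribute is what an inventory consumer would compare against a known-good value to detect a tampered package, the description should also say which algorithm identifier accompanies the digest — presumably `hash` resolves to a dictionary attribute that carries `algorithm_id`, but that is not visible in this diff, so confirm before documenting it. `cpe_name` is added without a description override, which is fine if the dictionary entry already documents it.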
@@ -25,6 +32,7 @@
"requirement": "optional"
},
"vendor_name": {
+ "description": "The name of the vendor who published the software package.",
"requirement": "optional"
},
"type": {
@@ -32,6 +40,7 @@
"requirement": "optional"
},
"type_id": {
+ "description": "The type of software package.",
"enum": {
"1": {
"caption": "Application",
diff --git a/objects/process.json b/objects/process.json
index bebe45c14..82a4e04ca 100644
--- a/objects/process.json
+++ b/objects/process.json
@@ -26,32 +26,6 @@
"requirement": "optional"
},
"integrity_id": {
- "enum": {
- "0": {
- "caption": "Unknown"
- },
- "1": {
- "caption": "Untrusted"
- },
- "2": {
- "caption": "Low"
- },
- "3": {
- "caption": "Medium"
- },
- "4": {
- "caption": "High"
- },
- "5": {
- "caption": "System"
- },
- "6": {
- "caption": "Protected"
- },
- "99": {
- "caption": "Other"
- }
- },
"requirement": "optional"
},
"lineage": {
diff --git a/objects/timespan.json b/objects/timespan.json
new file mode 100644
index 000000000..044df512d
--- /dev/null
+++ b/objects/timespan.json
@@ -0,0 +1,94 @@
+{
+ "caption": "Time Span",
+ "name": "timespan",
+ "description": "The Time Span object represents different time period durations. If a timespan is fractional, i.e. crosses one period, e.g. a week and 3 days, more than one may may be populated since each member is of integral type. In that case type_id
if present should be set to Other
.",
+ "extends": "object",
+ "attributes": {
+ "duration" : {
+ "description": "The duration of the time span in milliseconds.",
+ "requirement": "recommended"
+ },
+ "duration_days": {
+ "description": "The duration of the time span in days.",
+ "requirement": "recommended"
+ },
+ "duration_hours": {
+ "description": "The duration of the time span in hours.",
+ "requirement": "recommended"
+ },
+ "duration_mins": {
+ "description": "The duration of the time span in minutes.",
+ "requirement": "recommended"
+ },
+ "duration_months": {
+ "description": "The duration of the time span in months.",
+ "requirement": "recommended"
+ },
+ "duration_secs": {
+ "description": "The duration of the time span in seconds.",
+ "requirement": "recommended"
+ },
+ "duration_weeks": {
+ "description": "The duration of the time span in weeks.",
+ "requirement": "recommended"
+ },
+ "duration_years": {
+ "description": "The duration of the time span in years.",
+ "requirement": "recommended"
+ },
+ "type": {
+ "caption": "Time Span Type",
+ "description": "The type of time span duration the object represents.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Time Span Type ID",
+ "description": "The normalized identifier for the time span duration type.",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Milliseconds"
+ },
+ "2": {
+ "caption": "Seconds"
+ },
+ "3": {
+ "caption": "Minutes"
+ },
+ "4": {
+ "caption": "Hours"
+ },
+ "5": {
+ "caption": "Days"
+ },
+ "6": {
+ "caption": "Weeks"
+ },
+ "7": {
+ "caption": "Months"
+ },
+ "8": {
+ "caption": "Years"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ },
+ "requirement": "recommended"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "duration",
+ "duration_days",
+ "duration_hours",
+ "duration_mins",
+ "duration_months",
+ "duration_secs",
+ "duration_weeks",
+ "duration_years"
+ ]
+ }
+}
\ No newline at end of file
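Review bot: The object description contains a duplicated word, `more than one may may be populated`; it should read `more than one may be populated`. `"duration" : {` on the first attribute has a space before the colon that no other key in this file or elsewhere in the diff uses, and the file is committed without a trailing newline, unlike the other JSON files in this commit. The `type_id` enum's entries 1–8 carry captions only; a short description per unit would match the `duration_*` attribute descriptions above them, although the captions are self-explanatory.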
diff --git a/profiles/security_control.json b/profiles/security_control.json
index 1f3a50c3e..463210d60 100644
--- a/profiles/security_control.json
+++ b/profiles/security_control.json
@@ -41,125 +41,7 @@
"requirement": "optional"
},
"disposition_id": {
- "requirement": "recommended",
- "enum": {
- "99": {
- "caption": "Other",
- "description": "The disposition is not listed. The disposition
attribute should be populated with a source specific caption."
- },
- "0": {
- "caption": "Unknown",
- "description": "The disposition was not known."
- },
- "1": {
- "caption": "Allowed",
- "description": "Granted access or allowed the action to the protected resource."
- },
- "2": {
- "caption": "Blocked",
- "description": "Denied access or blocked the action to the protected resource."
- },
- "3": {
- "caption": "Quarantined",
- "description": "A suspicious file or other content was moved to a benign location."
- },
- "4": {
- "caption": "Isolated",
- "description": "A session was isolated on the network or within a browser."
- },
- "5": {
- "caption": "Deleted",
- "description": "A file or other content was deleted."
- },
- "6": {
- "caption": "Dropped",
- "description": "The request was detected as a threat and resulted in the connection being dropped."
- },
- "7": {
- "caption": "Custom Action",
- "description": "A custom action was executed such as running of a command script. Use the message
attribute of the base class for details."
- },
- "8": {
- "caption": "Approved",
- "description": "A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1
'Allowed'."
- },
- "9": {
- "caption": "Restored",
- "description": "A quarantined file or other content was restored to its original location."
- },
- "10": {
- "caption": "Exonerated",
- "description": "A suspicious or risky entity was deemed to no longer be suspicious (re-scored)."
- },
- "11": {
- "caption": "Corrected",
- "description": "A corrupt file or configuration was corrected."
- },
- "12": {
- "caption": "Partially Corrected",
- "description": "A corrupt file or configuration was partially corrected."
- },
- "13": {
- "caption": "Uncorrected",
- "description": "A corrupt file or configuration was not corrected."
- },
- "14": {
- "caption": "Delayed",
- "description": "An operation was delayed, for example if a restart was required to finish the operation."
- },
- "15": {
- "caption": "Detected",
- "description": "Suspicious activity or a policy violation was detected without further action."
- },
- "16": {
- "caption": "No Action",
- "description": "The outcome of an operation had no action taken."
- },
- "17": {
- "caption": "Logged",
- "description": "The operation or action was logged without further action."
- },
- "18": {
- "caption": "Tagged",
- "description": "A file or other entity was marked with extended attributes."
- },
- "19": {
- "caption": "Alert",
- "description": "The request or activity was detected as a threat and resulted in a notification but request was not blocked."
- },
- "20": {
- "caption": "Count",
- "description": "Counted the request or activity but did not determine whether to allow it or block it."
- },
- "21": {
- "caption": "Reset",
- "description": "The request was detected as a threat and resulted in the connection being reset."
- },
- "22": {
- "caption": "Captcha",
- "description": "Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request."
- },
- "23": {
- "caption": "Challenge",
- "description": "Ran a silent challenge that required the client session to verify that it's a browser, and not a bot."
- },
- "24": {
- "caption": "Access Revoked",
- "description": "The requestor's access has been revoked due to security policy enforcements. Note: use the Host
profile if the User
or Actor
requestor is not present in the event class."
- },
- "25": {
- "caption": "Rejected",
- "description": "A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2
'Blocked'."
- },
- "26": {
- "caption": "Unauthorized",
- "description": "An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2
'Blocked' and can be complemented with the authorizations
attribute for more detail."
- },
- "27": {
- "caption": "Error",
- "description": "An error occurred during the processing of the activity or request. Use the message
attribute of the base class for details."
- }
- }
+ "requirement": "recommended"
},
"firewall_rule": {
"requirement": "optional"