Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an Event Log Activity Class #1014

Merged
merged 78 commits into from
Apr 29, 2024
Merged

Add an Event Log Activity Class #1014

merged 78 commits into from
Apr 29, 2024

Conversation

mikeradka
Copy link
Contributor

@mikeradka mikeradka commented Apr 3, 2024
edited
Loading

Related Issue:

#839 Event Log Activity eg 'Audit Log Cleared'

Description of changes:

This PR introduces a new class designed for actions related to monitoring the System Event Log Service.

image

@mikeradka mikeradka added enhancement New feature or request system_activity Issues related to System Activity Category labels Apr 3, 2024
@mikeradka mikeradka self-assigned this Apr 3, 2024
@mikeradka mikeradka added the v1.2.0 Changes marked for version v1.2.0 of OCSF label Apr 3, 2024
@mikeradka mikeradka changed the title Add an Event Log Activity class DRAFT: Add an Event Log Activity class Apr 3, 2024
@floydtree floydtree added v1.3.0 Changes marked for v1.3.0 of OCSF and removed v1.2.0 Changes marked for version v1.2.0 of OCSF labels Apr 15, 2024
@jasonbreimer
Copy link
Contributor

What about a "set-log" activity id? I'm looking at the various detections written against event log activities and I see the concept of event log configuration setting modification. An entity can modify settings regarding the event log using wevtutil command set-log.

@jasonbreimer
Copy link
Contributor

Another thought...when looking at clear event log it looks like there are return code status values. This list is oddly limited linked below but I see "success" and "privilege missing". Do we want to capture the successful event or get down to this next layer of capturing a failure by adding some kind of status/return code for each activity id?

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/cleareventlog-method-in-class-win32-nteventlogfile

@mikeradka
Copy link
Contributor Author

mikeradka commented Apr 16, 2024
edited
Loading

Another thought...when looking at clear event log it looks like there are return code status values. This list is oddly limited linked below but I see "success" and "privilege missing". Do we want to capture the successful event or get down to this next layer of capturing a failure by adding some kind of status/return code for each activity id?

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/cleareventlog-method-in-class-win32-nteventlogfile

That is a good find! Thanks for the suggestion - will take a look at what is possible, it seems like this may be good context to capture.

EDIT: After checking this out, I think status_code and status_detail should work for this. I added more specific descriptions for these attributes within the context of this class, and gave the info in this page as examples.

@mikeradka mikeradka closed this Apr 17, 2024
@mikeradka mikeradka deleted the event_log_activity_class branch April 17, 2024 22:21
@mikeradka mikeradka restored the event_log_activity_class branch April 17, 2024 22:25
@mikeradka mikeradka reopened this Apr 17, 2024
@mikeradka
Copy link
Contributor Author

Created Issue #1047 to address the discrepancy in validation failure output.

@mikeradka
Copy link
Contributor Author

mikeradka commented Apr 18, 2024
edited
Loading

What about a "set-log" activity id? I'm looking at the various detections written against event log activities and I see the concept of event log configuration setting modification. An entity can modify settings regarding the event log using wevtutil command set-log.

This is a good suggestion, @jasonbreimer. I took a look at the Microsoft wevtutil documentation, and it notes:

Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.

The Archive, and Clear actions are covered, and I've added Export to the actions. However, I am not yet certain on how we should approach uninstall event manifests and run queries. Maybe Uninstall and Query actions are sufficient, but I would like to get some further inputs.

@floydtree, @pagbabian-splunk, @k2niner any thoughts on whether Uninstall and Query could work as activities for this new class?

@mikeradka
Add an Event Log Activity class
65a1405 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Add descs and groups for attrs
c9c3728 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Add 0, 99 for activity_id
f949a58 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Remove 0,99 for activity_id, not needed
afe4380 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
fix pesky nesting issue
27aa544 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Add constraints
cd8bfdf 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
make activity_id required
6565acb 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
add group to activity_id
70fe37a 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
undo change to tunnel class
80bc9f6 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Add group for required field activity_id
2be71d1 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
shorten name
7c1883c 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
remove classification
2d6cb43 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
shorten name
e2894a1 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
clean up grammar
1edb3b9 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Merge remote-tracking branch 'refs/remotes/origin/event_log_activity_…
443b3a9 
…class' into event_log_activity_class
@mikeradka
Reorder activities, add start, stop, and restart
d969ada 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Update desc
b86d81f 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka mikeradka marked this pull request as ready for review April 19, 2024 20:48
@mikeradka mikeradka changed the title DRAFT: Add an Event Log Activity class Add an Event Log Activity class Apr 19, 2024
@mikeradka mikeradka requested a review from k2niner April 19, 2024 20:49
@mikeradka
update CHANGELOG
d4f4702 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Add src/dst_endpoint
e2a2b9b 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka mikeradka changed the title Add an Event Log Activity class Add an Event Log Activity class Apr 19, 2024
@mikeradka mikeradka changed the title Add an Event Log Activity class Add an Event Log Activity Class Apr 19, 2024
@mikeradka mikeradka added the non_breaking Non Breaking, backwards compatible changes label Apr 19, 2024
@pagbabian-splunk
Copy link
Contributor

What about a "set-log" activity id? I'm looking at the various detections written against event log activities and I see the concept of event log configuration setting modification. An entity can modify settings regarding the event log using wevtutil command set-log.

This is a good suggestion, @jasonbreimer. I took a look at the Microsoft wevtutil documentation, and it notes:

Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.

The Archive, and Clear actions are covered, and I've added Export to the actions. However, I am not yet certain on how we should approach uninstall event manifests and run queries. Maybe Uninstall and Query actions are sufficient, but I would like to get some further inputs.

@floydtree, @pagbabian-splunk, @k2niner any thoughts on whether Uninstall and Query could work as activities for this new class?

If we don't yet know how to address these two activities, we can hold off until we do, and add them later. Unless @jasonbreimer or others have a use case of course. I haven't researched it so I don't have any informed suggestion at the moment.

floydtree
floydtree requested changes Apr 23, 2024
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@mikeradka
Update CHANGELOG
0284f99 
Signed-off-by: Michael Radka <[email protected]>
@mikeradka
Emphasize 'target' in red
fa38984 
Signed-off-by: Michael Radka <[email protected]>
floydtree
floydtree approved these changes Apr 25, 2024
View reviewed changes
events/system/event_log.json Show resolved Hide resolved
@floydtree floydtree merged commit b9506f9 into ocsf:main Apr 29, 2024
2 checks passed
@mikeradka mikeradka mentioned this pull request May 1, 2024
Merged
@mikeradka mikeradka deleted the event_log_activity_class branch May 23, 2024 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rmouritzen-splunk rmouritzen-splunk rmouritzen-splunk approved these changes

@floydtree floydtree floydtree approved these changes

@zschmerber zschmerber zschmerber approved these changes

@jasonbreimer jasonbreimer Awaiting requested review from jasonbreimer

@pagbabian-splunk pagbabian-splunk Awaiting requested review from pagbabian-splunk pagbabian-splunk is a code owner

@Aniak5 Aniak5 Awaiting requested review from Aniak5 Aniak5 is a code owner

@k2niner k2niner Awaiting requested review from k2niner

Assignees

@mikeradka mikeradka

Labels
enhancement New feature or request non_breaking Non Breaking, backwards compatible changes system_activity Issues related to System Activity Category v1.3.0 Changes marked for v1.3.0 of OCSF
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@mikeradka @jasonbreimer @pagbabian-splunk @zschmerber @floydtree @rmouritzen-splunk