diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3fbd53a99..33530d9c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,6 +45,9 @@ Thankyou! -->
4. Added `agent` object. #987
5. Added `data_classification` object. #998
+* #### Observables
+ 1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` `cwe.uid` `cve.uid` `user_agent` enum items. #1035
+
* #### Platform Extensions
### Improved
diff --git a/dictionary.json b/dictionary.json
index 298a42efb..9af916b36 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -878,7 +878,8 @@
},
"cmd_line": {
"caption": "Command Line",
- "description": "The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10
. If the command line is unavailable or missing, the empty string ''
is to be used",
+ "observable": 13,
+ "description": "The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10
. If the command line is unavailable or missing, the empty string ''
is to be used.",
"type": "string_t"
},
"code": {
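Review bot: The rewritten `cmd_line` description still says nothing about sensitive content, while the new `"observable": 13` presumably marks the attribute for extraction and indexing across events, and process command lines routinely carry passwords, tokens or keys passed as arguments; appending `Producers should redact credentials or other secrets passed as arguments before populating this attribute.` to the description would give producers and consumers that caveat. I also cannot see where id 13 — or ids 11, 12, 14, 15, 16 and 17 added for `port_t`, `subnet_t`, `country`, `pid`, `user_agent` and `cwe.uid` in the later hunks — is registered as an `observable` enum item: the changelog lists them and also names `cve.uid`, but neither that enum nor a `cve.json` hunk is in this view, so confirm the ids are unique and registered there. Moving `description` below the new `observable` key is harmless, as key order carries no meaning in this dictionary.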
@@ -1074,6 +1075,7 @@
},
"country": {
"caption": "Country",
+ "observable": 14,
"description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.
Note: The two letter country code should be capitalized. For example: US
or CA
.
security_level
attribute, which contains data source specific values."
- },
- "0": {
- "caption": "Unknown"
- },
- "1": {
- "caption": "Secure"
- },
- "2": {
- "caption": "At Risk"
- },
- "3": {
- "caption": "Compromised"
- }
- },
- "sibling": "security_level",
- "type": "integer_t"
- },
- "security_states": {
- "caption": "Security States",
- "description": "The current security states. See specific usage.",
- "is_array": true,
- "type": "security_state"
- },
"customer_uid": {
"@deprecated": {
"message": "Use the tenant_uid
attribute instead.",
@@ -2931,6 +2898,7 @@
},
"pid": {
"caption": "Process ID",
+ "observable": 15,
"description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.",
"type": "integer_t"
},
@@ -3541,12 +3509,47 @@
"description": "The object security descriptor.",
"type": "string_t"
},
+ "security_level": {
+ "caption": "Security Level",
+ "description": "The current security level of the entity",
+ "type": "string_t"
+ },
+ "security_level_id": {
+ "caption": "Security Level ID",
+ "description": "The current security level of the entity",
+ "enum": {
+ "99": {
+ "caption": "Other",
+ "description": "The security level is not mapped. See the security_level
attribute, which contains data source specific values."
+ },
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Secure"
+ },
+ "2": {
+ "caption": "At Risk"
+ },
+ "3": {
+ "caption": "Compromised"
+ }
+ },
+ "sibling": "security_level",
+ "type": "integer_t"
+ },
"security_questions": {
"caption": "Security Questions",
"description": "The question(s) provided to user for a question-based authentication factor.",
"is_array": true,
"type": "string_t"
},
+ "security_states": {
+ "caption": "Security States",
+ "description": "The current security states. See specific usage.",
+ "is_array": true,
+ "type": "security_state"
+ },
"sequence": {
"caption": "Sequence Number",
"description": "Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.",
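Review bot: `security_level` and `security_level_id` get the same description, `The current security level of the entity` (no trailing period), so the new entries do not say which one is the normalized enum and which the source-specific value, even though the `99` item's own text says `security_level` holds data source specific values; suggest `The normalized identifier of the entity's current security level.` for `security_level_id` and `The current security level of the entity, as reported by the data source.` for `security_level`. The added `security_states` entry references type `security_state`, which is defined outside this diff; the removed copy in the earlier hunk used the same type name, so this looks like a move rather than a new definition, but confirm that object still resolves after the move.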
@@ -4092,6 +4095,7 @@
},
"user_agent": {
"caption": "HTTP User-Agent",
+ "observable": 16,
"description": "The request header that identifies the operating system and web browser.",
"type": "string_t"
},
@@ -4360,6 +4364,7 @@
},
"port_t": {
"caption": "Port",
+ "observable": 11,
"description": "The TCP/UDP port number. For example: 80
or 22
.",
"range": [
0,
@@ -4390,6 +4395,7 @@
},
"subnet_t": {
"caption": "Subnet",
+ "observable": 12,
"description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. CVE-2021-12345
.",
"requirement": "required"
}
diff --git a/objects/cwe.json b/objects/cwe.json
index e31aec16c..be698af8d 100644
--- a/objects/cwe.json
+++ b/objects/cwe.json
@@ -14,6 +14,7 @@
},
"uid": {
"caption": "CWE ID",
+ "observable": 17,
"description": "The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: CWE-123
.",
"requirement": "required"
}