From a2a368b3e4c6ad47eb470b7433a1dd79d2e89c9e Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Thu, 11 Apr 2024 16:40:47 -0700
Subject: [PATCH 1/7] Added a number of new observables, both dictionary types, and dictionary attributes. Moved the security_level_id and related attributes to be better sorted in alphabetic order.

Signed-off-by: Paul Agbabian
---
 dictionary.json | 79 +++++++++++++++++++++++++++----------------------
 1 file changed, 43 insertions(+), 36 deletions(-)

diff --git a/dictionary.json b/dictionary.json
index 298a42efb..8b0e83840 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -878,7 +878,8 @@
 },
 "cmd_line": {
 "caption": "Command Line",
- "description": "The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used",
+ "observable": 13,
+ "description": "The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '' is to be used.",
 "type": "string_t"
 },
 "code": {
@@ -1074,6 +1075,7 @@
 },
 "country": {
 "caption": "Country",
+ "observable": 14,
 "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes.

Note: The two letter country code should be capitalized. For example: US or CA.

", "type": "string_t" }, @@ -1132,41 +1134,6 @@ "description": "Criticality of a resource/object in question", "type": "string_t" }, - "security_level": { - "caption": "Security Level", - "description": "The current security level of the entity", - "type": "string_t" - }, - "security_level_id": { - "caption": "Security Level ID", - "description": "The current security level of the entity", - "enum": { - "99": { - "caption": "Other", - "description": "The security level is not mapped. See the security_level attribute, which contains data source specific values." - }, - "0": { - "caption": "Unknown" - }, - "1": { - "caption": "Secure" - }, - "2": { - "caption": "At Risk" - }, - "3": { - "caption": "Compromised" - } - }, - "sibling": "security_level", - "type": "integer_t" - }, - "security_states": { - "caption": "Security States", - "description": "The current security states. See specific usage.", - "is_array": true, - "type": "security_state" - }, "customer_uid": { "@deprecated": { "message": "Use the tenant_uid attribute instead.", @@ -1204,6 +1171,7 @@ "since": "1.1.0" }, "caption": "CWE UID", + "observable": 16, "description": "The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.", "type": "string_t" }, @@ -2931,6 +2899,7 @@ }, "pid": { "caption": "Process ID", + "observable": 15, "description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.", "type": "integer_t" }, 
@@ -3541,12 +3510,47 @@
 "description": "The object security descriptor.",
 "type": "string_t"
 },
+ "security_level": {
+ "caption": "Security Level",
+ "description": "The current security level of the entity",
+ "type": "string_t"
+ },
+ "security_level_id": {
+ "caption": "Security Level ID",
+ "description": "The current security level of the entity",
+ "enum": {
+ "99": {
+ "caption": "Other",
+ "description": "The security level is not mapped. See the security_level attribute, which contains data source specific values."
+ },
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Secure"
+ },
+ "2": {
+ "caption": "At Risk"
+ },
+ "3": {
+ "caption": "Compromised"
+ }
+ },
+ "sibling": "security_level",
+ "type": "integer_t"
+ },
 "security_questions": {
 "caption": "Security Questions",
 "description": "The question(s) provided to user for a question-based authentication factor.",
 "is_array": true,
 "type": "string_t"
 },
+ "security_states": {
+ "caption": "Security States",
+ "description": "The current security states. See specific usage.",
+ "is_array": true,
+ "type": "security_state"
+ },
 "sequence": {
 "caption": "Sequence Number",
 "description": "Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.",
@@ -4092,6 +4096,7 @@
 },
 "user_agent": {
 "caption": "HTTP User-Agent",
+ "observable": 17,
 "description": "The request header that identifies the operating system and web browser.",
 "type": "string_t"
 },
@@ -4360,6 +4365,7 @@
 },
 "port_t": {
 "caption": "Port",
+ "observable": 11,
 "description": "The TCP/UDP port number. For example: 80 or 22.",
 "range": [
 0,
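Review bot: `security_level` and `security_level_id` carry the identical description "The current security level of the entity", so a reader cannot tell which attribute holds the raw source value and which the normalized one, even though the enum's `99` entry already says the string attribute "contains data source specific values". Since the block is being re-inserted anyway, I would make the pair say that explicitly, e.g. `"description": "The current security level of the entity, as reported by the data source."` on `security_level` and `"description": "The normalized identifier of the current security level of the entity."` on `security_level_id`, aligned with whatever wording the other `sibling` pairs in this file use (not visible in the patch), and add the trailing period the neighbouring descriptions have.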
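Review bot: Observable 11 is attached to the `port_t` type rather than to a named attribute, so — if type-level observables are extracted the way attribute-level ones are — every port-typed attribute in an event will presumably surface under the same id with nothing in the observable itself saying which attribute (and so which direction) it came from. A consumer building a detection on port observables will need the attribute path as well as the type id; the same applies to `subnet_t` (observable 12) in the next hunk. If that is the intended semantics, a sentence in the description stating that the id covers every attribute of this type would save consumers guessing.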
@@ -4390,6 +4396,7 @@
 },
 "subnet_t": {
 "caption": "Subnet",
+ "observable": 12,
 "description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.
For example:
  • 192.168.1.0/24
  • 2001:0db8:85a3:0000::/64
", "max_len": 42, "type": "string_t", From 1b25d0190dde0efcaa3967076db9129e8ffacfde Mon Sep 17 00:00:00 2001 From: Paul Agbabian Date: Thu, 11 Apr 2024 16:56:41 -0700 Subject: [PATCH 2/7] Added enum items for observables, also as a new Addition section. --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fbd53a99..7dc4f4ddb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,6 +45,9 @@ Thankyou! --> 4. Added `agent` object. #987 5. Added `data_classification` object. #998 +* #### Observables + 1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` `cwe_uid` `user_agent` enum items. #1035 + * #### Platform Extensions ### Improved From c384c165f6ccc77a5b8a54f41d6d0a8905d3caed Mon Sep 17 00:00:00 2001 From: Paul Agbabian Date: Fri, 12 Apr 2024 09:01:23 -0700 Subject: [PATCH 3/7] Fixed observable for cwe_uid which was deprecated: moved to the cwe object and adjusted the user_agent number to fill the gap. Signed-off-by: Paul Agbabian --- dictionary.json | 3 +-- objects/cwe.json | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dictionary.json b/dictionary.json index 8b0e83840..9af916b36 100644 --- a/dictionary.json +++ b/dictionary.json @@ -1171,7 +1171,6 @@ "since": "1.1.0" }, "caption": "CWE UID", - "observable": 16, "description": "The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.", "type": "string_t" }, @@ -4096,7 +4095,7 @@ }, "user_agent": { "caption": "HTTP User-Agent", - "observable": 17, + "observable": 16, "description": "The request header that identifies the operating system and web browser.", "type": "string_t" }, diff --git a/objects/cwe.json b/objects/cwe.json index e31aec16c..cc65eb0fd 100644 --- a/objects/cwe.json +++ b/objects/cwe.json 
@@ -3,6 +3,7 @@
 "description": "The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.",
 "extends": "object",
 "name": "cwe",
+ "observable": 31,
 "attributes": {
 "caption":{
 "description": "The caption assigned to the Common Weakness Enumeration unique identifier.",

From 38fbd7903a3b7d722c7c96f789a97c66c44c76a4 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Fri, 12 Apr 2024 09:05:16 -0700
Subject: [PATCH 4/7] Adjusted changelog to have cwe vs cwe_uid

Signed-off-by: Paul Agbabian
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7dc4f4ddb..f6470f5ad 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,7 +46,7 @@ Thankyou! -->
 5. Added `data_classification` object. #998
 
 * #### Observables
- 1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` `cwe_uid` `user_agent` enum items. #1035
+ 1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` ``cwe` `user_agent` enum items. #1035
 
 * #### Platform Extensions
 

From bf75880559379ddbc3aa3fd1f53708ec046079f4 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Fri, 12 Apr 2024 09:13:31 -0700
Subject: [PATCH 5/7] Switched out the cwe object observable for the cwe.uid object-specific attribute.

Signed-off-by: Paul Agbabian
---
 objects/cwe.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/objects/cwe.json b/objects/cwe.json
index cc65eb0fd..be698af8d 100644
--- a/objects/cwe.json
+++ b/objects/cwe.json
@@ -3,7 +3,6 @@
 "description": "The CWE object represents a weakness in a software system that can be exploited by a threat actor to perform an attack. The CWE object is based on the Common Weakness Enumeration (CWE) catalog.",
 "extends": "object",
 "name": "cwe",
- "observable": 31,
 "attributes": {
 "caption":{
 "description": "The caption assigned to the Common Weakness Enumeration unique identifier.",
@@ -15,6 +14,7 @@
 },
 "uid": {
 "caption": "CWE ID",
+ "observable": 17,
 "description": "The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: CWE-123.",
 "requirement": "required"
 }

From 1836b714e62d04451164565aff7d1cc3b0fcfc7a Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Fri, 12 Apr 2024 09:30:20 -0700
Subject: [PATCH 6/7] Added cve.uid as observable 18

Signed-off-by: Paul Agbabian
---
 CHANGELOG.md | 2 +-
 objects/cve.json | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6470f5ad..42b421209 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,7 +46,7 @@ Thankyou! -->
 5. Added `data_classification` object. #998
 
 * #### Observables
- 1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` ``cwe` `user_agent` enum items. #1035
+ 1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` ``cwe.uid` `cve.uid`, `user_agent` enum items. #1035
 
 * #### Platform Extensions
 
diff --git a/objects/cve.json b/objects/cve.json
index cf896186b..66b9eb98f 100644
--- a/objects/cve.json
+++ b/objects/cve.json
@@ -50,6 +50,7 @@
 },
 "uid": {
 "caption": "CVE ID",
+ "observable": 18,
 "description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.",
 "requirement": "required"
 }

From ec63d8988a893d79cd694bc4192558a73e2caa28 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Fri, 12 Apr 2024 09:37:24 -0700
Subject: [PATCH 7/7] fixed changelog to eliminate a tick

Signed-off-by: Paul Agbabian
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42b421209..33530d9c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
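Review bot: The `uid` description in objects/cve.json says a CVE identifier "begins with 4 digits representing the year", but the example `CVE-2021-12345` and the sibling text in objects/cwe.json (which says the identifier begins with the `CWE` prefix) show that the `CVE-` prefix comes first; now that the value is an observable, consumers are likely to derive extraction or matching rules from this sentence. Suggest `A CVE Identifier begins with \"CVE-\" followed by 4 digits representing the year and a sequence of digits that acts as a unique identifier.` The description line is pre-existing context rather than part of this change.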
@@ -46,7 +46,7 @@ Thankyou! -->
 5. Added `data_classification` object. #998
 
 * #### Observables
- 1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` ``cwe.uid` `cve.uid`, `user_agent` enum items. #1035
+ 1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` `cwe.uid` `cve.uid` `user_agent` enum items. #1035
 
 * #### Platform Extensions