Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added a number of new observables, both dictionary types, and dictionary attributes #1035

Merged
merged 7 commits into from
Apr 12, 2024
Merged

Added a number of new observables, both dictionary types, and dictionary attributes #1035

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a2a368b
Added a number of new observables, both dictionary types, and diction…
pagbabian-splunk Apr 11, 2024
1b25d01
Added enum items for observables, also as a new Addition section.
pagbabian-splunk Apr 11, 2024
c384c16
Fixed observable for cwe_uid which was deprecated: moved to the cwe o…
pagbabian-splunk Apr 12, 2024
38fbd79
Adjusted changelog to have cwe vs cwe_uid
pagbabian-splunk Apr 12, 2024
bf75880
Switched out the cwe object observable for the cwe.uid object-specifi…
pagbabian-splunk Apr 12, 2024
1836b71
Added cve.uid as observable 18
pagbabian-splunk Apr 12, 2024
ec63d89
fixed changelog to eliminate a tick
pagbabian-splunk Apr 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,9 @@ Thankyou! -->
4. Added `agent` object. #987
5. Added `data_classification` object. #998

* #### Observables
1. Added `port_t` `subnet_t` `cmd_line` `country` `pid` `cwe.uid` `cve.uid` `user_agent` enum items. #1035

* #### Platform Extensions

### Improved
Expand Down
78 changes: 42 additions & 36 deletions dictionary.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -878,7 +878,8 @@
},
"cmd_line": {
"caption": "Command Line",
"description": "The full command line used to launch an application, service, process, or job. For example: <code>ssh [email protected]</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used",
"observable": 13,
"description": "The full command line used to launch an application, service, process, or job. For example: <code>ssh [email protected]</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used.",
"type": "string_t"
},
"code": {
Expand Down Expand Up @@ -1074,6 +1075,7 @@
},
"country": {
"caption": "Country",
"observable": 14,
"description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see <a target='_blank' href='https://www.iso.org/obp/ui/#iso:pub:PUB500001:en' >ISO 3166-1 alpha-2 codes</a>.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>",
"type": "string_t"
},
Expand Down Expand Up @@ -1132,41 +1134,6 @@
"description": "Criticality of a resource/object in question",
"type": "string_t"
},
"security_level": {
"caption": "Security Level",
"description": "The current security level of the entity",
"type": "string_t"
},
"security_level_id": {
"caption": "Security Level ID",
"description": "The current security level of the entity",
"enum": {
"99": {
"caption": "Other",
"description": "The security level is not mapped. See the <code>security_level</code> attribute, which contains data source specific values."
},
"0": {
"caption": "Unknown"
},
"1": {
"caption": "Secure"
},
"2": {
"caption": "At Risk"
},
"3": {
"caption": "Compromised"
}
},
"sibling": "security_level",
"type": "integer_t"
},
"security_states": {
"caption": "Security States",
"description": "The current security states. See specific usage.",
"is_array": true,
"type": "security_state"
},
"customer_uid": {
"@deprecated": {
"message": "Use the <code> tenant_uid </code> attribute instead.",
Expand Down Expand Up @@ -2931,6 +2898,7 @@
},
"pid": {
"caption": "Process ID",
"observable": 15,
"description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process.",
"type": "integer_t"
},
Expand Down Expand Up @@ -3541,12 +3509,47 @@
"description": "The object security descriptor.",
"type": "string_t"
},
"security_level": {
"caption": "Security Level",
"description": "The current security level of the entity",
"type": "string_t"
},
"security_level_id": {
"caption": "Security Level ID",
"description": "The current security level of the entity",
"enum": {
"99": {
"caption": "Other",
"description": "The security level is not mapped. See the <code>security_level</code> attribute, which contains data source specific values."
},
"0": {
"caption": "Unknown"
},
"1": {
"caption": "Secure"
},
"2": {
"caption": "At Risk"
},
"3": {
"caption": "Compromised"
}
},
"sibling": "security_level",
"type": "integer_t"
},
"security_questions": {
"caption": "Security Questions",
"description": "The question(s) provided to user for a question-based authentication factor.",
"is_array": true,
"type": "string_t"
},
"security_states": {
"caption": "Security States",
"description": "The current security states. See specific usage.",
"is_array": true,
"type": "security_state"
},
"sequence": {
"caption": "Sequence Number",
"description": "Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.",
Expand Down Expand Up @@ -4092,6 +4095,7 @@
},
"user_agent": {
"caption": "HTTP User-Agent",
"observable": 16,
"description": "The request header that identifies the operating system and web browser.",
"type": "string_t"
},
Expand Down Expand Up @@ -4360,6 +4364,7 @@
},
"port_t": {
"caption": "Port",
"observable": 11,
"description": "The TCP/UDP port number. For example: <code>80</code> or <code>22</code>.",
"range": [
0,
Expand Down Expand Up @@ -4390,6 +4395,7 @@
},
"subnet_t": {
"caption": "Subnet",
"observable": 12,
"description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. <div>For example:<ul><li>192.168.1.0/24</li><li>2001:0db8:85a3:0000::/64</li></ul></div>",
"max_len": 42,
"type": "string_t",
Expand Down
1 change: 1 addition & 0 deletions objects/cve.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@
},
"uid": {
"caption": "CVE ID",
"observable": 18,
"description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: <code>CVE-2021-12345</code>.",
"requirement": "required"
}
Expand Down
1 change: 1 addition & 0 deletions objects/cwe.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
},
"uid": {
"caption": "CWE ID",
"observable": 17,
"description": "The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: <code>CWE-123</code>.",
"requirement": "required"
}
Expand Down
Loading