feat: [1122]-ldap and user extension + AD profile #1136
Conversation
PavelJurka
requested review from
floydtree,
pagbabian-splunk,
Aniak5,
mikeradka and
zschmerber
as code owners
mikeradka
added
enhancement
| @@ -154,6 +167,17 @@ | |||
| } | |||
| } | |||
| }, | |||
| "allowed_to_act_on_behalf_of_other_identity": { | |||
There was a problem hiding this comment.
This is a very long name. Could this be made more concise? Also should this be a boolean?
There was a problem hiding this comment.
It's long but name and type is consistent with AD. Can we keep it? thank you!
There was a problem hiding this comment.
Do you have some examples of how this looks in AD?
We may still want to consider looking how to make this more concise, if it is possible to do so. Why not something along the lines of act_on_behalf, acts_on_behalf, or on_behalf_of with the details about the indication that the account is allowed to act on behalf of another identity within the attribute's description?
There was a problem hiding this comment.
It is the native AD name. There is an LDAP display name, and a CN name. adminCount (which doesn't have an internal separator) is a LDAP display name. Admin-Count is the CN name.
msDS-Allowed-To-Act-On-Behalf-Of-Other-Identity is the CN name and msDSAllowedToActOnBehalfOfOtherIdentity is the LDAP display name.
There was a problem hiding this comment.
Another common name for this is 'impersonation.' e.g. can_impersonate. If it is a boolean, then we would have is_* has_* and can_* conventions. However this proposed attribute seems to be a string_t - not sure why.
Similarly, allowed_to_delegate_to could be can_delegate. Again as boolean but this is also an array.
These are a few that have pretty long names. With OCSF we try our best to keep attribute names as concise as possible. Can we look a bit deeper into ways to shorten these attribute names? While I understand there is an intent to keep these consistent with AD, OCSF and AD still have separate conventions and I am hesitant to deviate from OCSF by introducing large attribute names unless absolutely needed.
|
PavelJurka
force-pushed
the
1122-User-LdapPerson-Asure-AD-support
branch
from
bc354a3
to
f0c170a
Compare
mikeradka
added
v1.4.0 or later
Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND. - Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID - Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta - ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as #1136 already has a solution - Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them --------- Signed-off-by: Jonathan Rau <[email protected]> Co-authored-by: Rajas <[email protected]>
| }, | ||
| "allowed_to_delegate_to": { | ||
| "requirement": "optional" | ||
| }, |
There was a problem hiding this comment.
Why are these AD specific attributes included directly in the ldap_person object rather than included via the AD profile which is also applied? That is, these two will always be in the object even if the profile is not applied.
| @@ -154,6 +167,17 @@ | |||
| } | |||
| } | |||
| }, | |||
| "allowed_to_act_on_behalf_of_other_identity": { | |||
There was a problem hiding this comment.
Another common name for this is 'impersonation.' e.g. can_impersonate. If it is a boolean, then we would have is_* has_* and can_* conventions. However this proposed attribute seems to be a string_t - not sure why.
Similarly, allowed_to_delegate_to could be can_delegate. Again as boolean but this is also an array.
| "description": "The number of times the user tried to log on to the account using an incorrect password." | ||
| }, | ||
| "bad_password_time": { | ||
| "caption": "Bad Password Time", |
There was a problem hiding this comment.
Naming again. Not sure if these are native AD names. I would prefer 'failed_loginsornum_failed_logins. Also last_failed_loginorlast_failed_login_time`.
| "caption": "Consistency Guid", | ||
| "type": "string_t", | ||
| "description": "Is used to check consistency between the directory and another object, database, or application by comparing GUIDs." | ||
| }, |
There was a problem hiding this comment.
This one seems very specific, maybe to AD only? Should be type uuid_t.
| "creator_sid": { | ||
| "caption": "Creator SID", | ||
| "type": "string_t", | ||
| "description": "The security ID of the creator of the object that contains this attribute." |
There was a problem hiding this comment.
Windows specific - sid. Do we use strings or uids for sids? Can we use creator.uid already in dictionary? We can use this Windows name in the desc.
| "description": "roxy address of a user. For example [SMTP: [email protected], smtp: [email protected]]", | ||
| "type": "string_t", | ||
| "is_array": true | ||
| }, |
There was a problem hiding this comment.
Will this always be an email address? If so, we can use the email_t type. Also, a typo in the description of proxy.
| "caption": "Is Recycled", | ||
| "type": "boolean_t", | ||
| "description": "Identifies if the object has been added to the Recycle bin in Active Directory." | ||
| }, |
There was a problem hiding this comment.
This is a generic name with a specific to AD description.
| "caption": "Resultant PSO", | ||
| "type": "string_t", | ||
| "description": "The effective password policy applied on this object." | ||
| }, |
There was a problem hiding this comment.
Should this be a Policy data type? Is this specific to AD? What is a PSO?
| "caption": "SAM Account Type", | ||
| "type": "long_t", | ||
| "description": "This attribute contains information about every account type object." | ||
| }, |
There was a problem hiding this comment.
Windows specific sam_ prefixes. (Just keeping notes of these).
| "type": "string_t", | ||
| "description": "The unique identifiers of a service instance in Active Directory.", | ||
| "is_array": true | ||
| }, |
There was a problem hiding this comment.
We usually sort these attributes even if they are related (e.g. is_ stays together) but not absolute.
| "caption": "Last Known Parent", | ||
| "type": "string_t", | ||
| "description": "The Distinguished Name (DN) of the last known parent of an orphaned object." | ||
| }, |
There was a problem hiding this comment.
May need ldap_ because it is a DN or an object. A convention around objects like AD could be retrofitted to LDAP too (we would need to deprecate).
| "caption": "On Premises Distinguished Name", | ||
| "description": "The distinguished name of the user in the on-premises Active Directory.", | ||
| "type": "string_t" | ||
| }, |
There was a problem hiding this comment.
This is a difference between AD and Azure Entra ID?
|
We may need to break this PR down into a few smaller PRs - it is quite large with many new attributes, but is also very important to get right. |
There was a problem hiding this comment.
I echo @pagbabian-splunk's comment, these additions are much needed for the framework, but we need to break the PR down in smaller chunks. Perhaps you can target additions/enhancements to just one object at a time in a single PR.
Other things to consider -
- If you have sample events that you want to normalize, it will help us quite a bit to review.
- Consider re-using existing attributes before adding new ones. (Refer to Paul's inline comments)
- Consider all the specific data-types as you add new attributes, instead of defaulting to
string_t - Consider object creation to avoid redundancy in naming and re-usability of attributes. (e.g
on_premises_*vs onon_premises { * }) - Consider if you can create an object to group AD specific attributes together (thinking about re-usability and portability across the framework)
@pagbabian-splunk @mikeradka @zschmerber Feel free to add, if I missed anything.
| "type": "string_t", | ||
| "description": "Specifies all the groups in which the object is a member, directly or indirectly. See specific usage.", | ||
| "is_array": true | ||
| }, |
There was a problem hiding this comment.
Also, can the caption be made clearer?
Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND. - Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID - Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta - ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as ocsf#1136 already has a solution - Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them --------- Signed-off-by: Jonathan Rau <[email protected]> Co-authored-by: Rajas <[email protected]>
Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND. - Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID - Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta - ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as ocsf#1136 already has a solution - Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them --------- Signed-off-by: Jonathan Rau <[email protected]> Co-authored-by: Rajas <[email protected]>
Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND. - Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID - Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta - ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as ocsf#1136 already has a solution - Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them --------- Signed-off-by: Jonathan Rau <[email protected]> Co-authored-by: Rajas <[email protected]>
Related Issue: .
#1122
Description of changes:
This issue is about adding a few useful fields to LDAP user, User object and adding a way how to map Azure ID to it.