diff --git a/dictionary.json b/dictionary.json
index d90eb9155..700a186a9 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -1057,6 +1057,16 @@
 "description": "The additional data that is associated with the event or object. See specific usage.",
 "type": "json_t"
 },
+ "database": {
+ "caption": "Database",
+ "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
+ "type": "database"
+ },
+ "databucket": {
+ "caption": "Databucket",
+ "description": "The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
+ "type": "databucket"
+ },
 "data_sources": {
 "caption": "Data Sources",
 "description": "The data sources for the finding.",
@@ -2563,6 +2573,11 @@
 "description": "The Domain Name System (DNS) query.",
 "type": "dns_query"
 },
+ "query_info": {
+ "caption": "Query Info",
+ "description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.",
+ "type": "query_info"
+ },
 "query_string": {
 "caption": "HTTP Query String",
 "description": "The query portion of the URL. For example: the query portion of the URL http://www.example.com/search?q=bad&sort=date is q=bad&sort=date.",
@@ -3226,6 +3241,11 @@
 "description": "The system call that was invoked.",
 "type": "string_t"
 },
+ "table": {
+ "caption": "Table",
+ "description": "The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.",
+ "type": "table"
+ },
 "tactic": {
 "caption": "Tactic",
 "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by ATT&CK MatrixTM.",
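Review bot: The `database` description added in the first hunk reads "structured and unstructured data or a types of data", and the identical sentence is copied into objects/database.json, so the slip will surface twice in generated documentation; suggest `"description": "The database object is used for databases, which are typically datastore services that contain an organized collection of structured and unstructured data."`. The `databucket` entry in the same hunk calls it "The data bucket object" while objects/databucket.json in this commit says "The databucket object"; since the object file carries its own description, the two texts should be identical, or the dictionary entry should be the single source, to avoid drift between dictionary and schema.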
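Review bot: The `query_info` entry's caption `Query Info` and its description ("a database query must be written") differ from objects/query_info.json in this same commit, which uses `Query Information` and "a query must be written"; pick one caption and one sentence so the dictionary and the object do not describe the same type differently. The new object also reuses the existing `query_string` attribute whose caption, visible in this hunk's context, is `HTTP Query String` and whose description is the URL query portion; the object-level override in query_info.json handles display, but the shared attribute now has two meanings and the dictionary description should say so, e.g. append `When used in the query_info object, this attribute holds the datastore query text.`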
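Review bot: The `table` description in the third hunk has "are able to be create, updated, deleted and queried"; it should read `created`. The same sentence is duplicated in objects/table.json, so the fix applies there as well.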
diff --git a/events/application/datastore_activity.json b/events/application/datastore_activity.json
new file mode 100644
index 000000000..df8c02f45
--- /dev/null
+++ b/events/application/datastore_activity.json
@@ -0,0 +1,83 @@
+{
+ "uid": 5,
+ "description": "Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3).",
+ "extends": "application",
+ "caption": "Datastore Activity",
+ "name": "datastore_activity",
+ "attributes": {
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Read",
+ "description": "The datastore activity in the event pertains to a 'Read' operation."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "The datastore activity in the event pertains to a 'Update' operation."
+ },
+ "3": {
+ "caption": "Connect",
+ "description": "The datastore activity in the event pertains to a 'Connect' operation."
+ },
+ "4": {
+ "caption": "Query",
+ "description": "The datastore activity in the event pertains to a 'Query' operation."
+ },
+ "5": {
+ "caption": "Write",
+ "description": "The datastore activity in the event pertains to a 'Write' operation."
+ },
+ "6": {
+ "caption": "Create",
+ "description": "The datastore activity in the event pertains to a 'Create' operation."
+ },
+ "7": {
+ "caption": "Delete",
+ "description": "The datastore activity in the event pertains to a 'Delete' operation."
+ }
+ }
+ },
+ "database": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "databucket": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "table": {
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "query_info": {
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "dst_endpoint": {
+ "description": "Details about the endpoint hosting the datastore application or service.",
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "http_request": {
+ "description": "Details about the underlying http request.",
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "actor": {
+ "group": "primary",
+ "requirement": "required"
+ },
+ "src_endpoint": {
+ "description": "Details about the source of the activity.",
+ "group": "primary",
+ "requirement": "required"
+ }
+ },
+ "constraints": {
+ "at_least_one": [
+ "database",
+ "databucket",
+ "table"
+ ]
+ }
+}
diff --git a/objects/database.json b/objects/database.json
new file mode 100644
index 000000000..301a69530
--- /dev/null
+++ b/objects/database.json
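Review bot: The `activity_id` enum starts at `"1"` and has no `"0"` Unknown / `"99"` Other entries, whereas every `type_id` enum added in this commit carries both; a producer that sees an operation outside the seven listed (a permission change on a bucket, for instance) has no value to emit and will either drop the event or mislabel it, which is the worst outcome for a detection pipeline. Suggest adding `"0": { "caption": "Unknown", "description": "The datastore activity is unknown." }` and `"99": { "caption": "Other", "description": "The datastore activity is not mapped. See the activity_name attribute." }` following the pattern of the other enums. The descriptions also do not say how `Read` differs from `Query`, nor `Write` from `Update` and `Create`, so two producers will map the same statement differently and rules keyed on `activity_id` become unreliable; one sentence per value stating the intended distinction would fix that. Minor wording: `"a 'Update' operation"` → `"an 'Update' operation"`, and `"underlying http request"` → `"underlying HTTP request"`. The hunk begins on the previous line of this page, so the class header is not shown next to these notes.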
@@ -0,0 +1,71 @@
+{
+ "caption": "Database",
+ "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
+ "extends": "_entity",
+ "name": "database",
+ "attributes": {
+ "created_time": {
+ "description": "The time when the database was known to have been created.",
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The most recent time when any changes, updates, or modifications were made within the database.",
+ "requirement": "optional"
+ },
+ "desc": {
+ "caption": "Description",
+ "requirement": "optional"
+ },
+ "size": {
+ "description": "The size of the database in bytes.",
+ "requirement": "optional"
+ },
+ "groups": {
+ "description": "The group names to which the database belongs.",
+ "requirement": "optional"
+ },
+ "type": {
+ "description": "The database type.",
+ "requirement": "recommended"
+ },
+ "type_id": {
+ "description": "The normalized identifier of the database type.",
+ "requirement": "required",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Relational"
+ },
+ "2": {
+ "caption": "Network"
+ },
+ "3": {
+ "caption": "Object Oriented"
+ },
+ "3": {
+ "caption": "Cloud"
+ },
+ "4": {
+ "caption": "Centralized"
+ },
+ "5": {
+ "caption": "Operational"
+ },
+ "6": {
+ "caption": "NoSQL"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ }
+ },
+ "name": {
+ "description": "The database name, ordinarily as assigned by a database administrator."
+ },
+ "uid": {
+ "description": "The unique identifier of the database."
+ }
+ }
+}
diff --git a/objects/databucket.json b/objects/databucket.json
new file mode 100644
index 000000000..a27f36487
--- /dev/null
+++ b/objects/databucket.json
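Review bot: The `type_id` enum defines key `"3"` twice ("Object Oriented" and "Cloud"); strict JSON forbids duplicate names and most parsers keep the last occurrence, so "Object Oriented" is silently dropped and the later entries are numbered one lower than intended, which any producer that has already mapped against this file will carry into its events. Renumber `Cloud` to `"4"`, `Centralized` to `"5"`, `Operational` to `"6"` and `NoSQL` to `"7"`, keeping `"0"` Unknown and `"99"` Other, and have the build validate the schema with a duplicate-key-rejecting parser so this cannot recur. The `desc` attribute here carries only a caption while databucket.json and table.json in this commit give it a description; add `"description": "The description of the database."` for consistency. The object description repeats the "or a types of data" wording from dictionary.json and should be corrected in both places.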
@@ -0,0 +1,64 @@
+{
+ "caption": "Databucket",
+ "description": "The databucket object is a basic container that holds data, typically organized through the use of data partitions.",
+ "extends": "_entity",
+ "name": "databucket",
+ "attributes": {
+ "created_time": {
+ "description": "The time when the databucket was known to have been created.",
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The most recent time when any changes, updates, or modifications were made within the databucket.",
+ "requirement": "optional"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the databucket.",
+ "requirement": "optional"
+ },
+ "size": {
+ "description": "The size of the databucket in bytes.",
+ "requirement": "optional"
+ },
+ "file": {
+ "description": "A file within a databucket.",
+ "requirement": "optional"
+ },
+ "groups": {
+ "description": "The group names to which the databucket belongs.",
+ "requirement": "optional"
+ },
+ "type": {
+ "description": "The databucket type.",
+ "requirement": "recommended"
+ },
+ "type_id": {
+ "description": "The normalized identifier of the databucket type.",
+ "requirement": "required",
+ "enum": {
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "S3"
+ },
+ "2": {
+ "caption": "Azure Blob"
+ },
+ "3": {
+ "caption": "GCP Bucket"
+ },
+ "99": {
+ "caption": "Other"
+ }
+ }
+ },
+ "name": {
+ "description": "The databucket name."
+ },
+ "uid": {
+ "description": "The unique identifier of the databucket."
+ }
+ }
+}
diff --git a/objects/query_info.json b/objects/query_info.json
new file mode 100644
index 000000000..1f2918bdc
--- /dev/null
+++ b/objects/query_info.json
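Review bot: The `type_id` captions mix a bare product name (`S3`), a product family (`Azure Blob`) and a provider-plus-generic form (`GCP Bucket`); a consistent form such as the providers' product names (`Amazon S3`, `Azure Blob Storage`, `Google Cloud Storage`) makes mapping tables easier to maintain and to match against provider log fields. Any other object store falls into `99` Other, which is acceptable, but the `type_id` description should say so, e.g. `"The normalized identifier of the databucket type. Object stores not listed map to 99 (Other)."`.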
@@ -0,0 +1,31 @@
+{
+ "caption": "Query Information",
+ "description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a query must be written using a specific syntax.",
+ "extends": "_entity",
+ "name": "query_info",
+ "attributes": {
+ "query_time": {
+ "description": "The time when the query was run.",
+ "requirement": "optional"
+ },
+ "query_string": {
+ "caption": "Query String",
+ "description": "A string representing the query code being run. For example: SELECT * FROM my_table",
+ "requirement": "required"
+ },
+ "data": {
+ "description": "The data returned from the query execution.",
+ "requirement": "optional"
+ },
+ "bytes": {
+ "description": "The size of the data returned from the query.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The query name for a saved or scheduled query."
+ },
+ "uid": {
+ "description": "The unique identifier of the query."
+ }
+ }
+}
diff --git a/objects/table.json b/objects/table.json
new file mode 100644
index 000000000..48eff1fee
--- /dev/null
+++ b/objects/table.json
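Review bot: `query_string` is the object's required attribute and `data` is described as "The data returned from the query execution", so an event in this class can carry the full statement text plus a result set; that is exactly where embedded credentials (a user-creation statement with an inline password, a literal in an INSERT) and regulated personal data end up in the log pipeline, and nothing in the object tells producers to redact or bound either field. Suggest stating the expectation in the descriptions, e.g. for `query_string` append `Producers should redact literals that may contain secrets and truncate very long statements.` and for `data` append `Populate only when consumers need the result; prefer bytes or row counts for high-volume queries.`. `bytes` says "The size of the data returned from the query" without a unit while every `size` attribute in this commit says "in bytes"; append `in bytes`. The caption here is `Query Information` while dictionary.json says `Query Info`; make them match.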
@@ -0,0 +1,35 @@
+{
+ "caption": "Table",
+ "description": "The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.",
+ "extends": "_entity",
+ "name": "table",
+ "attributes": {
+ "created_time": {
+ "description": "The time when the table was known to have been created.",
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The most recent time when any changes, updates, or modifications were made within the table.",
+ "requirement": "optional"
+ },
+ "desc": {
+ "caption": "Description",
+ "description": "The description of the table.",
+ "requirement": "optional"
+ },
+ "size": {
+ "description": "The size of the data table in bytes.",
+ "requirement": "optional"
+ },
+ "groups": {
+ "description": "The group names to which the table belongs.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The table name, ordinarily as assigned by a database administrator."
+ },
+ "uid": {
+ "description": "The unique identifier of the table."
+ }
+ }
+}
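Review bot: The description says rows "that are able to be create, updated, deleted and queried"; `create` → `created` (the same text is in the dictionary.json entry for `table`). The `size` description reads "the data table" where database.json and databucket.json say "the database" / "the databucket"; `"The size of the table in bytes."` keeps the three files parallel. Unlike `databucket`, which includes a `file` attribute, this object has no attribute tying a table to its `database`; if that relation is meant to be expressed only at the event level, where `database` and `table` are siblings under `at_least_one`, a sentence in the object description saying so would help consumers correlate the two.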