Proposal to add Datastore Event Class 6005

dictionary.json

@@ -1057,6 +1057,16 @@
       "description": "The additional data that is associated with the event or object. See specific usage.",
       "type": "json_t"
     },
+    "database": {
+      "caption": "Database",
+      "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
+      "type": "database"
+    },
+    "databucket": {
+      "caption": "Databucket",
+      "description": "The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
+      "type": "databucket"
+    },
     "data_sources": {
       "caption": "Data Sources",
       "description": "The data sources for the finding.",
@@ -2563,6 +2573,11 @@
       "description": "The Domain Name System (DNS) query.",
       "type": "dns_query"
     },
+    "query_info": {
+      "caption": "Query Info",
+      "description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.",
+      "type": "query_info"
+    },
     "query_string": {
       "caption": "HTTP Query String",
       "description": "The query portion of the URL. For example: the query portion of the URL <code>http://www.example.com/search?q=bad&sort=date</code> is <code>q=bad&sort=date</code>.",
@@ -3226,6 +3241,11 @@
       "description": "The system call that was invoked.",
       "type": "string_t"
     },
+    "table": {
+      "caption": "Table",
+      "description": "The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.",
+      "type": "table"
+    },
     "tactic": {
       "caption": "Tactic",
       "description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.",

events/application/datastore_activity.json

@@ -0,0 +1,83 @@
+{
+    "uid": 5,
+    "description": "Datastore events describe general activities (Read, Update, Query, Delete, etc.) which affect datastores or data within those datastores, e.g. (AWS RDS, AWS S3)",
+    "extends": "application",
+    "caption": "Datastore Activity",
+    "name": "datastore_activity",
+    "attributes": {
+        "activity_id": {
+            "enum": {
+                "1": {
+                    "caption": "Read",
+                    "description": "The datastore activity in the event pertains to a 'Read' operation."
+                },
+                "2": {
+                    "caption": "Update",
+                    "description": "The datastore activity in the event pertains to a 'Update' operation."
+                },
+                "3": {
+                    "caption": "Connect",
+                    "description": "The datastore activity in the event pertains to a 'Connect' operation."
+                },
+                "4": {
+                    "caption": "Query",
+                    "description": "The datastore activity in the event pertains to a 'Query' operation."
+                },
+                "5": {
+                    "caption": "Write",
+                    "description": "The datastore activity in the event pertains to a 'Write' operation."
+                },
+                "6": {
+                    "caption": "Create",
+                    "description": "The datastore activity in the event pertains to a 'Create' operation."
+                },
+                "7": {
+                    "caption": "Delete",
+                    "description": "The datastore activity in the event pertains to a 'Delete' operation."
+                }
+            }
+        },
+        "database": {
+            "group": "primary",
+            "requirement": "recommended"
+        },
+        "databucket": {
+            "group": "primary",
+            "requirement": "recommended"
+        },
+        "table": {
+            "group": "primary",
+            "requirement": "optional"
+        },
+        "query_info": {
+            "group": "primary",
+            "requirement": "optional"
+        },
+        "dst_endpoint": {
+            "description": "Details about the endpoint hosting the datastore application or service.",
+            "group": "primary",
+            "requirement": "optional"
+        },
+        "http_request": {
+            "description": "Details about the underlying http request.",
+            "group": "primary",
+            "requirement": "optional"
+        },
+        "actor": {
+            "group": "primary",
+            "requirement": "required"
+        },
+        "src_endpoint": {
+            "description": "Details about the source of the activity.",
+            "group": "primary",
+            "requirement": "required"
+        }
+    },
+    "constraints": {
+      "at_least_one": [
+        "database",
+        "databucket",
+        "table"
+    ]
+  }
+}

objects/database.json

@@ -0,0 +1,71 @@
+{
+  "caption": "Database",
+  "description": "The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.",
+  "extends": "_entity",
+  "name": "database",
+  "attributes": {
+    "created_time": {
+      "description": "The time when the database was known to have been created.",
+      "requirement": "optional"
+    },
+    "modified_time": {
+      "description": "The most recent time when any changes, updates, or modifications were made within the database.",
+      "requirement": "optional"
+    },
+    "desc": {
+      "caption": "Description",
+      "requirement": "optional"
+    },
+    "size": {
+      "description": "The size of database, in bytes.",
+      "requirement": "optional"
+    },
+    "groups": {
+      "description": "The group names to which the database belongs.",
+      "requirement": "optional"
+    },
+    "type": {
+      "description": "The database type.",
+      "requirement": "recommended"
+    },
+    "type_id": {
+      "description": "The normalized identifier of the database type.",
+      "requirement": "required",
+      "enum": {
+        "0": {
+          "caption": "Unknown"
+        },
+        "1": {
+          "caption": "Relational"
+        },
+        "2": {
+          "caption": "Network"
+        },
+        "3": {
+          "caption": "Object Oriented"
+        },
+        "3": {
+          "caption": "Cloud"
+        },
+        "4": {
+          "caption": "Centralized"
+        },
+        "5": {
+          "caption": "Operational"
+        },
+        "6": {
+          "caption": "NoSQL"
+        },
+        "99": {
+          "caption": "Other"
+        }
+      }
+    },
+    "name": {
+      "description": "The database name, ordinarily as assigned by a database administrator."
+    },
+    "uid": {
+      "description": "The unique identifier of the database."
+    }
+  }
+}

objects/databucket.json

@@ -0,0 +1,64 @@
+{
+  "caption": "Databucket",
+  "description": "The data bucket object is a basic container that holds data, typically organized through the use of data partitions.",
+  "extends": "_entity",
+  "name": "databucket",
+  "attributes": {
+    "created_time": {
+      "description": "The time when the databucket was known to have been created.",
+      "requirement": "optional"
+    },
+    "modified_time": {
+      "description": "The most recent time when any changes, updates, or modifications were made within the databucket.",
+      "requirement": "optional"
+    },
+    "desc": {
+      "caption": "Description",
+      "description": "The description of the databucket.",
+      "requirement": "optional"
+    },
+    "size": {
+      "description": "The size of data bucket, in bytes.",
+      "requirement": "optional"
+    },
+    "file": {
+      "description": "A file within a databucket.",
+      "requirement": "optional"
+    },
+    "groups": {
+      "description": "The group names to which the databucket belongs.",
+      "requirement": "optional"
+    },
+    "type": {
+      "description": "The database type.",
+      "requirement": "recommended"
+    },
+    "type_id": {
+      "description": "The normalized identifier of the databucket type.",
+      "requirement": "required",
+      "enum": {
+        "0": {
+          "caption": "Unknown"
+        },
+        "1": {
+          "caption": "S3"
+        },
+        "2": {
+          "caption": "Azure Blob"
+        },
+        "3": {
+          "caption": "GCP Bucket"
+        },
+        "99": {
+          "caption": "Other"
+        }
+      }
+    },
+    "name": {
+      "description": "The databucket name."
+    },
+    "uid": {
+      "description": "The unique identifier of the databucket."
+    }
+  }
+}

objects/query_info.json

@@ -0,0 +1,31 @@
+{
+  "caption": "Query Information",
+  "description": "The query info object contains data relating to accessing data within a datastore. If you need to access, manipulate, delete, or retrieve data from a datastore, you'll need a database query written using a specific syntax.",
+  "extends": "_entity",
+  "name": "query_info",
+  "attributes": {
+    "query_time": {
+      "description": "The time when the query was run.",
+      "requirement": "optional"
+    },
+    "query_string": {
+      "caption": "Query String",
+      "description": "A string representing the query code being run. For example: SELECT *</code>",
+      "requirement": "required"
+    },
+    "data": {
+      "description": "The data returned from the query execution.",
+      "requirement": "optional"
+    },
+    "bytes": {
+      "description": "The size of the data returned from the query.",
+      "requirement": "optional"
+    },
+    "name": {
+      "description": "The query name for a saved or scheduled query."
+    },
+    "uid": {
+      "description": "The unique identifier of the query."
+    }
+  }
+}

objects/table.json

@@ -0,0 +1,35 @@
+{
+  "caption": "Table",
+  "description": "The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.",
+  "extends": "_entity",
+  "name": "table",
+  "attributes": {
+    "created_time": {
+      "description": "The time when the table was known to have been created.",
+      "requirement": "optional"
+    },
+    "modified_time": {
+      "description": "The most recent time when any changes, updates, or modifications were made within the table.",
+      "requirement": "optional"
+    },
+    "desc": {
+      "caption": "Description",
+      "description": "The description of the table.",
+      "requirement": "optional"
+    },
+    "size": {
+      "description": "The size of data table, in bytes.",
+      "requirement": "optional"
+    },
+    "groups": {
+      "description": "The group names to which the table belongs.",
+      "requirement": "optional"
+    },
+    "name": {
+      "description": "The table name, ordinarily as assigned by a database administrator."
+    },
+    "uid": {
+      "description": "The unique identifier of the table."
+    }
+  }
+}