From a76f0878b8fbd94c45901f87606d8351c2b953bd Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Fri, 4 Oct 2024 11:59:45 -0700
Subject: [PATCH 1/9] Removed the constraint from group_managenment.

Signed-off-by: Paul Agbabian
---
 events/iam/group_management.json | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/events/iam/group_management.json b/events/iam/group_management.json
index b5b873c50..a3899c525 100644
--- a/events/iam/group_management.json
+++ b/events/iam/group_management.json
@@ -53,11 +53,5 @@
 "group": "primary",
 "requirement": "recommended"
 }
- },
- "constraints": {
- "at_least_one": [
- "privileges",
- "user"
- ]
 }
 }
\ No newline at end of file
From 5b68b7fe32e8d23035063c5e0b44085c7504fd91 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Wed, 20 Nov 2024 13:50:24 -0800
Subject: [PATCH 2/9] Deprecated the email_url_activity and email_file_activity classes in favor of an updated email_activity class. Updated the email object to include domains, files, urls arrays. Updated the email_activity class to add the message_trace_uid ID. Updated the email_activity class to use the references[] for the Trace activity_id instead of the description URL. Updated the email_activity class description to reflect its SMTP protocol and the possible URLs and files attachments.

Signed-off-by: Paul Agbabian
---
 dictionary.json | 23 +++++++++++++++++++++++
 events/network/email_activity.json | 13 +++++++++++--
 events/network/email_file_activity.json | 4 ++++
 events/network/email_url_activity.json | 4 ++++
 objects/email.json | 14 +++++++++++++-
 5 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/dictionary.json b/dictionary.json
index 8639d8601..b668abfcf 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -1781,6 +1781,12 @@
 "type": "domain_contact",
 "is_array": true
 },
+ "domains": {
+ "caption": "Domains",
+ "description": "The domains that pertain to the event or object",
+ "type": "string_t",
+ "is_array": true
+ },
 "driver": {
 "caption": "Kernel Driver",
 "description": "The driver that was loaded/unloaded into the kernel",
@@ -2083,6 +2089,12 @@
 "description": "The result of the file change. It should contain the new values of the changed attributes.",
 "type": "file"
 },
+ "files": {
+ "caption": "Files",
+ "description": "The files that are part of the event or object",
+ "type": "file",
+ "is_array": true
+ },
 "finding": {
 "caption": "Finding",
 "description": "The Finding object provides details about a finding/detection generated by a security tool.",
@@ -3083,6 +3095,11 @@
 "description": "The description of the event/finding, as defined by the source.",
 "type": "string_t"
 },
+ "message_trace_uid": {
+ "caption": "Message Trace UID",
+ "description": "The identifier that tracks a message that travels through multiple points of a messaging service.",
+ "type": "string_t"
+ },
 "message_uid": {
 "caption": "Message UID",
 "description": "The email header Message-ID value, as defined by RFC 5322.",
@@ -5014,6 +5031,12 @@
 "description": "The URL string. See RFC 1738. For example: http://www.example.com/download/trouble.exe.",
 "type": "url_t"
 },
+ "urls": {
+ "caption": "URLs",
+ "description": "The URLs that pertain to the event or object.",
+ "type": "url",
+ "is_array": true
+ },
 "user": {
 "caption": "User",
 "description": "The user that pertains to the event or object.",
diff --git a/events/network/email_activity.json b/events/network/email_activity.json
index f37bf43bb..a828f739f 100644
--- a/events/network/email_activity.json
+++ b/events/network/email_activity.json
@@ -2,7 +2,7 @@
 "uid": 9,
 "caption": "Email Activity",
 "category": "network",
- "description": "Email events report activities of emails.",
+ "description": "Email Activity events report SMTP protocol and email activities including those with embedded URLs and files. See the Email object for details.",
 "extends": "base_event",
 "name": "email_activity",
 "attributes": {
@@ -25,7 +25,8 @@
 },
 "4": {
 "caption": "Trace",
- "description": "Follow an email message as it travels through an organization. For example: O365 Email Message Trace."
+ "description": "Follow an email message as it travels through an organization. The message_trace_uid should be populated when selected.",
+ "references": [{"url": "href='https://learn.microsoft.com/en-us/Exchange/monitoring/trace-an-email-message/message-trace-modern-eac", "description": "For example O365 Email Message Trace"}]
 }
 }
 },
@@ -82,6 +83,14 @@
 "group": "primary",
 "requirement": "recommended"
 },
+ "email_uid": {
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "message_trace_uid": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
 "smtp_hello": {
 "description": "The value of the SMTP HELO or EHLO command sent by the initiator (client).",
 "group": "primary",
diff --git a/events/network/email_file_activity.json b/events/network/email_file_activity.json
index f99953b37..daf7a4cf8 100644
--- a/events/network/email_file_activity.json
+++ b/events/network/email_file_activity.json
@@ -5,6 +5,10 @@
 "description": "Email File Activity events report files within emails.",
 "extends": "base_event",
 "name": "email_file_activity",
+ "@deprecated": {
+ "message": "Use the Email Activity class with the email.files[] array instead.",
+ "since": "1.3.0"
+ },
 "attributes": {
 "$include": [
 "profiles/host.json",
diff --git a/events/network/email_url_activity.json b/events/network/email_url_activity.json
index 8877af62f..7386eef07 100644
--- a/events/network/email_url_activity.json
+++ b/events/network/email_url_activity.json
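Review bot: The `url` value in the new `references` entry for the `Trace` activity in events/network/email_activity.json is `"href='https://learn.microsoft.com/..."`, so a stray `href='` prefix and an unbalanced quote have been pasted into the URL string and any consumer that renders or validates it as a URL gets a broken link; the value should be the bare `https://...` URL, as the existing `references` entry in objects/email.json in this same patch is written. Patch 8 of this series reverts this hunk as erroneously included, so the fix belongs on the email_update branch the hunk came from. The `email_uid` attribute added in the third hunk of this file is given `"requirement": "optional"`, which patch 4 then removes because validation failed; dropping the requirement level rather than the cause is worth a second look on that branch, though what the validator objected to is not visible here.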
@@ -5,6 +5,10 @@
 "description": "Email URL Activity events report URLs within an email.",
 "extends": "base_event",
 "name": "email_url_activity",
+ "@deprecated": {
+ "message": "Use the Email Activity class with the email.urls[] array instead.",
+ "since": "1.3.0"
+ },
 "attributes": {
 "$include": [
 "profiles/host.json",
diff --git a/objects/email.json b/objects/email.json
index bb2fe88e9..7d6067598 100644
--- a/objects/email.json
+++ b/objects/email.json
@@ -1,7 +1,7 @@
 {
 "caption": "Email",
 "name": "email",
- "description": "The Email object describes the email metadata such as sender, recipients, and direction.",
+ "description": "The Email object describes the email metadata such as sender, recipients, and direction, and can include embedded URLs and files.",
 "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Email/", "description": "D3FEND™ Ontology d3f:Email."}],
 "extends": "object",
 "observable": 22,
@@ -18,6 +18,14 @@
 "delivered_to": {
 "requirement": "optional"
 },
+ "domains": {
+ "requirement": "optional",
+ "description": "The domain names that pertain to the email sender or recipients."
+ },
+ "files": {
+ "requirement": "optional",
+ "description": "The files embedded or attached to the email."
+ },
 "from": {
 "requirement": "required"
 },
@@ -51,6 +59,10 @@
 "to": {
 "requirement": "required"
 },
+ "urls": {
+ "requirement": "optional",
+ "description": "The URLs embedded in the email."
+ },
 "x_originating_ip": {
 "requirement": "optional"
 },
From df7fc1805c0e910e698947e19a9cf8b1b221befd Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Wed, 20 Nov 2024 14:01:17 -0800
Subject: [PATCH 3/9] Added changed for PR #1259

Signed-off-by: Paul Agbabian
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 800cde373..0369b72bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -74,6 +74,7 @@ Thankyou! -->
 1. Added new `11: Basic Authentication` enum value to `auth_protocol_id`. #1239
 1. Added `values` as an array of `string_t`. #1251
 1. Added `kernel_release` as a `string_t`.
+ 1. Added `domains` `files` `urls` and `message_trace_uid`. #1259
 * #### Objects
 1. Added `environment_variable` object. #1172
 1. Added `advisory` object. #1176
@@ -92,6 +93,7 @@ Thankyou! -->
 1. Removed constraint from `group_management` class. #1193
 1. Added `Archived|5` as an enum item to `status_id` attribute in Findings classes. #1219
 1. Added a `Trace` `activity_id` to the `Email Activity` class. #1252
+ 1. Added a `message_trace_uid` to the `Email Activity` class. #1259
 * #### Profiles
 1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178
 1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile. #1178
@@ -127,6 +129,7 @@ Thankyou! -->
 1. Added `hostname`, `ip`, and `name` to `resource_details` for purposes of assigning an Observable number. #1250
 1. Added `values` to `key_value_object`. #1251
 1. Added `kernel_release` to `os` object.
+ 1. Added `domains` `files` `urls` to the `Email` object. #1259
 ### Bugfixes
 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180
@@ -143,6 +146,7 @@ Thankyou! -->
 1. Deprecated `imei` in favor of `imei_list` in `device` object. #1225
 1. Deprecated `data_classification` in favor of `data_classifications` in the `data_classification` profile. #1245
 1. Deprecated activity_id `4|Suppressed` in the Data Security Finding event class. This shouldn't have been added when we first created it, as the right place for this info is `status_id`. #1245
+1. Deprecated `email_file_activity` and `email_url_activity` in favor of updated `email_activity`. #1259
 ### Misc
 1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
From e69358f43fd444ed2c48c9c707f87bbcdcec90f0 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Wed, 20 Nov 2024 14:06:32 -0800
Subject: [PATCH 4/9] removed the optional tag for email_uid as it was causing the validation to fail!!

Signed-off-by: Paul Agbabian
---
 events/network/email_activity.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/events/network/email_activity.json b/events/network/email_activity.json
index a828f739f..5bc8b2444 100644
--- a/events/network/email_activity.json
+++ b/events/network/email_activity.json
@@ -84,8 +84,7 @@
 "requirement": "recommended"
 },
 "email_uid": {
- "group": "primary",
- "requirement": "optional"
+ "group": "primary"
 },
 "message_trace_uid": {
 "group": "primary",
From 8f2ac7072df8078fccaacd936f0cbcc864790110 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Wed, 20 Nov 2024 14:15:43 -0800
Subject: [PATCH 5/9] Relaxed the requirement of 'from' and 'to' to be recommended, and added an at_least_one constraint on all the to and from attributes. Not all email logs have the 'to' and 'from' but must have at least those or 'smtp_to' and 'smtp_from' in the log.

Signed-off-by: Paul Agbabian
---
 objects/email.json | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/objects/email.json b/objects/email.json
index 7d6067598..79bfd768e 100644
--- a/objects/email.json
+++ b/objects/email.json
@@ -27,7 +27,7 @@
 "description": "The files embedded or attached to the email."
 },
 "from": {
- "requirement": "required"
+ "requirement": "recommended"
 },
 "http_headers": {
 "requirement": "optional"
@@ -57,7 +57,7 @@
 "requirement": "recommended"
 },
 "to": {
- "requirement": "required"
+ "requirement": "recommended"
 },
 "urls": {
 "requirement": "optional",
@@ -71,5 +71,13 @@
 "description": "The email unique identifier.",
 "requirement": "recommended"
 }
+ },
+ "constraints": {
+ "at_least_one": [
+ "from",
+ "to",
+ "smtp_from",
+ "smtp_to"
+ ]
 }
 }
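Review bot: The `at_least_one` constraint added at the end of objects/email.json is weaker than the rule the commit message states: a single group over `from`, `to`, `smtp_from` and `smtp_to` is satisfied by a record that carries only `to` (or only `smtp_to`), i.e. an email with no sender attribute at all, whereas the message says a log must have the `from`/`to` pair or the `smtp_from`/`smtp_to` pair. Because `constraints` is a JSON object a second `at_least_one` key cannot be added, so if the metaschema has no way to express the pair-wise rule, the descriptions of `from` and `smtp_from` should at least state that one of them is expected to be populated, so consumers relying on a sender for detection logic know what to check. Patch 9 in this series reverts this hunk as erroneously included, so the point applies to the email_update branch it came from rather than to the final state here.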
From 4e172303ba4f921da052cb9167f29835033015ec Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Wed, 20 Nov 2024 14:20:08 -0800
Subject: [PATCH 6/9] Added the constraint and relaxed requirement to the email object.

Signed-off-by: Paul Agbabian
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0369b72bd..fcb30c13e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -129,7 +129,7 @@ Thankyou! -->
 1. Added `hostname`, `ip`, and `name` to `resource_details` for purposes of assigning an Observable number. #1250
 1. Added `values` to `key_value_object`. #1251
 1. Added `kernel_release` to `os` object.
- 1. Added `domains` `files` `urls` to the `Email` object. #1259
+ 1. Added `domains` `files` `urls` to the `Email` object. Relaxed requirements on the `from` and `to` attributes and added the `at_least_one` constraint. #1259
 ### Bugfixes
 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180
From 9b63ed28d12e3d72325d0a9950f5a7885c55ebb9 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Wed, 20 Nov 2024 15:38:12 -0800
Subject: [PATCH 7/9] Added a 'family' meta schema keyword for grouping of classes in a category. Updated the Discovery classes with their families of Query, Inventory, State.
Signed-off-by: Paul Agbabian
---
 events/discovery/admin_group_query.json | 1 +
 events/discovery/cloud_resources_inventory_info.json | 1 +
 events/discovery/config_state.json | 1 +
 events/discovery/device_config_state_change.json | 1 +
 events/discovery/discovery_result.json | 1 +
 events/discovery/file_query.json | 1 +
 events/discovery/folder_query.json | 1 +
 events/discovery/inventory_info.json | 1 +
 events/discovery/job_query.json | 1 +
 events/discovery/kernel_object_query.json | 1 +
 events/discovery/module_query.json | 1 +
 events/discovery/network_connection_query.json | 1 +
 events/discovery/networks_query.json | 1 +
 events/discovery/osint_inventory_info.json | 1 +
 events/discovery/patch_state.json | 1 +
 events/discovery/peripheral_device_query.json | 1 +
 events/discovery/process_query.json | 1 +
 events/discovery/service_query.json | 1 +
 events/discovery/session_query.json | 1 +
 events/discovery/software_info.json | 1 +
 events/discovery/startup_item_query.json | 1 +
 events/discovery/user_inventory.json | 1 +
 events/discovery/user_query.json | 1 +
 metaschema/event.schema.json | 4 ++++
 24 files changed, 27 insertions(+)

diff --git a/events/discovery/admin_group_query.json b/events/discovery/admin_group_query.json
index 58e93ef8f..ea232730b 100644
--- a/events/discovery/admin_group_query.json
+++ b/events/discovery/admin_group_query.json
@@ -4,6 +4,7 @@
 "description": "Admin Group Query events report information about administrative groups.",
 "extends": "discovery_result",
 "name": "admin_group_query",
+ "family": "Query",
 "attributes": {
 "group": {
 "description": "The administrative group.",
diff --git a/events/discovery/cloud_resources_inventory_info.json b/events/discovery/cloud_resources_inventory_info.json
index 08616076f..c925dd624 100644
--- a/events/discovery/cloud_resources_inventory_info.json
+++ b/events/discovery/cloud_resources_inventory_info.json
@@ -4,6 +4,7 @@
 "description": "Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.",
 "extends": "discovery",
 "name": "cloud_resources_inventory_info",
+ "family": "Inventory",
 "attributes": {
 "cloud": {
 "profile": null,
diff --git a/events/discovery/config_state.json b/events/discovery/config_state.json
index 5cd879c01..108157694 100644
--- a/events/discovery/config_state.json
+++ b/events/discovery/config_state.json
@@ -4,6 +4,7 @@
 "description": "Device Config State events report device configuration data and CIS Benchmark results.",
 "extends": "discovery",
 "name": "config_state",
+ "family": "State",
 "attributes": {
 "actor": {
 "group": "context",
diff --git a/events/discovery/device_config_state_change.json b/events/discovery/device_config_state_change.json
index b6e6ab964..3570feb6e 100644
--- a/events/discovery/device_config_state_change.json
+++ b/events/discovery/device_config_state_change.json
@@ -4,6 +4,7 @@
 "description": "Device Config State Change events report state changes that impact the security of the device.",
 "extends": "discovery",
 "name": "device_config_state_change",
+ "family": "State",
 "attributes": {
 "actor": {
 "group": "context",
diff --git a/events/discovery/discovery_result.json b/events/discovery/discovery_result.json
index 9e3869be0..6aebe766b 100644
--- a/events/discovery/discovery_result.json
+++ b/events/discovery/discovery_result.json
@@ -4,6 +4,7 @@
 "description": "Discovery Result events report the results of a discovery request.",
 "extends": "base_event",
 "name": "discovery_result",
+ "family": "Query",
 "attributes": {
 "$include": [
 "profiles/host.json"
diff --git a/events/discovery/file_query.json b/events/discovery/file_query.json
index 733a456f5..2bfe6f5e6 100644
--- a/events/discovery/file_query.json
+++ b/events/discovery/file_query.json
@@ -4,6 +4,7 @@
 "description": "File Query events report information about files that are present on the system.",
 "extends": "discovery_result",
 "name": "file_query",
+ "family": "Query",
 "attributes": {
 "file": {
 "description": "The file that is the target of the query.",
diff --git a/events/discovery/folder_query.json b/events/discovery/folder_query.json
index 02229c2bb..3b3bfe1d3 100644
--- a/events/discovery/folder_query.json
+++ b/events/discovery/folder_query.json
@@ -4,6 +4,7 @@
 "description": "Folder Query events report information about folders that are present on the system.",
 "extends": "discovery_result",
 "name": "folder_query",
+ "family": "Query",
 "attributes": {
 "folder": {
 "description": "The folder that is the target of the query.",
diff --git a/events/discovery/inventory_info.json b/events/discovery/inventory_info.json
index e9726a69c..3666e9e8a 100644
--- a/events/discovery/inventory_info.json
+++ b/events/discovery/inventory_info.json
@@ -4,6 +4,7 @@
 "description": "Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.",
 "extends": "discovery",
 "name": "inventory_info",
+ "family": "Inventory",
 "attributes": {
 "actor": {
 "group": "context",
diff --git a/events/discovery/job_query.json b/events/discovery/job_query.json
index 7c21be81c..71029ebfa 100644
--- a/events/discovery/job_query.json
+++ b/events/discovery/job_query.json
@@ -4,6 +4,7 @@
 "description": "Job Query events report information about scheduled jobs.",
 "extends": "discovery_result",
 "name": "job_query",
+ "family": "Query",
 "attributes": {
 "job": {
 "group": "primary",
diff --git a/events/discovery/kernel_object_query.json b/events/discovery/kernel_object_query.json
index 73faae79a..64f33bc18 100644
--- a/events/discovery/kernel_object_query.json
+++ b/events/discovery/kernel_object_query.json
@@ -4,6 +4,7 @@
 "description": "Kernel Object Query events report information about discovered kernel resources.",
 "extends": "discovery_result",
 "name": "kernel_object_query",
+ "family": "Query",
 "attributes": {
 "kernel": {
 "description": "The kernel object that pertains to the event.",
diff --git a/events/discovery/module_query.json b/events/discovery/module_query.json
index 1f9406be0..25eac1b49 100644
--- a/events/discovery/module_query.json
+++ b/events/discovery/module_query.json
@@ -4,6 +4,7 @@
 "description": "Module Query events report information about loaded modules.",
 "extends": "discovery_result",
 "name": "module_query",
+ "family": "Query",
 "attributes": {
 "module": {
 "group": "primary",
diff --git a/events/discovery/network_connection_query.json b/events/discovery/network_connection_query.json
index 18da1a607..6269c177c 100644
--- a/events/discovery/network_connection_query.json
+++ b/events/discovery/network_connection_query.json
@@ -4,6 +4,7 @@
 "description": "Network Connection Query events report information about active network connections.",
 "extends": "discovery_result",
 "name": "network_connection_query",
+ "family": "Query",
 "attributes": {
 "connection_info": {
 "group": "primary",
diff --git a/events/discovery/networks_query.json b/events/discovery/networks_query.json
index b486a2190..08d0d88b1 100644
--- a/events/discovery/networks_query.json
+++ b/events/discovery/networks_query.json
@@ -4,6 +4,7 @@
 "description": "Networks Query events report information about network adapters.",
 "extends": "discovery_result",
 "name": "networks_query",
+ "family": "Query",
 "attributes": {
 "network_interfaces": {
 "group": "primary",
diff --git a/events/discovery/osint_inventory_info.json b/events/discovery/osint_inventory_info.json
index 3b7c6feb9..5f2124ce8 100644
--- a/events/discovery/osint_inventory_info.json
+++ b/events/discovery/osint_inventory_info.json
@@ -4,6 +4,7 @@
 "description": "OSINT Inventory Info events report open source intelligence or threat intelligence inventory data that is either logged or proactively collected. For example, when collecting OSINT information from Threat Intelligence Platforms (TIPs) or Extended Detection and Response (XDR) platforms, or collecting data from OSINT or other generic threat intelligence and enrichment feeds such as APIs and datastores.",
 "extends": "discovery",
 "name": "osint_inventory_info",
+ "family": "Inventory",
 "attributes": {
 "actor": {
 "description": "The actor describes the process that was the source of the inventory activity. In the case of OSINT inventory data, that could be a particular process or script that is run to scrape the OSINT or threat intelligence data. For example, it could be a Python process that runs to pull data from a MISP or Shodan API.",
diff --git a/events/discovery/patch_state.json b/events/discovery/patch_state.json
index db0240c4a..d8c3f79e5 100644
--- a/events/discovery/patch_state.json
+++ b/events/discovery/patch_state.json
@@ -4,6 +4,7 @@
 "description": "Operating System Patch State reports the installation of an OS patch to a device and any associated knowledgebase articles.",
 "extends": "discovery",
 "name": "patch_state",
+ "family": "State",
 "attributes": {
 "$include": [
 "profiles/host.json"
diff --git a/events/discovery/peripheral_device_query.json b/events/discovery/peripheral_device_query.json
index bd0207e0d..482f3d8ca 100644
--- a/events/discovery/peripheral_device_query.json
+++ b/events/discovery/peripheral_device_query.json
@@ -4,6 +4,7 @@
 "description": "Peripheral Device Query events report information about peripheral devices.",
 "extends": "discovery_result",
 "name": "peripheral_device_query",
+ "family": "Query",
 "attributes": {
 "peripheral_device": {
 "group": "primary",
diff --git a/events/discovery/process_query.json b/events/discovery/process_query.json
index fbb9d9935..a3c557166 100644
--- a/events/discovery/process_query.json
+++ b/events/discovery/process_query.json
@@ -4,6 +4,7 @@
 "description": "Process Query events report information about running processes.",
 "extends": "discovery_result",
 "name": "process_query",
+ "family": "Query",
 "attributes": {
 "process": {
 "group": "primary",
diff --git a/events/discovery/service_query.json b/events/discovery/service_query.json
index 1b13784c7..71c32e1e6 100644
--- a/events/discovery/service_query.json
+++ b/events/discovery/service_query.json
@@ -4,6 +4,7 @@
 "description": "Service Query events report information about running services.",
 "extends": "discovery_result",
 "name": "service_query",
+ "family": "Query",
 "attributes": {
 "service": {
 "group": "primary",
diff --git a/events/discovery/session_query.json b/events/discovery/session_query.json
index 4293993b4..156e66e5a 100644
--- a/events/discovery/session_query.json
+++ b/events/discovery/session_query.json
@@ -4,6 +4,7 @@
 "description": "User Session Query events report information about existing user sessions.",
 "extends": "discovery_result",
 "name": "session_query",
+ "family": "Query",
 "attributes": {
 "session": {
 "group": "primary",
diff --git a/events/discovery/software_info.json b/events/discovery/software_info.json
index c0d9b6e54..d968b5683 100644
--- a/events/discovery/software_info.json
+++ b/events/discovery/software_info.json
@@ -4,6 +4,7 @@
 "description": "Software Inventory Info events report device software inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.",
 "extends": "discovery",
 "name": "software_info",
+ "family": "Inventory",
 "attributes": {
 "actor": {
 "group": "context",
diff --git a/events/discovery/startup_item_query.json b/events/discovery/startup_item_query.json
index 78e50ef43..d79d3fd82 100644
--- a/events/discovery/startup_item_query.json
+++ b/events/discovery/startup_item_query.json
@@ -4,6 +4,7 @@
 "extends": "discovery_result",
 "name": "startup_item_query",
 "uid": 22,
+ "family": "Query",
 "attributes": {
 "startup_item": {
 "group": "primary",
diff --git a/events/discovery/user_inventory.json b/events/discovery/user_inventory.json
index fcc11d16a..390d9402c 100644
--- a/events/discovery/user_inventory.json
+++ b/events/discovery/user_inventory.json
@@ -4,6 +4,7 @@
 "description": "User Inventory Info events report user inventory data that is either logged or proactively collected. For example, when collecting user information from Active Directory entries.",
 "extends": "discovery",
 "name": "user_inventory",
+ "family": "Inventory",
 "attributes": {
 "actor": {
 "description": "The actor describes the process that was the source of the inventory activity. In the case of user inventory data, that could be a particular process or script that is run to scrape the user data. For example, it could be a powershell process that runs to pull data from the Azure AD graph API.",
diff --git a/events/discovery/user_query.json b/events/discovery/user_query.json
index 4976adb1b..5c4d8efd6 100644
--- a/events/discovery/user_query.json
+++ b/events/discovery/user_query.json
@@ -4,6 +4,7 @@
 "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.",
 "extends": "discovery_result",
 "name": "user_query",
+ "family": "Query",
 "attributes": {
 "user": {
 "group": "primary",
diff --git a/metaschema/event.schema.json b/metaschema/event.schema.json
index ca634f5ad..2297316d0 100644
--- a/metaschema/event.schema.json
+++ b/metaschema/event.schema.json
@@ -33,6 +33,10 @@
 "type": "string",
 "description": "The category that the event belongs to."
 },
+ "family": {
+ "type:": "string",
+ "description": "The family or sub-category that the event belongs to, usually with a common suffix in its name."
+ },
 "uid": {
 "type": "integer",
 "description": "A unique identifier for this event, must be unique within the category.",
From 69327912bb9eb2dfee1c92ce0f99796293b5db77 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Wed, 20 Nov 2024 17:49:35 -0800
Subject: [PATCH 8/9] Reverted files from the email_update branch that were incorrectly added.

Signed-off-by: Paul Agbabian
---
 CHANGELOG.md | 4 ----
 dictionary.json | 23 -----------------------
 events/network/email_activity.json | 12 ++----------
 events/network/email_file_activity.json | 4 ----
 events/network/email_url_activity.json | 4 ----
 5 files changed, 2 insertions(+), 45 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fcb30c13e..800cde373 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -74,7 +74,6 @@ Thankyou! -->
 1. Added new `11: Basic Authentication` enum value to `auth_protocol_id`. #1239
 1. Added `values` as an array of `string_t`. #1251
 1. Added `kernel_release` as a `string_t`.
- 1. Added `domains` `files` `urls` and `message_trace_uid`. #1259
 * #### Objects
 1. Added `environment_variable` object. #1172
 1. Added `advisory` object. #1176
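Review bot: The new `family` property in metaschema/event.schema.json is declared with the key `"type:"` (trailing colon), which JSON Schema validators treat as an unknown keyword and ignore, so the metaschema does not actually constrain `family` to a string and a non-string or misspelled value in a class file would pass validation silently; it should read `"type": "string"`. Every value this series assigns is one of `Query`, `Inventory` or `State`, so if that set is meant to be closed, adding `"enum": ["Query", "Inventory", "State"]` would let the metaschema catch a typo in a class file instead of leaving it to review; if more families are expected, a free string with the value list spelled out in the `description` is the weaker fallback. The enclosing `properties` object starts and ends outside the hunk.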
@@ -93,7 +92,6 @@ Thankyou! -->
 1. Removed constraint from `group_management` class. #1193
 1. Added `Archived|5` as an enum item to `status_id` attribute in Findings classes. #1219
 1. Added a `Trace` `activity_id` to the `Email Activity` class. #1252
- 1. Added a `message_trace_uid` to the `Email Activity` class. #1259
 * #### Profiles
 1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178
 1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile. #1178
@@ -129,7 +127,6 @@ Thankyou! -->
 1. Added `hostname`, `ip`, and `name` to `resource_details` for purposes of assigning an Observable number. #1250
 1. Added `values` to `key_value_object`. #1251
 1. Added `kernel_release` to `os` object.
- 1. Added `domains` `files` `urls` to the `Email` object. Relaxed requirements on the `from` and `to` attributes and added the `at_least_one` constraint. #1259
 ### Bugfixes
 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180
@@ -146,7 +143,6 @@ Thankyou! -->
 1. Deprecated `imei` in favor of `imei_list` in `device` object. #1225
 1. Deprecated `data_classification` in favor of `data_classifications` in the `data_classification` profile. #1245
 1. Deprecated activity_id `4|Suppressed` in the Data Security Finding event class. This shouldn't have been added when we first created it, as the right place for this info is `status_id`. #1245
-1. Deprecated `email_file_activity` and `email_url_activity` in favor of updated `email_activity`. #1259
 ### Misc
 1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
diff --git a/dictionary.json b/dictionary.json
index b668abfcf..8639d8601 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -1781,12 +1781,6 @@
 "type": "domain_contact",
 "is_array": true
 },
- "domains": {
- "caption": "Domains",
- "description": "The domains that pertain to the event or object",
- "type": "string_t",
- "is_array": true
- },
 "driver": {
 "caption": "Kernel Driver",
 "description": "The driver that was loaded/unloaded into the kernel",
@@ -2089,12 +2083,6 @@
 "description": "The result of the file change. It should contain the new values of the changed attributes.",
 "type": "file"
 },
- "files": {
- "caption": "Files",
- "description": "The files that are part of the event or object",
- "type": "file",
- "is_array": true
- },
 "finding": {
 "caption": "Finding",
 "description": "The Finding object provides details about a finding/detection generated by a security tool.",
@@ -3095,11 +3083,6 @@
 "description": "The description of the event/finding, as defined by the source.",
 "type": "string_t"
 },
- "message_trace_uid": {
- "caption": "Message Trace UID",
- "description": "The identifier that tracks a message that travels through multiple points of a messaging service.",
- "type": "string_t"
- },
 "message_uid": {
 "caption": "Message UID",
 "description": "The email header Message-ID value, as defined by RFC 5322.",
@@ -5031,12 +5014,6 @@
 "description": "The URL string. See RFC 1738. For example: http://www.example.com/download/trouble.exe.",
 "type": "url_t"
 },
- "urls": {
- "caption": "URLs",
- "description": "The URLs that pertain to the event or object.",
- "type": "url",
- "is_array": true
- },
 "user": {
 "caption": "User",
 "description": "The user that pertains to the event or object.",
diff --git a/events/network/email_activity.json b/events/network/email_activity.json
index 5bc8b2444..f37bf43bb 100644
--- a/events/network/email_activity.json
+++ b/events/network/email_activity.json
@@ -2,7 +2,7 @@
 "uid": 9,
 "caption": "Email Activity",
 "category": "network",
- "description": "Email Activity events report SMTP protocol and email activities including those with embedded URLs and files. See the Email object for details.",
+ "description": "Email events report activities of emails.",
 "extends": "base_event",
 "name": "email_activity",
 "attributes": {
@@ -25,8 +25,7 @@
 },
 "4": {
 "caption": "Trace",
- "description": "Follow an email message as it travels through an organization. The message_trace_uid should be populated when selected.",
- "references": [{"url": "href='https://learn.microsoft.com/en-us/Exchange/monitoring/trace-an-email-message/message-trace-modern-eac", "description": "For example O365 Email Message Trace"}]
+ "description": "Follow an email message as it travels through an organization. For example: O365 Email Message Trace."
 }
 }
 },
@@ -83,13 +82,6 @@
 "group": "primary",
 "requirement": "recommended"
 },
- "email_uid": {
- "group": "primary"
- },
- "message_trace_uid": {
- "group": "primary",
- "requirement": "recommended"
- },
 "smtp_hello": {
 "description": "The value of the SMTP HELO or EHLO command sent by the initiator (client).",
 "group": "primary",
diff --git a/events/network/email_file_activity.json b/events/network/email_file_activity.json
index daf7a4cf8..f99953b37 100644
--- a/events/network/email_file_activity.json
+++ b/events/network/email_file_activity.json
@@ -5,10 +5,6 @@
 "description": "Email File Activity events report files within emails.",
 "extends": "base_event",
 "name": "email_file_activity",
- "@deprecated": {
- "message": "Use the Email Activity class with the email.files[] array instead.",
- "since": "1.3.0"
- },
 "attributes": {
 "$include": [
 "profiles/host.json",
diff --git a/events/network/email_url_activity.json b/events/network/email_url_activity.json
index 7386eef07..8877af62f 100644
--- a/events/network/email_url_activity.json
+++ b/events/network/email_url_activity.json
@@ -5,10 +5,6 @@
 "description": "Email URL Activity events report URLs within an email.",
 "extends": "base_event",
 "name": "email_url_activity",
- "@deprecated": {
- "message": "Use the Email Activity class with the email.urls[] array instead.",
- "since": "1.3.0"
- },
 "attributes": {
 "$include": [
 "profiles/host.json",
From 335dd6dbeb20f2abf750510c0e9bb18811b14cd2 Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Wed, 20 Nov 2024 17:51:33 -0800
Subject: [PATCH 9/9] Removed file from branch erroneously included in the commit.

Signed-off-by: Paul Agbabian
---
 objects/email.json | 26 +++----------------------
 1 file changed, 3 insertions(+), 23 deletions(-)

diff --git a/objects/email.json b/objects/email.json
index 79bfd768e..bb2fe88e9 100644
--- a/objects/email.json
+++ b/objects/email.json
@@ -1,7 +1,7 @@
 {
 "caption": "Email",
 "name": "email",
- "description": "The Email object describes the email metadata such as sender, recipients, and direction, and can include embedded URLs and files.",
+ "description": "The Email object describes the email metadata such as sender, recipients, and direction.",
 "references": [{"url": "https://d3fend.mitre.org/dao/artifact/d3f:Email/", "description": "D3FEND™ Ontology d3f:Email."}],
 "extends": "object",
 "observable": 22,
@@ -18,16 +18,8 @@
 "delivered_to": {
 "requirement": "optional"
 },
- "domains": {
- "requirement": "optional",
- "description": "The domain names that pertain to the email sender or recipients."
- },
- "files": {
- "requirement": "optional",
- "description": "The files embedded or attached to the email."
- },
 "from": {
- "requirement": "recommended"
+ "requirement": "required"
 },
 "http_headers": {
 "requirement": "optional"
@@ -57,11 +49,7 @@
 "requirement": "recommended"
 },
 "to": {
- "requirement": "recommended"
- },
- "urls": {
- "requirement": "optional",
- "description": "The URLs embedded in the email."
+ "requirement": "required"
 },
 "x_originating_ip": {
 "requirement": "optional"
@@ -71,13 +59,5 @@
 "description": "The email unique identifier.",
 "requirement": "recommended"
 }
- },
- "constraints": {
- "at_least_one": [
- "from",
- "to",
- "smtp_from",
- "smtp_to"
- ]
 }
 }