
QDM 1.3.0 #24

Merged
merged 142 commits into from
Aug 27, 2024

Conversation

query-jeremy

@query-jeremy query-jeremy commented Aug 23, 2024

Query Data Model v1.3.0

This PR upgrades QDM's OCSF dependency to OCSF v1.3.0.

It also cherry-picks the following upstream OCSF issues that are slated for OCSF 1.4 (anticipated in November):

Included in the PR is the output of qdm-curator: a pickled Schema Patch, an updated ordering.pkl, and a new exported schema.json file.

It passes qdm-check:

 QDM Export Validator
======================

╔════════════════════╗
║ Must be valid JSON ║
╚════════════════════╝
The file must be parsable as JSON using json.loads().

  [SUCCESS] No findings

╔═══════════════════════════════════╗
║ Must match the expected structure ║
╚═══════════════════════════════════╝
There must be both events and objects, and each must match the expected
structure of the OCSF schema export. This means that required fields including
requirement, type, and caption must be present for each object, event, and
attribute. It also means that include directives should not be present, and any
extends directives should be a string rather than a list of strings.

  [SUCCESS] No findings

╔═════════════════════════════╗
║ Events must have Class UIDs ║
╚═════════════════════════════╝
Each event class must have a Class UID.

  [SUCCESS] No findings

╔════════════════════════════╗
║ Events must have Type UIDs ║
╚════════════════════════════╝
Each event class must have a valid Type UID enum.

  [SUCCESS] No findings

╔═════════╗
║ Summary ║
╚═════════╝
  [ ✓ PASS ] Must be valid JSON
  [ ✓ PASS ] Must match the expected structure
  [ ✓ PASS ] Events must have Class UIDs
  [ ✓ PASS ] Events must have Type UIDs
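
As an added example (not the qdm-check tool itself, nor any QDM or OCSF project code), a minimal Python re-implementation of the four rules the validator output above describes, run over a constructed two-item export. It assumes the export is keyed `events`/`objects`, that an event's Class UID is its `uid` field, and that a valid Type UID enum lists exactly `class_uid * 100 + activity_id` for each activity.

```python
import json
ATTR_KEYS = ("requirement", "type", "caption")  # per-attribute fields the validator requires

def validate_export(text: str) -> list[str]:
    """Apply the four qdm-check rules to a raw export; an empty list means every check passed."""
    try:
        export = json.loads(text)                           # Rule 1: must be valid JSON
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"]
    if not isinstance(export, dict):
        return ["top level must be a JSON object"]
    findings = []
    for section in ("events", "objects"):                   # Rule 2: expected structure
        items = export.get(section)
        if not isinstance(items, dict):
            findings.append(f"missing section: {section}")
            continue
        for name, item in items.items():
            if "caption" not in item:
                findings.append(f"{section}.{name}: missing caption")
            if "include" in item:                           # include directives must be resolved
                findings.append(f"{section}.{name}: include directive present")
            if "extends" in item and not isinstance(item["extends"], str):
                findings.append(f"{section}.{name}: extends must be a string")
            for aname, attr in item.get("attributes", {}).items():
                findings += [f"{section}.{name}.{aname}: missing {k}" for k in ATTR_KEYS if k not in attr]
    for name, ev in (export.get("events") or {}).items():
        if not isinstance(ev.get("uid"), int):              # Rule 3: Class UID (assumed key: `uid`)
            findings.append(f"events.{name}: missing class uid")
            continue
        attrs = ev.get("attributes", {})
        activities = attrs.get("activity_id", {}).get("enum") or {}
        expected = {str(ev["uid"] * 100 + int(a)) for a in activities}
        actual = set(attrs.get("type_uid", {}).get("enum") or {})
        if not actual or actual != expected:                # Rule 4: type_uid = class_uid*100 + activity_id (assumed)
            findings.append(f"events.{name}: type_uid enum {sorted(actual)} != {sorted(expected)}")
    return findings

# Constructed sample export (not real QDM output): one event class and one object.
GOOD = json.dumps({
    "events": {"network_activity": {"caption": "Network Activity", "uid": 4001, "extends": "network",
        "attributes": {
            "activity_id": {"requirement": "required", "type": "integer_t", "caption": "Activity ID",
                            "enum": {"0": {"caption": "Unknown"}, "1": {"caption": "Open"}, "99": {"caption": "Other"}}},
            "type_uid": {"requirement": "required", "type": "long_t", "caption": "Type ID",
                         "enum": {"400100": {"caption": "Unknown"}, "400101": {"caption": "Open"}, "400199": {"caption": "Other"}}}}}},
    "objects": {"endpoint": {"caption": "Endpoint",
        "attributes": {"ip": {"requirement": "recommended", "type": "ip_t", "caption": "IP Address"}}}}})
# Same export with two defects: `extends` given as a list, and one type_uid value off by one.
BAD = GOOD.replace('"extends": "network"', '"extends": ["network"]').replace('"400199"', '"400198"')
```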

mikeradka and others added 30 commits April 12, 2024 17:50
Signed-off-by: Michael Radka <mradka@splunk.com>
Signed-off-by: Michael Radka <mradka@splunk.com>
Update ext versions, add siblings
This addresses use-cases where the activity was an Update but
the changes were unable to be captured such as a new file.owner,
file.size, file.name, etc.
Signed-off-by: Michael Radka <mradka@splunk.com>
Signed-off-by: Rajas Panat <rajaspa@amazon.com>
[bugfix]: Adding "unknown" enum value to query_result_id
Fix grammar in status_detail desc/caption
Signed-off-by: Michael Radka <mradka@splunk.com>
[nonbreaking] Minor indentation fix for readability
Signed-off-by: Alan Pinkert <apinkert@cisco.com>
Clarify how to reference profiles in metadata
Signed-off-by: Rajas Panat <rajaspa@amazon.com>
… object

Signed-off-by: Rajas Panat <rajaspa@amazon.com>
…section

Signed-off-by: Rajas Panat <rajaspa@amazon.com>
Signed-off-by: Michael Radka <mradka@splunk.com>
…ction.

Signed-off-by: Dave McCormack <dmccorma@cisco.com>
Signed-off-by: Dave McCormack <dmccorma@cisco.com>
Signed-off-by: Dave McCormack <dmccorma@cisco.com>
Address gaps in Process Activity and Memory Activity wrt process injection.
dkolbly and others added 22 commits July 9, 2024 14:50
#### Related Issue: 

ocsf#1061 _Support linting of enum and sibling conventions_

#### Description of changes:

* Adds a `suppress_checks` option to the metaschema to configure turning
off certain linting rules
* Turns off those linting checks for places where we have violated the
conventions (there are about 3)
* Fixes `data_lifecycle_state_id` to follow the enum convention by
adding a 99 (Other) enumerand and articulating that _it_ should be used
for "other"

---------

Signed-off-by: Donovan Kolbly <donovan@rscheme.org>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
…sf#1137)

#### Related Issue: n/a

#### Description of changes:

1. Adding `credential_uid` as an observable type, type_id 19. 
2. Misc Changelog fixes

---------

Signed-off-by: Rajas Panat <rajaspa@amazon.com>
Signed-off-by: Rajas <89877409+floydtree@users.noreply.github.com>
Add USG-1 extension reservation @ 990.

---------

Signed-off-by: k2niner <120660286+k2niner@users.noreply.github.com>
#### Related Issue: 

[ocsf#1124](ocsf#1124)

#### Description of changes:

- Added the pre-existing `job` attribute to the `Evidence Artifacts`
object.
- Adjusted the `at_least_one` constraint in the object to include `job`.

Note that this approach is the same as that taken to fix other gaps in
the `Evidence Artifacts` object, e.g. PR ocsf#1078.

Signed-off-by: Dave McCormack <dmccorma@cisco.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
…csf#1144)

#### Related Issue: surfaced by @dkolbly in slack

#### Description of changes:
1. Fixing event class names in the Remediation category to avoid name
collision within the framework
2. No need for a changelog entry, this is fixing a new item added in
1.3.0-dev

Signed-off-by: Rajas Panat <rajaspa@amazon.com>
…t 4662 (ocsf#1114)

Adjust Entity Management class (3004) to be aligned with the fields that exist in
Windows event 4662 - “An operation was performed on an object”.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662

#### Related Issue: 
ocsf#1090

#### Description of changes:
We add the attributes access_list, access_mask.
![Screenshot 2024-06-04 at 15 50 27](https://github.com/ocsf/ocsf-schema/assets/100218904/5417d9a9-5956-441c-b173-437183875f49)


Signed-off-by: Eliraz Levi
[eliraz.levi@hunters.ai](mailto:eliraz.levi@hunters.ai)

Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
…nt of `src_endpoint` (ocsf#1147)

This adds support for representing a network endpoint listening for new
network connections on a network.

The listening network endpoint will always be the `dst_endpoint`, and
there is no `src_endpoint` because no network connection has been
established yet. Therefore `src_endpoint` is changed from required to
recommended.

The rationale behind using `Network Activity` is that when a data
consumer asks their data set for `Network Activity`, they will probably
be interested in things that are listening on the network even if there
wasn't a connection established yet.
This is in contrast to needing to ask the data set for a different event
type.

Signed-off-by: Mitchell Wasson <miwasson@cisco.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
…ee specific usage' in the description (ocsf#1146)

This change was a suggestion from @pagbabian-splunk in ocsf#1111 

After this PR, all enums that are defined in `dictionary.json` with only
the nominal values (0/99 or 99) also have 'See specific usage' in the
description.
The effect is that a warning will be generated by the OCSF server if
these attributes are used without overriding the description.

The process for these changes was:
- Decide if the attribute name is general enough to have other uses or
not.
- If the name is general enough, the definition in `dictionary.json`
only has 0/99 and 'See specific usage' is in description. The use of the
enum has the additional enum values and a description override.
- If the name is very specific, then the whole enum definition is now in
`dictionary.json` and the use of it only specifies optionality.

Signed-off-by: Mitchell Wasson <miwasson@cisco.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
Add two additional attributes for the Software Package object. In both
instances the pre-existing attribute is used to uniquely identify the
package. This can be useful when looking at Software Bill of Materials
(SBOM) inventory data.

#### Description of changes:
Add cpe_name attribute. Common Platform Enumeration (CPE) is used to
uniquely identify software packages.
Add hash attribute. A cryptographic hash is another common way to
identify software packages.

These changes pass local validation testing.

---------

Signed-off-by: Jason Reimer <jason.reimer@tanium.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
#### Related Issue: N/A

#### Description of changes:
Added a new object that encapsulates the `duration_avg_xx` attributes
with a `type_id` discriminator and a `just_one` constraint.

---------

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
Signed-off-by: pagbabian-splunk <pagbabian@symantec.com>
Co-authored-by: pagbabian-splunk <pagbabian@symantec.com>
#### Related Issue: N/A (from Slack)

#### Description of changes:
Added ip to the load_balancer object. Added Load Balancer to the
endpoint type_id enum list.

---------

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
Signed-off-by: pagbabian-splunk <pagbabian@symantec.com>
Signed-off-by: Rajas <89877409+floydtree@users.noreply.github.com>
Co-authored-by: pagbabian-splunk <pagbabian@symantec.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
#### Related Issue: 1148

ocsf#1148

#### Description of changes:

extending - enrichment by:

- time, recommended: The timestamp when the enrichment data was generated.
- desc, optional: A long description of the enrichment data.
- reputation, optional: The reputation of the enrichment data.
- short_desc, recommended: A short description of the enrichment data.
- url_string, recommended: The URL of the source of the enrichment data.

---------

Signed-off-by: Pavel Jurka <pavel.jurka@sentinelone.com>
Signed-off-by: Rajas <89877409+floydtree@users.noreply.github.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
ocsf#1150)

#### Related Issue: n/a

#### Description of changes:
1. Making `resources` available in Vuln Finding and Compliance Finding
event classes.
2. Deprecating `resource` attribute.
3. Fixing desc in Data Security Finding event class

---------

Signed-off-by: Rajas Panat <rajaspa@amazon.com>
Related Issue:
Missing enable/disable state Ids

Description of changes:
Added state IDs to Device Config State Change Class.

Signed-off-by: Sasha Selin (Cyrebro) (sasha.selin@cyrebro.io)

Following closed PR ocsf#1076 (ocsf#1076), I've created a new PR to add a
disable/enable state to the "device_config_state_change" class.

The state “disable/enable” is very common in FortiGate logs,
especially where subtype=”system” and action=”add”.
The “status” field in this type of log represents the “cfgattr”
(Configuration value changed) status.

Raw log for example:

<118>date=2024-05-01 time=11:43:38 devname="Test for OCSF"
devid="FG11256985563" eventtime=1714553018203018280 tz="+0300"
logid="0100044547" type="event" subtype="system" level="information"
vd="North" logdesc="Object attribute configured" user="SashaS"
ui="GUI(192.168.190.54)" action="Add" cfgtid=10691505
cfgpath="firewall.policy" cfgobj="136"
cfgattr="status[disable]srcintf[OCSF-Test]dstintf[OCSF-Test]srcaddr[Sasha-selin-ocsf-test]dstaddr[Sasha-selin]srcaddr6[]dstaddr6[]src-vendor-mac[]action[accept]schedule[always]service[RDP]groups[]users[]fsso-groups[]comments[
(Copy of 148)]custom-log-fields[]" msg="Add firewall.policy 136"


![image](https://github.com/user-attachments/assets/fcd7991a-aec8-4fe1-b511-3cc2173da6a8)

---------

Signed-off-by: SashaSelin <145011693+SashaSelin@users.noreply.github.com>
Signed-off-by: Rajas <89877409+floydtree@users.noreply.github.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
#### Related Issue: n/a Releasing 1.3.0

#### Description of changes:
1. Updating core and platform extension versions.
2. Updating Changelog.

---------

Signed-off-by: Rajas Panat <rajaspa@amazon.com>
Adds a `OSINT Inventory Info` event to the Discovery category to
represent retrieval of OSINT, CTI, and other enrichment data from TIPs,
XDRs, and other sources of OSINT/CTI

---------

Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
Expands the `user` object to add relevant data that comes from various
Identity Providers or Directories while keeping relevance with LDAP and
MITRE D3FEND.

- Add Observable `type_id` 31-35 for User UID, Group Name, Group UID,
Account Name, Account UID
- Add `phone_number` to `user` and to `ldap_person` - this attribute can
be assigned to both or one or the other depending on the upstream
system. For instance Entra ID or Okta
- ~~Add `state_id` and `state` to `user` to represent the various states
of a user record in a directory or IDP such as their provisioning
status, (de)activation. This is 1:1 with Okta with an extra `Deleted`
enum added for Google Workspace~~ Removed as ocsf#1136 already has a
solution
- Add `has_mfa` Boolean to Dictionary and `user` object as a quick way
to tell if a `user` has MFA/2FA enabled/assigned to them

---------

Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Co-authored-by: Rajas <89877409+floydtree@users.noreply.github.com>
… & deprecate `project_uid` (ocsf#1166)

#### Related Issue: 

#### Description of changes:

As per conversations with @floydtree and @zschmerber, some better
guidance and applicability of the existing `org` and `account` objects was
required to account for the various ways that logical
compartmentalization is defined in various public cloud and SaaS tools.

For instance, GCP has Org -> Folder -> Project, OCI has Domain ->
Tenancy -> Compartment, AWS has Org -> OU -> Account, and various SaaS
tools have high level compartmentalization such as Servicenow Instances,
M365 Tenants, Salesforce Accounts, etc.

- Deprecate `project_uid` as it was hyper-specific to GCP and doesn't
fit other CSPs or SaaS, removed `project_uid` from `cloud`.
- Update all descriptions within `org` and `account` to reflect the
applicability to CSP and SaaS platforms with more examples for mappers.
- Added several new `account.type_id` to reflect AWS Account-like
equivalents for Azure, GCP, OCI, Salesforce, M365, and Servicenow.
@@ -113,14 +108,14 @@
"affected_code": {
"caption": "Affected Code",
"description": "List of Affected Code objects that describe details about code blocks identified as vulnerable.",
"is_array": true,
"type": "affected_code"
"type": "affected_code",
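Review bot: the only visible change in this hunk is the trailing comma added to `"type": "affected_code",`, which means a new key is being appended after `type`; the keys shown above it (`caption`, `description`, `is_array`, `type`) are in alphabetical order, so consider inserting the new key in its sorted position, or state the key-ordering convention used for attributes so the exported file stays consistent to diff and review.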


I wish all keys were alphabetically sorted. The change has alphabetical sorting for event names but not attributes.


@srotsinha srotsinha left a comment


Looks good. There are no additions in archive which makes this upgrade easier. I have not run codegen with export but this PR can be merged irrespectively.

# Any matching paths below will be deprecated in the schema patch. They will
# be preserved in the new schema, but with an @deprecated annotation.
deprecate = [
#"events.email_delivery_activity.*",
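Review bot: the `deprecate` list keeps `events.email_delivery_activity.*` only as a commented-out entry, so a later reader cannot tell whether that class is still meant to be deprecated; either delete the line if the class no longer needs deprecating, or add a one-line comment saying why the entry is kept but disabled.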


We can safely remove email_delivery_activity since it has been updated to EmailActivity in all the drivers.

@query-jeremy query-jeremy merged commit a371867 into main Aug 27, 2024
2 checks passed
@query-jeremy query-jeremy deleted the qdm_1.3.0 branch August 30, 2024 18:45