v1.4.0

@mikeradka mikeradka released this 31 Jan 18:22
41a4ac6

[v1.4.0] - January 31st, 2025

Added

  • Categories

    1. Added new Unmanned Systems Category. #1169
  • Event Classes

    1. Added OSINT Inventory Info event class to the Discovery category. #1154
    2. Added Script Activity event class to the System category. #1159
    3. Added Startup Item Query event class. #1119
    4. Added Drone Flights Activity event class to the Unmanned Systems category. #1169
    5. Added Cloud Resources Inventory Info event class to the Discovery category. #1250
    6. Added Airborne Broadcast Activity event class to the Unmanned Systems category. #1253
    7. Added Application Error event class to the Application Activity category. #1299
  • Profiles

    1. Added incident profile. #1293
  • Dictionary Attributes

    1. Added has_mfa as a boolean_t. #1155
    2. Added environment_variables as an array of environment_variable objects. #1172
    3. Added forward_addr as an email_t. #1179
    4. Added related_cves, related_cwes as arrays of cve, cwe objects respectively. #1176
    5. Added exploit_last_seen_time as a timestamp_t. #1176
    6. Added is_alert as a boolean_t. #1179
    7. Added working_directory as a string_t. #1195
    8. Added is_deleted as a boolean_t. #1196
    9. Added body_length as an integer_t. #1200
    10. Added is_public as a boolean_t. #1208
    11. Added tags, control_parameters as arrays of key_value_object objects. #1219
    12. Added community_uid as a string_t. #1202
    13. Added location to the managed_entity object. #1169
    14. Added unmanned_system_operator to the dictionary, extends user. #1169
    15. Added locations to the dictionary, an array type of the location object, used within the new operating_area object. #1169
    16. Added altitude_ceiling, altitude_floor, geodetic_altitude, aerial_height, horizontal_accuracy, pressure_altitude, radius, speed, track_direction, and vertical_speed all to support operating_area and unmanned_aerial_system objects. #1169
    17. Added imei_list as an array of string_t. #1225
    18. Added is_encrypted as boolean_t; column_name, cell_name, storage_class, key_uid, json_path as string_t & column_number, row_number, page_number, record_index_in_array as integer_t. #1245
    19. Added group_provisioning_enabled, scim_group_schema, user_provisioning_enabled, scim_user_schema, scopes, idle_timeout, login_endpoint, logout_endpoint, and metadata_url entries to the dictionary to support the new scim and sso objects. #1239
    20. Added new 11: Basic Authentication enum value to auth_protocol_id. #1239
    21. Added values as an array of string_t. #1251
    22. Added files, urls and message_trace_uid. #1259
    23. Added kernel_release as a string_t. #1249
    24. Added os_machine_uuid as a uuid_t. #1268
    25. Added sbom, author, related_component, relationship, relationship_id and software_component to support SBOMs. #1262
    26. Added related_events_count as an int_t. #1271
    27. Added event_uid as a string_t. #1312
    28. Added debug attribute as a string_t array, used in the metadata object. #1308
    29. Added ancestry as a list of process_entity. #1317
    30. Added internal_name as a string_t. #1322
    31. Added cc_mailboxes, from_mailbox, to_mailboxes, delivered_to_list and reply_to_mailboxes. #1307
    32. Added flag_history and bytes_missed attributes. #1316
  • Objects

    1. Added environment_variable object. #1172, #1288
    2. Added advisory object. #1176
    3. Added a generic key_value_object object. #1219
    4. Added unmanned_aerial_system and unmanned_system_operating_area objects. #1169
    5. Added a long_string object. #1228
    6. Added discovery_details, encryption_details, occurrence_details objects. #1245
    7. Added scim object. #1239
    8. Added sso object. #1239
    9. Added vendor_attributes object. #1257
    10. Added aircraft object. #1253
    11. Added software_component and sbom objects. #1262
    12. Added drive_type and drive_type_id objects. #1287
    13. Added cpu_architecture and cpu_architecture_id objects. #1278
    14. Added process_entity object. #1317

Improved

  • Event Classes

    1. Added evidences to compliance_finding class. #1157
    2. Added is_alert to detection_finding and data_security_finding classes. #1178
    3. Added risk_details to data_security_finding class. #1178
    4. Removed constraint from group_management class. #1193
    5. Added Archived|5 as an enum item to status_id attribute in Findings classes. #1219
    6. Added a Trace activity_id to the Email Activity class. #1252
    7. Added a message_trace_uid to the Email Activity class. #1259
    8. Added vendor_attributes to all Findings Category classes. #1257
    9. Added sbom to Software Inventory Info class. #1262
    10. Relaxed requirements on the dst_endpoint attribute in the network_activity event class and added an at_least_one constraint with src_endpoint and dst_endpoint. #1274
    11. Relaxed requirements on the http_request and http_response attributes in the http_activity event class and added an at_least_one constraint with these attributes. #1274
    12. Added host profile to base_event and removed this profile elsewhere in the event hierarchy. #1280
    13. Added the actor attribute to the IAM base event. #1280
    14. Added security_control profile to base_event and removed this profile elsewhere in the event hierarchy. #1281
    15. Added policies to Account Change class. #1282
    16. Added Unlock activity to account_change class. #1285
    17. Added incident profile to finding to affect classes that extend it. #1293
    18. Added keyboard_info object to RDP event class. #1313
    19. Added attributes and a new Activity ID to the File Hosting Activity class for network file share services and authorization check result. Activity ID added: 17 - "Access Check". Optional context group attributes added: access_list, access_mask, access_result, share, share_type, and share_type_id. #1315
    20. Added command and protocol_name to Email Activity event class. #1307
  • Profiles

    1. Added is_alert, confidence_id, confidence, confidence_score attributes to the security_control profile. #1178
    2. Added risk_level_id, risk_level, risk_score, risk_details attributes to the security_control profile. #1178
    3. Added policy attribute to the security_control profile. #1178
    4. Added 'Observed', 'Modified', and 'Unknown' enum values to action_id. #1265
    5. Updated action_id optionality to recommended in the security_control profile. #1281
  • Objects

    1. Added phone_number to user and ldap_person objects. #1155
    2. Added has_mfa to user object. #1155
    3. Added vendor_name to cvss object. #1165
    4. Added file, reputation, subnet, and script to osint object. #1168
    5. Added environment_variables attribute to the process object. #1172
    6. Added forward_addr to the user object. #1179
    7. Added src_url to the cvss object. #1176
    8. Added advisory, exploit_last_seen_time to the vulnerability object. #1176
    9. Added related_cwes to the cve object. #1176
    10. Added vendor_name and model to device object. #1188
    11. Added http_headers to email object. #1199
    12. Added working_directory to process object. #1195
    13. Added is_deleted to file object. #1196
    14. Added entry for VBA macros to type_id enum in script object. #1198
    15. Added body_length to the http_response and http_request objects. #1200
    16. Added is_public to the databucket object. #1208
    17. Added tags to the account, container, image, ldap_person, metadata, resource_details, service, web_resource objects. #1207
    18. Added domain as a constraint to network_endpoint object. #1224
    19. Added http_request and http_response to the evidences object. #1212
    20. Added control_parameters and status_details to the compliance object. #1219
    21. Added geodetic_altitude, height, horizontal_accuracy, and pressure_altitude to location. #1169
    22. Added location to managed_entity. #1169
    23. Added imei_list to the device object. #1225
    24. Added tls and ja4_fingerprint_list object to the evidences object. #1244
    25. Added storage_class & is_public as cloud profile attributes to file object. Also added is_encrypted, encryption_details, tags to the file object. #1245
    26. Added discovery_details, occurrence_details, status trio, total, uid, size, & src_url to the data_classification object. #1245
    27. data_bucket object now inherits resource_details instead of _entity. Also, added encryption_details object to the data_bucket object. #1245
    28. Added auth_factors, domain, fingerprint, has_mfa, issuer, protocol_name, scim, sso, state, state_id, tenant_uid, and uid to idp. #1239
    29. Added hostname, ip, and name to resource_details for purposes of assigning an Observable number. #1250
    30. Added values to key_value_object. #1251
    31. Added files, urls, to the email object. Relaxed requirements on the from and to attributes of the object and added the at_least_one constraint. #1259
    32. Added kernel_release to os object. #1249
    33. Added related_analytics to osint object. #1264
    34. Added os_machine_uuid to the device object. #1268
    35. Added uuid to the device_hw_info object. #1268
    36. unmanned_aerial_system now extends from aircraft. #1253
    37. Added references metadata for win/reg_key, win/reg_value, account, container, database, fingerprint, group, http_cookie, job, script objects. #1266
    38. Added cloud_partition to the cloud object. #1271
    39. Added product, related_events_count, uid_alt, tags to finding_info object. #1271
    40. Added count, created_time, desc, first_seen_time, last_seen_time, modified_time, product, severity, severity_id, tags & title to related_event object. #1271
    41. Added drive_type and drive_type_id to the file object. #1287
    42. Added cpu_architecture and cpu_architecture_id to device_hw_info object. #1278
    43. Added name to script object. #1284
    44. Relaxed the requirement on fingerprints in the certificate object. #1302
    45. Added event_uid to the logger object. #1312
    46. Added debug attribute to metadata object. #1308
    47. Added optional url attribute to the file object. This allows capturing a file's URL in the File Hosting Activity (6006) event class. #1289
    48. Changed the process object to extend the process_entity object. #1317
    49. Added ancestry to the process object. #1317
    50. Added internal_name to the file object. #1322
    51. Added cc_mailboxes, from_mailbox, to_mailboxes, delivered_to_list and reply_to_mailboxes to email object. #1307
    52. Added sans array to certificate object. #1325
    53. Added flag_history attribute to the network_connection_info object. #1316
    54. Added bytes_missed attribute to the network_traffic object. #1316

Bugfixes

  1. Added sibling definition to confidence_id in dictionary, accurately associating confidence as its sibling. #1180
  2. Added a fix (profile: null) to OSINT Inventory Info so that the osint attribute is present w/o the OSINT profile, per the class definition.
  3. Added http_response to all classes that have http_request, but no http_response object. #1200
  4. Removed redundant name attribute from Windows extension to the startup_item object for consistency with other extensions. #1203
  5. Changed activity_id requirement from optional to required in email_activity, email_file_activity and email_url_activity classes. #1307

Deprecated

  1. Deprecated project_uid in favor of account.uid. #1166
  2. Deprecated kb_article_list in favor of advisory in the vulnerability object. #1176
  3. Deprecated cwe in favor of related_cwes in the cve object. #1176
  4. Deprecated tag in favor of labels or tags in image & container object. #1207
  5. Deprecated status_detail in favor of status_details in compliance object. #1219
  6. Deprecated imei in favor of imei_list in device object. #1225
  7. Deprecated data_classification in favor of data_classifications in the data_classification profile. #1245
  8. Deprecated activity_id 4|Suppressed in the Data Security Finding event class. This shouldn't have been added when we first created it, as the right place for this info is status_id. #1245
  9. Deprecated email_file_activity and email_url_activity in favor of updated email_activity. #1259
  10. Deprecated package in Software Inventory Info in favor of sbom. #1262
  11. Deprecated product_uid in favor of the product object. #1271
  12. Deprecated policy in favor of policies in Account Change class. #1282
  13. Deprecated lineage in the process object. #1317
  14. Deprecated smtp_hello, smtp_from, smtp_to, delivered_to and reply_to in favor of command, from, to, delivered_to_list and reply_to_mailboxes respectively. #1307
  15. Deprecated tls.sans array in favor of added tls.certificate.sans array. #1325

Misc

  1. Added user.uid as an Observable type - type_id: 31. #1155
  2. Added group.name and group.uid as Observable types - type_id: 32 and type_id: 33, respectively. #1155
  3. Added account.name and account.uid as Observable types - type_id: 34 and type_id: 35, respectively. #1155
  4. Added new enumeration items to account.type_id. #1166
  5. Cleaned up event class definition files, removed /includes dir, simplified definition of base_event. #1167, #1171
  6. Added new file enum to osint.type_id. #1168
  7. Relaxed data-type constraints for file_hash_t, resource_uid_t & string_t. Fixed regex for datetime_t. #1174
  8. Added new Email Account enum to account.type_id. #1179
  9. Removed the regex for hostname_t, given the wide variance in its values. #1182
  10. In the metaschema, added support for additional metadata fields: source and references. #1189, #1237
    • The source attribute is a string for describing the location where an attribute's value comes from.
    • The references attribute is a list of objects with url and description fields, intended for links to external resources. The url and description attributes are used to construct anchor (a) tags: url becomes the anchor's href attribute, and description becomes the anchor text (the content of the tag).
    • The source field can be used in attributes defined anywhere in the schema, specifically:
      • Dictionary attributes
      • Event class attributes
      • Object attributes
      • Profile attributes
      • Enum values in all places where attributes occur (the 4 cases above)
    • The references field can also be used in attributes anywhere in the schema, as well as for event classes, objects, and enum values; specifically:
      • Dictionary attributes
      • Event class attributes
      • Object attributes
      • Profile attributes
      • Enum values in all places where attributes occur
      • Event classes; top level attribute allowing link(s) about an event class
      • Objects; top level attribute allowing link(s) about an object
    • The source and references attributes are also supported when extending or patching event classes and objects.
  11. Fixed minor spelling mistakes in attribute descriptions in dictionary.json. #1213
  12. In the metaschema, added support for @deprecated in enum values. #1237
  13. Fixed some more formatting of attribute descriptions in dictionary.json and idp.json. #1239
  14. Added resource_details.name as an Observable type - type_id: 38. #1250
  15. Added 3 new enums (Registry Value, Registry Key, Command Line) to osint.type_id and added TLP:WHITE to osint.tlp enums. #1264
  16. Relaxed attribute requirement for name in observables object; title in finding_info object. #1271
  17. Relaxed attribute requirement for vendor_name in the product object. #1300
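An added illustration of how the new metaschema metadata from items 10 and 12 above can appear on a dictionary.json attribute; this fragment is constructed for this page and is not taken from the OCSF repository. It assumes the attribute object shape used by OCSF dictionary entries (caption, description, type, enum) and the @deprecated object with message and since keys; the URLs, description strings and the deprecated enum value 99 are placeholders.

```json
{
  "attributes": {
    "auth_protocol_id": {
      "caption": "Auth Protocol ID",
      "description": "Constructed description: the normalized identifier of the authentication protocol.",
      "type": "integer_t",
      "source": "Constructed example: derived by the collector from the protocol name reported by the identity provider.",
      "references": [
        {
          "url": "https://example.com/placeholder/auth-protocols",
          "description": "Placeholder link; this text becomes the anchor text, the url becomes the href"
        }
      ],
      "enum": {
        "11": {
          "caption": "Basic Authentication",
          "references": [
            {
              "url": "https://example.com/placeholder/basic-auth",
              "description": "Placeholder link attached to a single enum value"
            }
          ]
        },
        "99": {
          "caption": "Placeholder Legacy Value",
          "@deprecated": {
            "message": "Constructed example of a deprecated enum value; not an actual OCSF value.",
            "since": "1.4.0"
          }
        }
      }
    }
  }
}
```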