From 2aa379c6d07e18970e1b8e62d0442febdfdcb592 Mon Sep 17 00:00:00 2001 From: maxhotta Date: Thu, 4 Jan 2024 22:53:58 +0000 Subject: [PATCH 01/10] Porting the Scan event from the ICD schema. This event class describes command or user initiated scan activity. --- dictionary.json | 122 ++++++++++++++++++++++++++++++ events/application/scan.json | 142 +++++++++++++++++++++++++++++++++++ 2 files changed, 264 insertions(+) create mode 100644 events/application/scan.json diff --git a/dictionary.json b/dictionary.json index f3d3da359..c180b01d1 100644 --- a/dictionary.json +++ b/dictionary.json @@ -855,6 +855,11 @@ "is_array": true, "type": "string_t" }, + "command_uid": { + "caption": "Command UID", + "description": "The unique command identifier.", + "type": "string_t" + }, "comment": { "caption": "Comment", "description": "The user-provided comment.", 
@@ -2253,6 +2258,56 @@ "is_array": true, "type": "string_t" }, + "num_detections": { + "caption": "Detections", + "description": "The number of detections.", + "type": "integer_t" + }, + "num_files": { + "caption": "Scanned Files", + "description": "The number of files scanned.", + "type": "integer_t" + }, + "num_folders": { + "caption": "Scanned Folders", + "description": "The number of folders scanned.", + "type": "integer_t" + }, + "num_network": { + "caption": "Scanned Network Items", + "description": "The number of network items scanned.", + "type": "integer_t" + }, + "num_processes": { + "caption": "Scanned Processes", + "description": "The number of processes scanned.", + "type": "integer_t" + }, + "num_registry": { + "caption": "Scanned Registry Items", + "description": "The number of registry items scanned.", + "type": "integer_t" + }, + "num_resolutions": { + "caption": "Resolutions", + "description": "The number of items that were resolved.", + "type": "integer_t" + }, + "num_skipped": { + "caption": "Skipped", + "description": "The number of skipped items.", + "type": "integer_t" + }, + "num_trusted": { + "caption": "Trusted", + "description": "The number of trusted items.", + "type": "integer_t" + }, + "num_violations": { + "caption": "Violations", + "description": "The number of times the policy or rule was violated.", + "type": "integer_t" + }, "observables": { "caption": "Observables", "description": "The observables associated with the event or a finding.", 
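Review bot: `num_violations` is added to the dictionary in this hunk, but the scan class created in the same patch references every other new `num_*` attribute and never this one, so the entry appears to be unused; either reference it from the class or drop it, since an attribute nothing references is dead weight and, depending on the validator, may be reported. The `num_resolutions` description, `"The number of items that were resolved."`, also does not say what was resolved, while the class description in this patch speaks of "the number of detections that were resolved"; `"description": "The number of detections that were resolved."` keeps the two consistent. The enclosing dictionary object starts and ends outside the hunk.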
@@ -2913,6 +2968,68 @@ "description": "The numeric scale factor of display.", "type": "integer_t" }, + "scan_name": { + "caption": "Scan Name", + "description": "The administrator-supplied or application-generated name of the scan. For example:", + "type": "string_t" + }, + "scan_type": { + "caption": "Scan Type", + "description": "The type of scan.", + "type": "string_t" + }, + "scan_type_id": { + "description": "The type id of scan.", + "enum": { + "0": { + "caption": "Unknown" + }, + "1": { + "description": "The scan was manually initiated by the user or administrator.", + "caption": "Manual" + }, + "2": { + "description": "The scan was started based on scheduler.", + "caption": "Scheduled" + }, + "3": { + "description": "The scan was triggered by a content update.", + "caption": "Updated Definitions" + }, + "4": { + "description": "The scan was triggered by newly quarantined items.", + "caption": "Quarantined Items" + }, + "5": { + "description": "The scan was triggered by the attachment of removable media.", + "caption": "Attached Media" + }, + "6": { + "description": "The scan was started due to a user logon.", + "caption": "User Logon" + }, + "7": { + "description": "The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.", + "caption": "ELAM" + }, + "99": { + "caption": "Other", + "description": "The scan type id is not mapped. See the scan_type attribute, which contains a data source specific value." + } + }, + "sibling": "scan_type", + "type": "integer_t" + }, + "scan_uid": { + "caption": "Scan UID", + "description": "The unique identifier of a scan job.", + "type": "string_t" + }, + "schedule_uid": { + "caption": "Schedule UID", + "description": "The unique identifier of the schedule associated with a scan job.", + "type": "string_t" + }, "scheme": { "caption": "Scheme", "description": "The scheme portion of the URL. For example: http, https, ftp, or sftp.", 
@@ -3406,6 +3523,11 @@
 "is_array": true,
 "type": "email_t"
 },
+ "total": {
+ "caption": "Total",
+ "description": "The total number of items. See specific usage.",
+ "type": "integer_t"
+ },
 "traffic": {
 "caption": "Traffic",
 "description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
diff --git a/events/application/scan.json b/events/application/scan.json
new file mode 100644
index 000000000..cbc967bf1
--- /dev/null
+++ b/events/application/scan.json
@@ -0,0 +1,142 @@ +{ + "caption": "Scan Activity", + "category": "application", + "description": "Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.", + "extends": "base_event", + "name": "scan", + "profiles": [ + "host" + ], + "uid": 7, + "attributes": { + "$include": [ + "profiles/host.json" + ], + "command_uid": { + "description": "The command identifier that is associated with this scan event; required if the scan was initiated by a command.", + "group": "primary", + "requirement": "recommended" + }, + "activity_id": { + "enum": { + "1": { + "caption": "Started" + }, + "2": { + "caption": "Completed" + }, + "3": { + "caption": "Cancelled" + }, + "4": { + "description": "The allocated scan time was insufficient to complete the requested scan.", + "caption": "Duration Violation" + }, + "5": { + "description": "The scan was paused, either by the user or by program constraints (e.g. 
scans that are suspended during certain time intervals), and not resumed within the allotted time.", + "caption": "Pause Violation" + }, + "6": { + "description": "The scan could not be completed due to an internal error.", + "caption": "Error" + }, + "7": { + "caption": "Paused" + }, + "8": { + "description": "The scan was resumed from the pause point.", + "caption": "Resumed" + }, + "9": { + "description": "The scan restarted from the beginning of the file enumeration.", + "caption": "Restarted" + }, + "10": { + "description": "The user delayed the scan.", + "caption": "Delayed" + } + } + }, + "duration": { + "description": "The duration of the scan", + "requirement": "recommended" + }, + "end_time": { + "description": "The end time of the scan job.", + "requirement": "recommended" + }, + "name": { + "description": "The name of the scan job.", + "group": "primary", + "requirement": "required" + }, + "num_detections": { + "group": "primary", + "requirement": "recommended" + }, + "num_files": { + "group": "primary", + "requirement": "recommended" + }, + "num_folders": { + "group": "primary", + "requirement": "recommended" + }, + "num_network": { + "group": "primary", + "requirement": "recommended" + }, + "num_processes": { + "group": "primary", + "requirement": "recommended" + }, + "num_registry": { + "group": "primary", + "requirement": "recommended" + }, + "num_resolutions": { + "group": "primary", + "requirement": "recommended" + }, + "num_skipped": { + "group": "primary", + "requirement": "recommended" + }, + "num_trusted": { + "group": "primary", + "requirement": "recommended" + }, + "policy": { + "description": "The policy associated with this Scan event; required if the scan was initiated by a policy.", + "group": "primary", + "requirement": "recommended" + }, + "schedule_uid": { + "group": "primary", + "requirement": "recommended" + }, + "start_time": { + "description": "The start time of the scan job.", + "requirement": "recommended" + }, + "total": { + 
"description": "The total number of items that were scanned; zero if no items were scanned.", + "group": "primary", + "requirement": "recommended" + }, + "scan_type": { + "group": "primary", + "requirement": "optional" + }, + "scan_type_id": { + "group": "primary", + "requirement": "required" + }, + "uid": { + "description": "The unique identifier of the scan job.", + "group": "primary", + "caption": "Scan UID", + "requirement": "required" + } + } +} \ No newline at end of file From 4d3ae7c6a011e7dcb3ebf8367551141e8c787ff1 Mon Sep 17 00:00:00 2001 From: maxhotta Date: Thu, 4 Jan 2024 23:01:48 +0000 Subject: [PATCH 02/10] corrected the scan name attribute --- events/application/scan.json | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/events/application/scan.json b/events/application/scan.json index cbc967bf1..9d5a0046c 100644 --- a/events/application/scan.json +++ b/events/application/scan.json @@ -65,11 +65,6 @@ "description": "The end time of the scan job.", "requirement": "recommended" }, - "name": { - "description": "The name of the scan job.", - "group": "primary", - "requirement": "required" - }, "num_detections": { "group": "primary", "requirement": "recommended" @@ -111,6 +106,10 @@ "group": "primary", "requirement": "recommended" }, + "scan_name": { + "group": "primary", + "requirement": "recommended" + }, "schedule_uid": { "group": "primary", "requirement": "recommended" From 0dd7c437d74586dae5794db657742590efc756c5 Mon Sep 17 00:00:00 2001 From: maxhotta Date: Thu, 4 Jan 2024 23:11:50 +0000 Subject: [PATCH 03/10] Try to address failed validation --- dictionary.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dictionary.json b/dictionary.json index c180b01d1..615c65d11 100644 --- a/dictionary.json +++ b/dictionary.json @@ -2970,7 +2970,7 @@ }, "scan_name": { "caption": "Scan Name", - "description": "The administrator-supplied or application-generated name of the scan. For example:
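Review bot: The `policy` attribute in the new scan.json says the policy is "required if the scan was initiated by a policy" while its `requirement` is `recommended`; the schema has no conditional requirement level, so the text contradicts the declared level and a consumer cannot rely on either. Prefer `"description": "The policy associated with this scan event, when the scan was initiated by a policy."` and keep `recommended`, or declare the attribute `required`. The `duration` override, `"The duration of the scan"`, lacks a terminal period and does not restate the unit the dictionary's `duration` uses (not visible in this patch), which is where a consumer would look for it. The class `uid` of 7 must be unique within the application category, which cannot be verified from the patch alone, and the file ends without a trailing newline (`\ No newline at end of file`).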
  • \"Home office weekly user database scan\"
  • \"Scan folders for viruses\"
  • \"Full system virus scan\"
", + "description": "The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"", "type": "string_t" }, "scan_type": { From 824e8b31209aefd0968c5d1dd638b69acfc855c7 Mon Sep 17 00:00:00 2001 From: maxhotta Date: Tue, 9 Jan 2024 00:36:54 +0000 Subject: [PATCH 04/10] Address failed validation --- dictionary.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dictionary.json b/dictionary.json index 615c65d11..6cb3afd50 100644 --- a/dictionary.json +++ b/dictionary.json @@ -2979,7 +2979,8 @@ "type": "string_t" }, "scan_type_id": { - "description": "The type id of scan.", + "caption": "Scan Type ID", + "description": "The type id of the scan.", "enum": { "0": { "caption": "Unknown" From bc6bafe202f0c39de684831a9d544c041e92970a Mon Sep 17 00:00:00 2001 From: maxhotta Date: Thu, 11 Jan 2024 00:27:52 +0000 Subject: [PATCH 05/10] Addressing feedback --- events/application/scan.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/events/application/scan.json b/events/application/scan.json index 9d5a0046c..590ee6e8d 100644 --- a/events/application/scan.json +++ b/events/application/scan.json @@ -3,7 +3,7 @@ "category": "application", "description": "Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.", "extends": "base_event", - "name": "scan", + "name": "scan_activity", "profiles": [ "host" ], @@ -20,12 +20,15 @@ "activity_id": { "enum": { "1": { + "description": "The scan was started.", "caption": "Started" }, "2": { + "description": "The scan was completed.", "caption": "Completed" }, "3": { + "description": "The scan was cancelled.", "caption": "Cancelled" }, "4": { @@ -41,6 +44,7 @@ "caption": "Error" }, "7": { + "description": "The scan was paused.", "caption": "Paused" }, "8": { 
From 7275497cae8579c16b71e1d0dd70d6778d814686 Mon Sep 17 00:00:00 2001
From: maxhotta
Date: Thu, 11 Jan 2024 00:57:08 +0000
Subject: [PATCH 06/10] Clarify the difference between command_uid and uid for scan events
---
 events/application/scan.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/events/application/scan.json b/events/application/scan.json
index 590ee6e8d..a6aa98003 100644
--- a/events/application/scan.json
+++ b/events/application/scan.json
@@ -13,7 +13,7 @@
 "profiles/host.json"
 ],
 "command_uid": {
- "description": "The command identifier that is associated with this scan event; required if the scan was initiated by a command.",
+ "description": "The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.",
 "group": "primary",
 "requirement": "recommended"
 },
@@ -136,7 +136,7 @@
 "requirement": "required"
 },
 "uid": {
- "description": "The unique identifier of the scan job.",
+ "description": "The application-defined unique identifier assigned to an instance of a scan.",
 "group": "primary",
 "caption": "Scan UID",
 "requirement": "required"
From e5bd37377cd65944dfcca9bb78f7ee4c13deac7b Mon Sep 17 00:00:00 2001
From: maxhotta
Date: Fri, 12 Jan 2024 05:06:12 +0000
Subject: [PATCH 07/10] Use scan_uid for the per-scan unique identifier.
---
 events/application/scan.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/events/application/scan.json b/events/application/scan.json
index a6aa98003..bc1f9d29e 100644
--- a/events/application/scan.json
+++ b/events/application/scan.json
@@ -135,7 +135,7 @@
 "group": "primary",
 "requirement": "required"
 },
- "uid": {
+ "scan_uid": {
 "description": "The application-defined unique identifier assigned to an instance of a scan.",
 "group": "primary",
 "caption": "Scan UID",
From c3cc96eaeb77f988b9b02359f9e2f78983ae0587 Mon Sep 17 00:00:00 2001
From: maxhotta
Date: Wed, 17 Jan 2024 01:36:07 +0000
Subject: [PATCH 08/10] Moved scan attributes into its own object. Renamed fields for consistency.
---
 dictionary.json | 69 +++++-------------------------------
 events/application/scan.json | 27 ++++----------
 objects/scan.json | 68 +++++++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+), 81 deletions(-)
 create mode 100644 objects/scan.json
diff --git a/dictionary.json b/dictionary.json
index 6cb3afd50..81dbd643a 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -2273,7 +2273,7 @@
 "description": "The number of folders scanned.",
 "type": "integer_t"
 },
- "num_network": {
+ "num_network_items": {
 "caption": "Scanned Network Items",
 "description": "The number of network items scanned.",
 "type": "integer_t"
@@ -2283,7 +2283,7 @@
 "description": "The number of processes scanned.",
 "type": "integer_t"
 },
- "num_registry": {
+ "num_registry_items": {
 "caption": "Scanned Registry Items",
 "description": "The number of registry items scanned.",
 "type": "integer_t"
@@ -2293,12 +2293,12 @@
 "description": "The number of items that were resolved.",
 "type": "integer_t"
 },
- "num_skipped": {
+ "num_skipped_items": {
 "caption": "Skipped",
 "description": "The number of skipped items.",
 "type": "integer_t"
 },
- "num_trusted": {
+ "num_trusted_items": {
 "caption": "Trusted",
 "description": "The number of trusted items.",
 "type": "integer_t"
@@ -2968,63 +2968,10 @@ "description": "The numeric scale factor of display.", "type": "integer_t" }, - "scan_name": { - "caption": "Scan Name", - "description": "The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"", - "type": "string_t" - }, - "scan_type": { - "caption": "Scan Type", - "description": "The type of scan.", - "type": "string_t" - }, - "scan_type_id": { - "caption": "Scan Type ID", - "description": "The type id of the scan.", - "enum": { - "0": { - "caption": "Unknown" - }, - "1": { - "description": "The scan was manually initiated by the user or administrator.", - "caption": "Manual" - }, - "2": { - "description": "The scan was started based on scheduler.", - "caption": "Scheduled" - }, - "3": { - "description": "The scan was triggered by a content update.", - "caption": "Updated Definitions" - }, - "4": { - "description": "The scan was triggered by newly quarantined items.", - "caption": "Quarantined Items" - }, - "5": { - "description": "The scan was triggered by the attachment of removable media.", - "caption": "Attached Media" - }, - "6": { - "description": "The scan was started due to a user logon.", - "caption": "User Logon" - }, - "7": { - "description": "The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.", - "caption": "ELAM" - }, - "99": { - "caption": "Other", - "description": "The scan type id is not mapped. See the scan_type attribute, which contains a data source specific value." - } - }, - "sibling": "scan_type", - "type": "integer_t" - }, - "scan_uid": { - "caption": "Scan UID", - "description": "The unique identifier of a scan job.", - "type": "string_t" + "scan": { + "caption": "Scan", + "description": "The Scan object describes characteristics of a scan. See specific usage.", + "type": "scan" }, "schedule_uid": { "caption": "Schedule UID", 
diff --git a/events/application/scan.json b/events/application/scan.json index bc1f9d29e..a2b74cc6f 100644 --- a/events/application/scan.json +++ b/events/application/scan.json @@ -81,7 +81,7 @@ "group": "primary", "requirement": "recommended" }, - "num_network": { + "num_network_items": { "group": "primary", "requirement": "recommended" }, @@ -89,7 +89,7 @@ "group": "primary", "requirement": "recommended" }, - "num_registry": { + "num_registry_items": { "group": "primary", "requirement": "recommended" }, @@ -97,11 +97,11 @@ "group": "primary", "requirement": "recommended" }, - "num_skipped": { + "num_skipped_items": { "group": "primary", "requirement": "recommended" }, - "num_trusted": { + "num_trusted_items": { "group": "primary", "requirement": "recommended" }, @@ -110,9 +110,10 @@ "group": "primary", "requirement": "recommended" }, - "scan_name": { + "scan": { + "description": "The Scan object describes characteristics of the scan job.", "group": "primary", - "requirement": "recommended" + "requirement": "required" }, "schedule_uid": { "group": "primary", @@ -126,20 +127,6 @@ "description": "The total number of items that were scanned; zero if no items were scanned.", "group": "primary", "requirement": "recommended" - }, - "scan_type": { - "group": "primary", - "requirement": "optional" - }, - "scan_type_id": { - "group": "primary", - "requirement": "required" - }, - "scan_uid": { - "description": "The application-defined unique identifier assigned to an instance of a scan.", - "group": "primary", - "caption": "Scan UID", - "requirement": "required" } } } \ No newline at end of file diff --git a/objects/scan.json b/objects/scan.json new file mode 100644 index 000000000..9d0f2151e --- /dev/null +++ b/objects/scan.json 
@@ -0,0 +1,68 @@ +{ + "caption": "Scan", + "description": "The Scan object describes characteristics of a proactive scan.", + "extends": "object", + "name": "scan", + "attributes": { + "name": { + "description": "The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"", + "group": "primary", + "requirement": "recommended" + }, + "type": { + "description": "The type of scan.", + "group": "primary", + "requirement": "optional" + }, + "type_id": { + "description": "The type id of the scan.", + "group": "primary", + "requirement": "required", + "enum": { + "0": { + "caption": "Unknown" + }, + "1": { + "description": "The scan was manually initiated by the user or administrator.", + "caption": "Manual" + }, + "2": { + "description": "The scan was started based on scheduler.", + "caption": "Scheduled" + }, + "3": { + "description": "The scan was triggered by a content update.", + "caption": "Updated Definitions" + }, + "4": { + "description": "The scan was triggered by newly quarantined items.", + "caption": "Quarantined Items" + }, + "5": { + "description": "The scan was triggered by the attachment of removable media.", + "caption": "Attached Media" + }, + "6": { + "description": "The scan was started due to a user logon.", + "caption": "User Logon" + }, + "7": { + "description": "The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.", + "caption": "ELAM" + }, + "99": { + "caption": "Other", + "description": "The scan type id is not mapped. See the type attribute, which contains a data source specific value." + } + }, + "sibling": "type", + "type": "integer_t" + }, + "uid": { + "description": "The application-defined unique identifier assigned to an instance of a scan.", + "group": "primary", + "caption": "Scan UID", + "requirement": "required" + } + } +} From 99288d3b16a47ea31c0366f34bef07d3d2dd98ac Mon Sep 17 00:00:00 2001 
From: maxhotta
Date: Wed, 17 Jan 2024 01:41:34 +0000
Subject: [PATCH 09/10] Renamed the scan activity class for consistency.
---
 events/application/{scan.json => scan_activity.json} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename events/application/{scan.json => scan_activity.json} (100%)
diff --git a/events/application/scan.json b/events/application/scan_activity.json
similarity index 100%
rename from events/application/scan.json
rename to events/application/scan_activity.json
From 5d7a82ecaf5a9162fb88eafcdd5e4df0532219c8 Mon Sep 17 00:00:00 2001
From: maxhotta
Date: Wed, 17 Jan 2024 18:16:40 +0000
Subject: [PATCH 10/10] Addressed more feedback: use entity as the base, clarify text associated with content updates
---
 objects/scan.json | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/objects/scan.json b/objects/scan.json
index 9d0f2151e..d6d902601 100644
--- a/objects/scan.json
+++ b/objects/scan.json
@@ -1,22 +1,18 @@
 {
 "caption": "Scan",
 "description": "The Scan object describes characteristics of a proactive scan.",
- "extends": "object",
+ "extends": "_entity",
 "name": "scan",
 "attributes": {
 "name": {
- "description": "The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"",
- "group": "primary",
- "requirement": "recommended"
+ "description": "The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\""
 },
 "type": {
 "description": "The type of scan.",
- "group": "primary",
 "requirement": "optional"
 },
 "type_id": {
 "description": "The type id of the scan.",
- "group": "primary",
 "requirement": "required",
 "enum": {
 "0": {
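Review bot: Switching the base to `_entity` and deleting the explicit `requirement` from `name` in this hunk, and from `uid` in the following hunk, means both now inherit whatever level `_entity` declares, which is not visible in this patch; `uid` was declared `required` in every earlier revision of this series and the event's `scan` attribute is itself required, so the identifier that correlates the Started/Completed/Paused activities of one scan may have silently become optional. If that is not intended, keep `"requirement": "required"` on `uid` (and `"requirement": "recommended"` on `name`) rather than relying on the inherited level. `type` and `type_id` still carry explicit levels, so the object is now inconsistent about which attributes state a requirement and which inherit one.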
@@ -32,7 +28,7 @@
 },
 "3": {
 "description": "The scan was triggered by a content update.",
- "caption": "Updated Definitions"
+ "caption": "Updated Content"
 },
 "4": {
 "description": "The scan was triggered by newly quarantined items.",
@@ -60,9 +56,7 @@
 },
 "uid": {
 "description": "The application-defined unique identifier assigned to an instance of a scan.",
- "group": "primary",
- "caption": "Scan UID",
- "requirement": "required"
+ "caption": "Scan UID"
 }
 }
 }