
Porting the Scan event from the ICD schema. #915

Merged
merged 10 commits into from
Jan 19, 2024
70 changes: 70 additions & 0 deletions dictionary.json
Expand Up @@ -855,6 +855,11 @@
"is_array": true,
"type": "string_t"
},
"command_uid": {
"caption": "Command UID",
"description": "The unique command identifier.",
"type": "string_t"
},
"comment": {
"caption": "Comment",
"description": "The user-provided comment.",
Expand Down Expand Up @@ -2253,6 +2258,56 @@
"is_array": true,
"type": "string_t"
},
"num_detections": {
"caption": "Detections",
"description": "The number of detections.",
"type": "integer_t"
},
"num_files": {
"caption": "Scanned Files",
"description": "The number of files scanned.",
"type": "integer_t"
},
"num_folders": {
"caption": "Scanned Folders",
"description": "The number of folders scanned.",
"type": "integer_t"
},
"num_network_items": {
"caption": "Scanned Network Items",
"description": "The number of network items scanned.",
"type": "integer_t"
},
"num_processes": {
"caption": "Scanned Processes",
"description": "The number of processes scanned.",
"type": "integer_t"
},
"num_registry_items": {
"caption": "Scanned Registry Items",
"description": "The number of registry items scanned.",
"type": "integer_t"
},
"num_resolutions": {
"caption": "Resolutions",
"description": "The number of items that were resolved.",
"type": "integer_t"
},
"num_skipped_items": {
"caption": "Skipped",
"description": "The number of skipped items.",
"type": "integer_t"
},
"num_trusted_items": {
"caption": "Trusted",
"description": "The number of trusted items.",
"type": "integer_t"
},
"num_violations": {
"caption": "Violations",
"description": "The number of times the policy or rule was violated.",
"type": "integer_t"
},
"observables": {
"caption": "Observables",
"description": "The observables associated with the event or a finding.",
Expand Down Expand Up @@ -2913,6 +2968,16 @@
"description": "The numeric scale factor of display.",
"type": "integer_t"
},
"scan": {
"caption": "Scan",
"description": "The Scan object describes characteristics of a scan. See specific usage.",
"type": "scan"
},
"schedule_uid": {
"caption": "Schedule UID",
"description": "The unique identifier of the schedule associated with a scan job.",
"type": "string_t"
},
"scheme": {
"caption": "Scheme",
"description": "The scheme portion of the URL. For example: <code>http</code>, <code>https</code>, <code>ftp</code>, or <code>sftp</code>.",
Expand Down Expand Up @@ -3406,6 +3471,11 @@
"is_array": true,
"type": "email_t"
},
"total": {
"caption": "Total",
"description": "The total number of items. See specific usage.",
"type": "integer_t"
},
"traffic": {
"caption": "Traffic",
"description": "The network traffic refers to the amount of data moving across a network at a given point of time. Intended to be used alongside Network Connection.",
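Review bot: `num_violations` in the second dictionary.json hunk is the one new attribute that nothing else in this PR references — scan_activity.json's attribute list runs from `num_detections` to `num_trusted_items` and skips it. If no existing event or object already uses it, the entry is dead weight in the dictionary; if it was meant for the scan event, it should be added there alongside the other counters, presumably as `"num_violations": { "group": "primary", "requirement": "recommended" }`. Its description also departs from the pattern of its neighbours ("the number of times the policy or rule was violated" rather than "The number of ... scanned"), which suggests it was ported from a different context and deserves a second look.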
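--- /dev/null
+++ b/events/application/scan_activity.json
@@ -0,0 +1,132 @@
+{
+"caption": "Scan Activity",
+"category": "application",
+"description": "Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.",
+"extends": "base_event",
+"name": "scan_activity",
+"profiles": [
+"host"
+],
+"uid": 7,
+"attributes": {
+"$include": [
+"profiles/host.json"
+],
+"command_uid": {
+"description": "The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.",
+"group": "primary",
+"requirement": "recommended"
+},
+"activity_id": {
+"enum": {
+"1": {
+"description": "The scan was started.",
+"caption": "Started"
+},
+"2": {
+"description": "The scan was completed.",
+"caption": "Completed"
+},
+"3": {
+"description": "The scan was cancelled.",
+"caption": "Cancelled"
+},
+"4": {
+"description": "The allocated scan time was insufficient to complete the requested scan.",
+"caption": "Duration Violation"
+},
+"5": {
+"description": "The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and not resumed within the allotted time.",
+"caption": "Pause Violation"
+},
+"6": {
+"description": "The scan could not be completed due to an internal error.",
+"caption": "Error"
+},
+"7": {
+"description": "The scan was paused.",
+"caption": "Paused"
+},
+"8": {
+"description": "The scan was resumed from the pause point.",
+"caption": "Resumed"
+},
+"9": {
+"description": "The scan restarted from the beginning of the file enumeration.",
+"caption": "Restarted"
+},
+"10": {
+"description": "The user delayed the scan.",
+"caption": "Delayed"
+}
+}
+},
+"duration": {
+"description": "The duration of the scan",
+"requirement": "recommended"
+},
+"end_time": {
+"description": "The end time of the scan job.",
+"requirement": "recommended"
+},
+"num_detections": {
+"group": "primary",
+"requirement": "recommended"
+},
+"num_files": {
+"group": "primary",
+"requirement": "recommended"
+},
+"num_folders": {
+"group": "primary",
+"requirement": "recommended"
+},
+"num_network_items": {
+"group": "primary",
+"requirement": "recommended"
+},
+"num_processes": {
+"group": "primary",
+"requirement": "recommended"
+},
+"num_registry_items": {
+"group": "primary",
+"requirement": "recommended"
+},
+"num_resolutions": {
+"group": "primary",
+"requirement": "recommended"
+},
+"num_skipped_items": {
+"group": "primary",
+"requirement": "recommended"
+},
+"num_trusted_items": {
+"group": "primary",
+"requirement": "recommended"
+},
+"policy": {
+"description": "The policy associated with this Scan event; required if the scan was initiated by a policy.",
+"group": "primary",
+"requirement": "recommended"
+},
+"scan": {
+"description": "The Scan object describes characteristics of the scan job.",
+"group": "primary",
+"requirement": "required"
+},
+"schedule_uid": {
+"group": "primary",
+"requirement": "recommended"
+},
+"start_time": {
+"description": "The start time of the scan job.",
+"requirement": "recommended"
+},
+"total": {
+"description": "The total number of items that were scanned; zero if no items were scanned.",
+"group": "primary",
+"requirement": "recommended"
+}
+}
+}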
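Review bot: The `policy` description says the attribute is "required if the scan was initiated by a policy", but its `requirement` is `recommended`, and the schema has no way to express a conditional requirement, so a reader of the generated docs is shown two contradictory statements. Suggest rewording to `"description": "The policy associated with this Scan event. Expected to be populated when the scan was initiated by a policy."` so the `requirement` level stays the single source of truth. Separately, the `duration` description `"The duration of the scan"` lacks a terminating period and does not say what span it measures; `"The duration of the scan job, from start_time to end_time."` would match the wording of the neighbouring `start_time`/`end_time` entries, assuming that is the intended span — confirm against the dictionary's `duration` definition, which is outside this PR.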
68 changes: 68 additions & 0 deletions objects/scan.json
@@ -0,0 +1,68 @@
{
"caption": "Scan",
"description": "The Scan object describes characteristics of a proactive scan.",
"extends": "object",
"name": "scan",
"attributes": {
"name": {
"description": "The administrator-supplied or application-generated name of the scan. For example: \"Home office weekly user database scan\", \"Scan folders for viruses\", \"Full system virus scan\"",
"group": "primary",
"requirement": "recommended"
},
"type": {
"description": "The type of scan.",
"group": "primary",
"requirement": "optional"
},
"type_id": {
"description": "The type id of the scan.",
"group": "primary",
"requirement": "required",
"enum": {
"0": {
"caption": "Unknown"
},
"1": {
"description": "The scan was manually initiated by the user or administrator.",
"caption": "Manual"
},
"2": {
"description": "The scan was started based on scheduler.",
"caption": "Scheduled"
},
"3": {
"description": "The scan was triggered by a content update.",
"caption": "Updated Definitions"
},
"4": {
"description": "The scan was triggered by newly quarantined items.",
"caption": "Quarantined Items"
},
"5": {
"description": "The scan was triggered by the attachment of removable media.",
"caption": "Attached Media"
},
"6": {
"description": "The scan was started due to a user logon.",
"caption": "User Logon"
},
"7": {
"description": "The scan was triggered by an Early Launch Anti-Malware (ELAM) detection.",
"caption": "ELAM"
},
"99": {
"caption": "Other",
"description": "The scan type id is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
}
},
"sibling": "type",
"type": "integer_t"
},
"uid": {
"description": "The application-defined unique identifier assigned to an instance of a scan.",
"group": "primary",
"caption": "Scan UID",
"requirement": "required"
}
}
}
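Review bot: In the `type_id` enum, value `0` is the only entry without a `description` — every other value, including `99`, carries one — so the generated documentation will presumably show a blank where the other rows have text. Suggest `"0": { "caption": "Unknown", "description": "The scan type is unknown." }`, matching the pattern of the `99` entry. Also, the key order inside `type_id` (`requirement` before `enum`, then `sibling` and `type` after the enum) differs from the `activity_id` attribute in scan_activity.json, where `enum` is the only key; harmless to the parser, but grouping `type`/`sibling` next to `requirement` keeps the two new enum definitions readable side by side.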