Merge pull request #8977 from Azure/New-Schemas

New ASIM Schema YAML files
Azure · Sep 13, 2023 · 1e827ea · 1e827ea
2 parents 9c8c5b1 + 18b8b77
commit 1e827ea
Show file tree

Hide file tree

Showing 6 changed files with 301 additions and 8 deletions.
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
@@ -812,16 +812,25 @@ Rule,string,Optional,Dns,,,
 Rule,string,Optional,FileEvent,,,
 Rule,string,Optional,NetworkSession,,,
 Rule,string,Optional,WebSession,,,
+Rule,string,Alias,RegistryEvent,,,RuleName
+Rule,string,Alias,UserManagement,,,RuleName
+Rule,string,Alias,Dhcp,,,RuleName
 RuleName,string,Optional,AuditEvent,,,
 RuleName,string,Optional,Authentication,,,
 RuleName,string,Optional,Dns,,,
 RuleName,string,Optional,FileEvent,,,
 RuleName,string,Optional,WebSession,,,
+RuleName,string,Optional,RegistryEvent,,,
+RuleName,string,Optional,UserManagement,,,
+RuleName,string,Optional,Dhcp,,,
 RuleNumber,int,Optional,AuditEvent,,,
 RuleNumber,int,Optional,Authentication,,,
 RuleNumber,int,Optional,Dns,,,
 RuleNumber,int,Optional,FileEvent,,,
 RuleNumber,int,Optional,WebSession,,,
+RuleNumber,int,Optional,RegistryEvent,,,
+RuleNumber,int,Optional,UserManagement,,,
+RuleNumber,int,Optional,Dhcp,,,
 SessionId,string,Alias,Dhcp,,,DhcpSessionId
 SessionId,string,Alias,Dns,,,DnsSessionId
 SessionId,string,Alias,NetworkSession,,,NetworkSessionId
@@ -1170,31 +1179,46 @@ ThreatCategory,string,Optional,Dns,,,
 ThreatCategory,string,Optional,FileEvent,,,
 ThreatCategory,string,Optional,NetworkSession,,,
 ThreatCategory,string,Optional,WebSession,,,
+ThreatCategory,string,Optional,RegistryEvent,,,
+ThreatCategory,string,Optional,UserManagement,,,
+ThreatCategory,string,Optional,Dhcp,,,
 ThreatConfidence,int,Optional,AuditEvent,ConfidenceLevel,,
 ThreatConfidence,int,Optional,Authentication,ConfidenceLevel,,
 ThreatConfidence,int,Optional,Dns,ConfidenceLevel,,
 ThreatConfidence,int,Optional,FileEvent,,,
 ThreatConfidence,int,Optional,NetworkSession,,,
 ThreatConfidence,int,Optional,WebSession,,,
+ThreatConfidence,int,Optional,RegistryEvent,,,
+ThreatConfidence,int,Optional,UserManagement,,,
+ThreatConfidence,int,Optional,Dhcp,,,
 ThreatField,string,Conditional,AuditEvent,Enumerated,,ThreatIpAddr
 ThreatField,string,Conditional,FileEvent,Enumerated,,ThreatFilePath
 ThreatField,string,Conditional,NetworkSession,Enumerated,,ThreatIpAddr
 ThreatField,string,Optional,Authentication,,,
 ThreatField,string,Optional,Dns,,,
 ThreatField,string,Optional,WebSession,,,
+ThreatField,string,Optional,RegistryEvent,,,
+ThreatField,string,Optional,UserManagement,,,
+ThreatField,string,Optional,Dhcp,,,
 ThreatFilePath,string,Optional,FileEvent,string,,
 ThreatFirstReportedTime,datetime,Optional,AuditEvent,,,
 ThreatFirstReportedTime,datetime,Optional,Authentication,,,
 ThreatFirstReportedTime,datetime,Optional,Dns,,,
 ThreatFirstReportedTime,datetime,Optional,FileEvent,,,
 ThreatFirstReportedTime,datetime,Optional,NetworkSession,,,
 ThreatFirstReportedTime,datetime,Optional,WebSession,,,
+ThreatFirstReportedTime,datetime,Optional,RegistryEvent,,,
+ThreatFirstReportedTime,datetime,Optional,UserManagement,,,
+ThreatFirstReportedTime,datetime,Optional,Dhcp,,,
 ThreatId,string,Optional,AuditEvent,,,
 ThreatId,string,Optional,Authentication,,,
 ThreatId,string,Optional,Dns,,,
 ThreatId,string,Optional,FileEvent,,,
 ThreatId,string,Optional,NetworkSession,,,
 ThreatId,string,Optional,WebSession,,,
+ThreatId,string,Optional,RegistryEvent,,,
+ThreatId,string,Optional,UserManagement,,,
+ThreatId,string,Optional,Dhcp,,,
 ThreatIpAddr,string,Optional,AuditEvent,IP Address,,
 ThreatIpAddr,string,Optional,Authentication,IP Address,,
 ThreatIpAddr,string,Optional,Dns,IP Address,,
@@ -1206,36 +1230,54 @@ ThreatIsActive,bool,Optional,Dns,,,
 ThreatIsActive,bool,Optional,FileEvent,,,
 ThreatIsActive,bool,Optional,NetworkSession,,,
 ThreatIsActive,bool,Optional,WebSession,,,
+ThreatIsActive,bool,Optional,RegistryEvent,,,
+ThreatIsActive,bool,Optional,UserManagement,,,
+ThreatIsActive,bool,Optional,Dhcp,,,
 ThreatLastReportedTime,datetime,Optional,AuditEvent,,,
 ThreatLastReportedTime,datetime,Optional,Authentication,,,
 ThreatLastReportedTime,datetime,Optional,Dns,,,
 ThreatLastReportedTime,datetime,Optional,FileEvent,,,
 ThreatLastReportedTime,datetime,Optional,NetworkSession,,,
 ThreatLastReportedTime,datetime,Optional,WebSession,,,
+ThreatLastReportedTime,datetime,Optional,RegistryEvent,,,
+ThreatLastReportedTime,datetime,Optional,UserManagement,,,
+ThreatLastReportedTime,datetime,Optional,Dhcp,,,
 ThreatName,string,Optional,AuditEvent,,,
 ThreatName,string,Optional,Authentication,,,
 ThreatName,string,Optional,Dns,,,
 ThreatName,string,Optional,FileEvent,,,
 ThreatName,string,Optional,NetworkSession,,,
 ThreatName,string,Optional,WebSession,,,
+ThreatName,string,Optional,RegistryEvent,,,
+ThreatName,string,Optional,UserManagement,,,
+ThreatName,string,Optional,Dhcp,,,
 ThreatOriginalConfidence,string,Optional,AuditEvent,,,
 ThreatOriginalConfidence,string,Optional,Authentication,,,
 ThreatOriginalConfidence,string,Optional,Dns,,,
 ThreatOriginalConfidence,string,Optional,FileEvent,,,
 ThreatOriginalConfidence,string,Optional,NetworkSession,,,
 ThreatOriginalConfidence,string,Optional,WebSession,,,
+ThreatOriginalConfidence,string,Optional,RegistryEvent,,,
+ThreatOriginalConfidence,string,Optional,UserManagement,,,
+ThreatOriginalConfidence,string,Optional,Dhcp,,,
 ThreatOriginalRiskLevel,string,Optional,AuditEvent,,,
 ThreatOriginalRiskLevel,string,Optional,Authentication,,,
 ThreatOriginalRiskLevel,string,Optional,Dns,,,
 ThreatOriginalRiskLevel,string,Optional,FileEvent,,,
 ThreatOriginalRiskLevel,string,Optional,NetworkSession,,,
 ThreatOriginalRiskLevel,string,Optional,WebSession,,,
+ThreatOriginalRiskLevel,string,Optional,RegistryEvent,,,
+ThreatOriginalRiskLevel,string,Optional,UserManagement,,,
+ThreatOriginalRiskLevel,string,Optional,Dhcp,,,
 ThreatRiskLevel,int,Optional,AuditEvent,RiskLevel,,
 ThreatRiskLevel,int,Optional,Authentication,RiskLevel,,
 ThreatRiskLevel,int,Optional,Dns,RiskLevel,,
 ThreatRiskLevel,int,Optional,FileEvent,RiskLevel,,
 ThreatRiskLevel,int,Optional,NetworkSession,RiskLevel,,
 ThreatRiskLevel,int,Optional,WebSession,RiskLevel,,
+ThreatRiskLevel,int,Optional,RegistryEvent,,,
+ThreatRiskLevel,int,Optional,UserManagement,,,
+ThreatRiskLevel,int,Optional,Dhcp,,,
 TimeGenerated,datetime,Mandatory,AuditEvent,,,
 TimeGenerated,datetime,Mandatory,Authentication,,,
 TimeGenerated,datetime,Mandatory,Common,,,

diff --git a/ASIM/schemas/ASimDHCPEvent.yaml b/ASIM/schemas/ASimDHCPEvent.yaml
@@ -0,0 +1,144 @@
+Schema:
+  Schema: Dhcp
+  Version: '0.1.0'
+  Last Updated: Sept 12 2023
+References:
+- Title: ASIM DHCP Schema
+  Link: https://aka.ms/ASimDhcpDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+
+Include:
+
+# Metadata
+- Name: Enumerations
+  File: common/ASimEnumerations.yaml
+
+# Common fields
+- Name: Event Fields
+  File: common/ASimEventFields.yaml
+- Name: Inspection fields
+  File: common/ASimInspectionFields.yaml
+
+# Entities
+- Name: Dvc
+  File: common/ASimDvc.yaml
+- Name: Source user entity
+  File: entities/ASimUser.yaml
+  Role: Src
+- Name: Source system entity
+  File: entities/ASimSystem.yaml
+  Role: Src
+
+Fields:
+# Common fields overrides and additions
+- Name: EventType
+  Type: string
+  Class: Mandatory
+  Logical type: Enumerated
+  List of values: [ Assign, Renew, Release, DNS Update ]
+  Description: Indicate the operation reported by the record.
+
+- Name: EventSchema
+  Type: string
+  Class: Mandatory
+  Logical type: Enumerated
+  List of values: [ Dhcp ]
+
+# Aliases
+- Name: User
+  Type: string
+  Class: Alias
+  Logical type: Username
+  Description: Alias for SrcUsername
+  Aliases: SrcUsername
+
+- Name: IpAddr
+  Type: string
+  Class: Alias
+  Logical type: IP Address
+  Description: Alias to SrcIpAddr
+  Aliases: SrcIpAddr
+
+- Name: Hostname
+  Type: string
+  Class: Alias
+  Description: Alias to SrcHostname
+  Aliases: SrcHostname
+
+# DHCP event fields
+- Name: RequestedIpAddr
+  Class: Optional
+  Type:  string
+  Description: The IP address requested by the DHCP client, when available.
+  Example: '192.168.12.3'
+
+- Name: DhcpLeaseDuration
+  Class: Optional
+  Type: integer
+  Description: The length of the lease granted to a client, in seconds.
+
+- Name: DhcpSessionId
+  Class: Optional
+  Type: string
+  Description: 	The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.
+  Example: '2099570186'
+
+- Name: SessionId
+  Class: Alias
+  Type: string
+  Description: Alias to DhcpSessionId.
+  Aliases: DhcpSessionId
+
+- Name: DhcpSessionDuration
+  Class: Optional
+  Type:  Integer
+  Description: The amount of time, in milliseconds, for the completion of the DHCP session.
+  Example: 1500
+
+- Name: Duration
+  Class: Alias
+  Type: Integer
+  Description: Alias to DhcpSessionDuration
+  Aliases: DhcpSessionDuration
+
+- Name: DhcpSrcDHCId
+  Class: Optional
+  Type:  string
+  Description: 	The DHCP client ID, as defined by RFC4701.
+
+- Name: DhcpCircuitId
+  Class:  Recommended
+  Type:  string
+  Description:  The DHCP circuit ID, as defined by RFC3046.
+
+- Name: DhcpSubscriberId
+  Class: Optional
+  Type: string
+  Description: The DHCP subscriber ID, as defined by RFC3993.
+
+- Name: DhcpVendorClassId  
+  Class: Optional
+  Type: string
+  Description: 	The DHCP Vendor Class Id, as defined by RFC3925.
+
+- Name: DhcpVendorClass  
+  Class: Optional
+  Type:  string
+  Description: The DHCP Vendor Class, as defined by RFC3925.
+
+- Name: DhcpUserClassId  
+  Class: Optional
+  Type:  string
+  Description: The DHCP User Class Id, as defined by RFC3004.
+
+- Name: DhcpUserClass 
+  Class: Optional
+  Type: string
+  Description: The DHCP User Class, as defined by RFC3004.
+
+- Name: SrcMacAddr
+  Class: Optional
+  Type: string
+  Description: The MAC address of the network interface from which the connection or session originated.
+  Example: '06:10:9f:eb:8f:14'
diff --git a/ASIM/schemas/ASimFileEvent.yaml b/ASIM/schemas/ASimFileEvent.yaml
@@ -1,7 +1,7 @@
 Schema:
   Schema: FileEvent
-  Version: '0.2.1'
-  Last Updated: Dec 27, 2022
+  Version: '0.2.2'
+  Last Updated: Sept 12 2023
 References:
 - Title: ASIM File Event Schema
   Link: https://aka.ms/ASimFileEventDoc
@@ -25,9 +25,6 @@ Include:
   File: entities/ASimDvc.yaml
 - Name: Actor entity
   File: entities/ASimActor.yaml
-- Name: Target user entity
-  File: entities/ASimUser.yaml
-  Role: Target
 - Name: Target application entity
   File: entities/ASimApp.yaml
   Role: Target