diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index ad67f24de97..82fdba506a5 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -812,16 +812,25 @@ Rule,string,Optional,Dns,,,
 Rule,string,Optional,FileEvent,,,
 Rule,string,Optional,NetworkSession,,,
 Rule,string,Optional,WebSession,,,
+Rule,string,Alias,RegistryEvent,,,RuleName
+Rule,string,Alias,UserManagement,,,RuleName
+Rule,string,Alias,Dhcp,,,RuleName
 RuleName,string,Optional,AuditEvent,,,
 RuleName,string,Optional,Authentication,,,
 RuleName,string,Optional,Dns,,,
 RuleName,string,Optional,FileEvent,,,
 RuleName,string,Optional,WebSession,,,
+RuleName,string,Optional,RegistryEvent,,,
+RuleName,string,Optional,UserManagement,,,
+RuleName,string,Optional,Dhcp,,,
 RuleNumber,int,Optional,AuditEvent,,,
 RuleNumber,int,Optional,Authentication,,,
 RuleNumber,int,Optional,Dns,,,
 RuleNumber,int,Optional,FileEvent,,,
 RuleNumber,int,Optional,WebSession,,,
+RuleNumber,int,Optional,RegistryEvent,,,
+RuleNumber,int,Optional,UserManagement,,,
+RuleNumber,int,Optional,Dhcp,,,
 SessionId,string,Alias,Dhcp,,,DhcpSessionId
 SessionId,string,Alias,Dns,,,DnsSessionId
 SessionId,string,Alias,NetworkSession,,,NetworkSessionId
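Review bot: The three added `Rule,string,Alias,<schema>,,,RuleName` rows register `Rule` as an alias of `RuleName` for RegistryEvent, UserManagement and Dhcp, while the unchanged rows directly above keep `Rule` as a plain Optional field for Dns, FileEvent, NetworkSession and WebSession. The tester will therefore validate the same field two different ways depending on schema, and an analytic that reads `Rule` cannot rely on it resolving to `RuleName` everywhere. If the alias form is the intended convention going forward, a one-line note in the commit description (or a follow-up aligning the older rows) would make that explicit.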
@@ -1170,18 +1179,27 @@ ThreatCategory,string,Optional,Dns,,,
 ThreatCategory,string,Optional,FileEvent,,,
 ThreatCategory,string,Optional,NetworkSession,,,
 ThreatCategory,string,Optional,WebSession,,,
+ThreatCategory,string,Optional,RegistryEvent,,,
+ThreatCategory,string,Optional,UserManagement,,,
+ThreatCategory,string,Optional,Dhcp,,,
 ThreatConfidence,int,Optional,AuditEvent,ConfidenceLevel,,
 ThreatConfidence,int,Optional,Authentication,ConfidenceLevel,,
 ThreatConfidence,int,Optional,Dns,ConfidenceLevel,,
 ThreatConfidence,int,Optional,FileEvent,,,
 ThreatConfidence,int,Optional,NetworkSession,,,
 ThreatConfidence,int,Optional,WebSession,,,
+ThreatConfidence,int,Optional,RegistryEvent,,,
+ThreatConfidence,int,Optional,UserManagement,,,
+ThreatConfidence,int,Optional,Dhcp,,,
 ThreatField,string,Conditional,AuditEvent,Enumerated,,ThreatIpAddr
 ThreatField,string,Conditional,FileEvent,Enumerated,,ThreatFilePath
 ThreatField,string,Conditional,NetworkSession,Enumerated,,ThreatIpAddr
 ThreatField,string,Optional,Authentication,,,
 ThreatField,string,Optional,Dns,,,
 ThreatField,string,Optional,WebSession,,,
+ThreatField,string,Optional,RegistryEvent,,,
+ThreatField,string,Optional,UserManagement,,,
+ThreatField,string,Optional,Dhcp,,,
 ThreatFilePath,string,Optional,FileEvent,string,,
 ThreatFirstReportedTime,datetime,Optional,AuditEvent,,,
 ThreatFirstReportedTime,datetime,Optional,Authentication,,,
@@ -1189,12 +1207,18 @@ ThreatFirstReportedTime,datetime,Optional,Dns,,,
 ThreatFirstReportedTime,datetime,Optional,FileEvent,,,
 ThreatFirstReportedTime,datetime,Optional,NetworkSession,,,
 ThreatFirstReportedTime,datetime,Optional,WebSession,,,
+ThreatFirstReportedTime,datetime,Optional,RegistryEvent,,,
+ThreatFirstReportedTime,datetime,Optional,UserManagement,,,
+ThreatFirstReportedTime,datetime,Optional,Dhcp,,,
 ThreatId,string,Optional,AuditEvent,,,
 ThreatId,string,Optional,Authentication,,,
 ThreatId,string,Optional,Dns,,,
 ThreatId,string,Optional,FileEvent,,,
 ThreatId,string,Optional,NetworkSession,,,
 ThreatId,string,Optional,WebSession,,,
+ThreatId,string,Optional,RegistryEvent,,,
+ThreatId,string,Optional,UserManagement,,,
+ThreatId,string,Optional,Dhcp,,,
 ThreatIpAddr,string,Optional,AuditEvent,IP Address,,
 ThreatIpAddr,string,Optional,Authentication,IP Address,,
 ThreatIpAddr,string,Optional,Dns,IP Address,,
@@ -1206,36 +1230,54 @@ ThreatIsActive,bool,Optional,Dns,,,
 ThreatIsActive,bool,Optional,FileEvent,,,
 ThreatIsActive,bool,Optional,NetworkSession,,,
 ThreatIsActive,bool,Optional,WebSession,,,
+ThreatIsActive,bool,Optional,RegistryEvent,,,
+ThreatIsActive,bool,Optional,UserManagement,,,
+ThreatIsActive,bool,Optional,Dhcp,,,
 ThreatLastReportedTime,datetime,Optional,AuditEvent,,,
 ThreatLastReportedTime,datetime,Optional,Authentication,,,
 ThreatLastReportedTime,datetime,Optional,Dns,,,
 ThreatLastReportedTime,datetime,Optional,FileEvent,,,
 ThreatLastReportedTime,datetime,Optional,NetworkSession,,,
 ThreatLastReportedTime,datetime,Optional,WebSession,,,
+ThreatLastReportedTime,datetime,Optional,RegistryEvent,,,
+ThreatLastReportedTime,datetime,Optional,UserManagement,,,
+ThreatLastReportedTime,datetime,Optional,Dhcp,,,
 ThreatName,string,Optional,AuditEvent,,,
 ThreatName,string,Optional,Authentication,,,
 ThreatName,string,Optional,Dns,,,
 ThreatName,string,Optional,FileEvent,,,
 ThreatName,string,Optional,NetworkSession,,,
 ThreatName,string,Optional,WebSession,,,
+ThreatName,string,Optional,RegistryEvent,,,
+ThreatName,string,Optional,UserManagement,,,
+ThreatName,string,Optional,Dhcp,,,
 ThreatOriginalConfidence,string,Optional,AuditEvent,,,
 ThreatOriginalConfidence,string,Optional,Authentication,,,
 ThreatOriginalConfidence,string,Optional,Dns,,,
 ThreatOriginalConfidence,string,Optional,FileEvent,,,
 ThreatOriginalConfidence,string,Optional,NetworkSession,,,
 ThreatOriginalConfidence,string,Optional,WebSession,,,
+ThreatOriginalConfidence,string,Optional,RegistryEvent,,,
+ThreatOriginalConfidence,string,Optional,UserManagement,,,
+ThreatOriginalConfidence,string,Optional,Dhcp,,,
 ThreatOriginalRiskLevel,string,Optional,AuditEvent,,,
 ThreatOriginalRiskLevel,string,Optional,Authentication,,,
 ThreatOriginalRiskLevel,string,Optional,Dns,,,
 ThreatOriginalRiskLevel,string,Optional,FileEvent,,,
 ThreatOriginalRiskLevel,string,Optional,NetworkSession,,,
 ThreatOriginalRiskLevel,string,Optional,WebSession,,,
+ThreatOriginalRiskLevel,string,Optional,RegistryEvent,,,
+ThreatOriginalRiskLevel,string,Optional,UserManagement,,,
+ThreatOriginalRiskLevel,string,Optional,Dhcp,,,
 ThreatRiskLevel,int,Optional,AuditEvent,RiskLevel,,
 ThreatRiskLevel,int,Optional,Authentication,RiskLevel,,
 ThreatRiskLevel,int,Optional,Dns,RiskLevel,,
 ThreatRiskLevel,int,Optional,FileEvent,RiskLevel,,
 ThreatRiskLevel,int,Optional,NetworkSession,RiskLevel,,
 ThreatRiskLevel,int,Optional,WebSession,RiskLevel,,
+ThreatRiskLevel,int,Optional,RegistryEvent,,,
+ThreatRiskLevel,int,Optional,UserManagement,,,
+ThreatRiskLevel,int,Optional,Dhcp,,,
 TimeGenerated,datetime,Mandatory,AuditEvent,,,
 TimeGenerated,datetime,Mandatory,Authentication,,,
 TimeGenerated,datetime,Mandatory,Common,,,
diff --git a/ASIM/schemas/ASimDHCPEvent.yaml b/ASIM/schemas/ASimDHCPEvent.yaml
new file mode 100644
index 00000000000..620b6d26acc
--- /dev/null
+++ b/ASIM/schemas/ASimDHCPEvent.yaml
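Review bot: The three new `ThreatRiskLevel,int,Optional,<schema>,,,` rows leave the logical-type column empty, whereas every existing ThreatRiskLevel row carries `RiskLevel`; the tester will therefore skip the RiskLevel value check for RegistryEvent, UserManagement and Dhcp records, so out-of-range risk scores pass silently for exactly the schemas being added. They should read, for example, `ThreatRiskLevel,int,Optional,RegistryEvent,RiskLevel,,`. The new ThreatConfidence rows in the earlier hunk follow the mixed precedent (ConfidenceLevel on some schemas, none on others), so it is worth settling that convention in the same change rather than widening the inconsistency.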
@@ -0,0 +1,144 @@
+Schema:
+ Schema: Dhcp
+ Version: '0.1.0'
+ Last Updated: Sept 12 2023
+References:
+- Title: ASIM DHCP Schema
+ Link: https://aka.ms/ASimDhcpDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+
+Include:
+
+# Metadata
+- Name: Enumerations
+ File: common/ASimEnumerations.yaml
+
+# Common fields
+- Name: Event Fields
+ File: common/ASimEventFields.yaml
+- Name: Inspection fields
+ File: common/ASimInspectionFields.yaml
+
+# Entities
+- Name: Dvc
+ File: common/ASimDvc.yaml
+- Name: Source user entity
+ File: entities/ASimUser.yaml
+ Role: Src
+- Name: Source system entity
+ File: entities/ASimSystem.yaml
+ Role: Src
+
+Fields:
+# Common fields overrides and additions
+- Name: EventType
+ Type: string
+ Class: Mandatory
+ Logical type: Enumerated
+ List of values: [ Assign, Renew, Release, DNS Update ]
+ Description: Indicate the operation reported by the record.
+
+- Name: EventSchema
+ Type: string
+ Class: Mandatory
+ Logical type: Enumerated
+ List of values: [ Dhcp ]
+
+# Aliases
+- Name: User
+ Type: string
+ Class: Alias
+ Logical type: Username
+ Description: Alias for SrcUsername
+ Aliases: SrcUsername
+
+- Name: IpAddr
+ Type: string
+ Class: Alias
+ Logical type: IP Address
+ Description: Alias to SrcIpAddr
+ Aliases: SrcIpAddr
+
+- Name: Hostname
+ Type: string
+ Class: Alias
+ Description: Alias to SrcHostname
+ Aliases: SrcHostname
+
+# DHCP event fields
+- Name: RequestedIpAddr
+ Class: Optional
+ Type: string
+ Description: The IP address requested by the DHCP client, when available.
+ Example: '192.168.12.3'
+
+- Name: DhcpLeaseDuration
+ Class: Optional
+ Type: integer
+ Description: The length of the lease granted to a client, in seconds.
+
+- Name: DhcpSessionId
+ Class: Optional
+ Type: string
+ Description: The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.
+ Example: '2099570186'
+
+- Name: SessionId
+ Class: Alias
+ Type: string
+ Description: Alias to DhcpSessionId.
+ Aliases: DhcpSessionId
+
+- Name: DhcpSessionDuration
+ Class: Optional
+ Type: Integer
+ Description: The amount of time, in milliseconds, for the completion of the DHCP session.
+ Example: 1500
+
+- Name: Duration
+ Class: Alias
+ Type: Integer
+ Description: Alias to DhcpSessionDuration
+ Aliases: DhcpSessionDuration
+
+- Name: DhcpSrcDHCId
+ Class: Optional
+ Type: string
+ Description: The DHCP client ID, as defined by RFC4701.
+
+- Name: DhcpCircuitId
+ Class: Recommended
+ Type: string
+ Description: The DHCP circuit ID, as defined by RFC3046.
+
+- Name: DhcpSubscriberId
+ Class: Optional
+ Type: string
+ Description: The DHCP subscriber ID, as defined by RFC3993.
+
+- Name: DhcpVendorClassId
+ Class: Optional
+ Type: string
+ Description: The DHCP Vendor Class Id, as defined by RFC3925.
+
+- Name: DhcpVendorClass
+ Class: Optional
+ Type: string
+ Description: The DHCP Vendor Class, as defined by RFC3925.
+
+- Name: DhcpUserClassId
+ Class: Optional
+ Type: string
+ Description: The DHCP User Class Id, as defined by RFC3004.
+
+- Name: DhcpUserClass
+ Class: Optional
+ Type: string
+ Description: The DHCP User Class, as defined by RFC3004.
+
+- Name: SrcMacAddr
+ Class: Optional
+ Type: string
+ Description: The MAC address of the network interface from which the connection or session originated.
+ Example: '06:10:9f:eb:8f:14'
\ No newline at end of file
diff --git a/ASIM/schemas/ASimFileEvent.yaml b/ASIM/schemas/ASimFileEvent.yaml
index e4ac9d7dc0b..f42992825cd 100644
--- a/ASIM/schemas/ASimFileEvent.yaml
+++ b/ASIM/schemas/ASimFileEvent.yaml
@@ -1,7 +1,7 @@
 Schema:
 Schema: FileEvent
- Version: '0.2.1'
- Last Updated: Dec 27, 2022
+ Version: '0.2.2'
+ Last Updated: Sept 12 2023
 References:
 - Title: ASIM File Event Schema
 Link: https://aka.ms/ASimFileEventDoc
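Review bot: The Dvc include in the new DHCP schema points at `File: common/ASimDvc.yaml`, while the FileEvent and RegistryEvent schemas in this same change resolve that entity as `entities/ASimDvc.yaml`; unless a `common/ASimDvc.yaml` really exists, the Dvc fields will be missing from the generated DHCP schema, so this should read `File: entities/ASimDvc.yaml`. The numeric type tokens are also inconsistent within the file — `Type: integer` on DhcpLeaseDuration but `Type: Integer` on DhcpSessionDuration and Duration — while the tester CSV in this diff spells the same type `int`; pick the one spelling the tooling recognizes. `RequestedIpAddr` carries no `Logical type: IP Address` even though the `IpAddr` alias above it does, so the tester cannot format-check what is a client-supplied, attacker-controllable value; adding `Logical type: IP Address` closes that gap. `SrcMacAddr` similarly has no logical type at all and would benefit from the same treatment if a MAC logical type is available.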
@@ -25,9 +25,6 @@ Include:
 File: entities/ASimDvc.yaml
 - Name: Actor entity
 File: entities/ASimActor.yaml
-- Name: Target user entity
- File: entities/ASimUser.yaml
- Role: Target
 - Name: Target application entity
 File: entities/ASimApp.yaml
 Role: Target
diff --git a/ASIM/schemas/ASimRegistryEvent.yaml b/ASIM/schemas/ASimRegistryEvent.yaml
new file mode 100644
index 00000000000..6109f3769ec
--- /dev/null
+++ b/ASIM/schemas/ASimRegistryEvent.yaml
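Review bot: Dropping the `Target user entity` include removes every Target-role user field from FileEvent, yet the version bump in this file's first hunk is only `0.2.1` to `0.2.2`; removing fields is a breaking change for any parser or analytic that references them, so it arguably warrants at least a minor-version bump and a changelog entry. If no FileEvent parser ever populated those fields, a sentence saying so in the commit description would tell consumers the removal is safe.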
@@ -0,0 +1,110 @@
+Schema:
+ Schema: RegistryEvent
+ Version: '0.1.0'
+ Last Updated: Sept 12 2023
+References:
+- Title: ASIM DHCP Schema
+ Link: https://aka.ms/ASimRegistryEventDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+
+Include:
+
+# Metadata
+- Name: Enumerations
+ File: common/ASimEnumerations.yaml
+
+# Common fields
+- Name: Event Fields
+ File: common/ASimEventFields.yaml
+- Name: Inspection fields
+ File: common/ASimInspectionFields.yaml
+
+# Entities
+- Name: Dvc
+ File: entities/ASimDvc.yaml
+- Name: Actor entity
+ File: entities/ASimActor.yaml
+- Name: Acting process entity
+ File: entities/ASimProcess.yaml
+ Role: Acting
+- Name: Parent process entity
+ File: entities/ASimProcess.yaml
+ Role: Parent
+
+Fields:
+# Common fields overrides and additions
+- Name: EventType
+ Type: string
+ Class: Mandatory
+ Logical type: Enumerated
+ List of values: [ RegistryKeyCreated, RegistryKeyDeleted, RegistryKeyRenamed, RegistryValueDeleted, RegistryValueSet ]
+ Description: Describes the operation reported by the record.
+
+- Name: EventSchema
+ Type: string
+ Class: Mandatory
+ Logical type: Enumerated
+ List of values: [ RegistryEvent ]
+
+# Aliases
+- Name: User
+ Type: string
+ Class: Alias
+ Description: Alias to the ActorUsername field.
+ Aliases: ActorUsername
+
+- Name: Process
+ Type: string
+ Class: Alias
+ Description: Alias to the ActingProcessName field.
+ Aliases: ActingProcessName
+
+# Registry event fields
+- Name: RegistryKey
+ Class: Mandatory
+ Type: string
+ Description: The registry key associated with the operation, normalized to standard root key naming conventions.
+ Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
+
+- Name: RegistryValue
+ Class: Recommended
+ Type: string
+ Description: The registry value associated with the operation. Registry values are similar to files in file systems.
+ Example: Path
+
+- Name: RegistryValueType
+ Class: Recommended
+ Type: string
+ Description: The type of registry value, normalized to standard form.
+ Example: 'Reg_Expand_Sz'
+
+- Name: RegistryValueData
+ Class: Recommended
+ Type: string
+ Description: The data stored in the registry value.
+ Example: 'C:\Windows\system32;C:\Windows;'
+
+- Name: RegistryPreviousKey
+ Class: Recommended
+ Type: string
+ Description: For operations that modify the registry, the original registry key, normalized to standard root key naming.
+ Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
+
+- Name: RegistryPreviousValue
+ Class: Recommended
+ Type: string
+ Description: For operations that modify the registry, the original value type, normalized to the standard form.
+ Example: Path
+
+- Name: RegistryPreviousValueType
+ Class: Recommended
+ Type: string
+ Description: For operations that modify the registry, the original value type.
+ Example: 'Reg_Expand_Sz'
+
+- Name: RegistryPreviousValueData
+ Class: Recommended
+ Type: string
+ Description: The original registry data, for operations that modify the registry.
+ Example: 'C:\Windows\system32;C:\Windows;'
\ No newline at end of file
diff --git a/ASIM/schemas/ASimUserManagement.yaml b/ASIM/schemas/ASimUserManagement.yaml
index 78d322b889d..bf09335b1e4 100644
--- a/ASIM/schemas/ASimUserManagement.yaml
+++ b/ASIM/schemas/ASimUserManagement.yaml
@@ -1,7 +1,7 @@
 Schema:
 Schema: User Management
 Version: '0.1.1'
- Last Updated: 18 Jul, 2023
+ Last Updated: Sept 12 2023
 References:
 - Title: ASIM Authentication Schema
 Link: https://aka.ms/ASimUserManagementDoc
diff --git a/ASIM/schemas/entities/ASimSystem.yaml b/ASIM/schemas/entities/ASimSystem.yaml
index d262d4802f8..b5af881fd85 100644
--- a/ASIM/schemas/entities/ASimSystem.yaml
+++ b/ASIM/schemas/entities/ASimSystem.yaml
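Review bot: The reference title in the new RegistryEvent schema is copy-pasted from the DHCP file — `- Title: ASIM DHCP Schema` sits above `Link: https://aka.ms/ASimRegistryEventDoc` — and should read `- Title: ASIM Registry Event Schema`. The description of `RegistryPreviousValue` is likewise lifted from the type field: it says "the original value type, normalized to the standard form" although its example is a value name (`Path`), so suggest `Description: For operations that modify the registry, the original registry value name.` Since detections will match on `RegistryValueData` (for example command lines written to Run keys), it would help rule authors to state in that field's description whether the data is stored verbatim or normalized.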
@@ -94,12 +94,12 @@ Fields: Description: The country associated with the IP address. - Name: <>GeoLatitude - Type: real + Type: Double Class: Optional Description: The latitude of the geographical coordinate associated with the IP address. - Name: <>GeoLongitude - Type: real + Type: Double Class: Optional DstDescription: The longitude of the geographical coordinate associated with the IP address.
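Review bot: `Type: Double` introduces a capitalized type token that matches none of the lowercase, KQL-style names used elsewhere in this diff (`int`, `string`, `datetime`, `bool` in the tester CSV, and `real` on the removed lines); unless the doc generator and ASimTester explicitly accept `Double`, this is at least as likely to fail validation as `real` was, so confirm it against the tester's type list before merging. Unrelated to the change but on the new side of this hunk, the last context line uses the key `DstDescription:` instead of `Description:`, which will probably leave `<>GeoLongitude` undocumented after template expansion; the one-word fix is `Description: The longitude of the geographical coordinate associated with the IP address.` The hunk's trailing line may fall outside this view.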