From 361ec35b21cf15d2e0ed747f80c4c2c32b4c6edc Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Sun, 10 Sep 2023 15:38:23 +0530
Subject: [PATCH 1/9] New ASIM Schema YAML files
---
 ASIM/schemas/ASimDHCPEvent.yaml | 142 ++++++++++++++++++++++++++++
 ASIM/schemas/ASimRegistryEvent.yaml | 108 +++++++++++++++++++++
 2 files changed, 250 insertions(+)
 create mode 100644 ASIM/schemas/ASimDHCPEvent.yaml
 create mode 100644 ASIM/schemas/ASimRegistryEvent.yaml
diff --git a/ASIM/schemas/ASimDHCPEvent.yaml b/ASIM/schemas/ASimDHCPEvent.yaml
new file mode 100644
index 00000000000..6a3819cbb82
--- /dev/null
+++ b/ASIM/schemas/ASimDHCPEvent.yaml
@@ -0,0 +1,142 @@
+Schema:
+ Schema: Dhcp
+ Version: '0.1.0'
+ Last Updated: 10 Sept 2023
+References:
+- Title: ASIM DHCP Schema
+ Link: https://aka.ms/ASimDhcpDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+
+Include:
+
+# Metadata
+- Name: Enumerations
+ File: common/ASimEnumerations.yaml
+
+# Common fields
+- Name: Event Fields
+ File: common/ASimEventFields.yaml
+
+# Entities
+- Name: Dvc
+ File: common/ASimDvc.yaml
+- Name: Source user entity
+ File: entities/ASimUser.yaml
+ Role: Src
+- Name: Source system entity
+ File: entities/ASimSystem.yaml
+ Role: Src
+
+Fields:
+# Common fields overrides and additions
+- Name: EventType
+ Type: string
+ Class: Mandatory
+ Logical type: Enumerated
+ List of values: [ 'Assign', 'Renew', 'Release', 'DNS Update' ]
+ Description: Indicate the operation reported by the record.
+
+- Name: EventSchema
+ Type: string
+ Class: Mandatory
+ Logical type: Enumerated
+ List of values: [ Dhcp ]
+
+# Aliases
+- Name: User
+ Type: string
+ Class: Alias
+ Logical type: Username
+ Description: Alias for SrcUsername
+ Aliases: SrcUsername
+
+- Name: IpAddr
+ Type: string
+ Class: Alias
+ Logical type: IP Address
+ Description: Alias to SrcIpAddr
+ Aliases: SrcIpAddr
+
+- Name: Hostname
+ Type: string
+ Class: Alias
+ Description: Alias to SrcHostname
+ Aliases: SrcHostname
+
+# DHCP event fields
+- Name: RequestedIpAddr
+ Class: Optional
+ Type: string
+ Description: The IP address requested by the DHCP client, when available.
+ Example: '192.168.12.3'
+
+- Name: DhcpLeaseDuration
+ Class: Optional
+ Type: integer
+ Description: The length of the lease granted to a client, in seconds.
+
+- Name: DhcpSessionId
+ Class: Optional
+ Type: string
+ Description: The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.
+ Example: '2099570186'
+
+- Name: SessionId
+ Class: Alias
+ Type: string
+ Description: Alias to DhcpSessionId.
+ Aliases: DhcpSessionId
+
+- Name: DhcpSessionDuration
+ Class: Optional
+ Type: Integer
+ Description: The amount of time, in milliseconds, for the completion of the DHCP session.
+ Example: 1500
+
+- Name: Duration
+ Class: Alias
+ Type: Integer
+ Description: Alias to DhcpSessionDuration
+ Aliases: DhcpSessionDuration
+
+- Name: DhcpSrcDHCId
+ Class: Optional
+ Type: string
+ Description: The DHCP client ID, as defined by RFC4701.
+
+- Name: DhcpCircuitId
+ Class: Recommended
+ Type: string
+ Description: The DHCP circuit ID, as defined by RFC3046.
+
+- Name: DhcpSubscriberId
+ Class: Optional
+ Type: string
+ Description: The DHCP subscriber ID, as defined by RFC3993.
+
+- Name: DhcpVendorClassId
+ Class: Optional
+ Type: string
+ Description: The DHCP Vendor Class Id, as defined by RFC3925.
+
+- Name: DhcpVendorClass
+ Class: Optional
+ Type: string
+ Description: The DHCP Vendor Class, as defined by RFC3925.
+
+- Name: DhcpUserClassId
+ Class: Optional
+ Type: string
+ Description: The DHCP User Class Id, as defined by RFC3004.
+
+- Name: DhcpUserClass
+ Class: Optional
+ Type: string
+ Description: The DHCP User Class, as defined by RFC3004.
+
+- Name: SrcMacAddr
+ Class: Optional
+ Type: string
+ Description: The MAC address of the network interface from which the connection or session originated.
+ Example: '06:10:9f:eb:8f:14'
\ No newline at end of file
diff --git a/ASIM/schemas/ASimRegistryEvent.yaml b/ASIM/schemas/ASimRegistryEvent.yaml
new file mode 100644
index 00000000000..7a8db84aed6
--- /dev/null
+++ b/ASIM/schemas/ASimRegistryEvent.yaml
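Review bot: In ASimDHCPEvent.yaml the Dvc include points at `File: common/ASimDvc.yaml`, while ASimRegistryEvent.yaml in this same patch and the ASimFileEvent.yaml context later in the series both use `entities/ASimDvc.yaml`; unless a copy also exists under common/, the Dvc fields will not resolve for the Dhcp schema and the line should read `File: entities/ASimDvc.yaml`. The type spelling is also mixed: DhcpLeaseDuration uses `Type: integer` while DhcpSessionDuration and Duration use `Type: Integer`, so one spelling should be chosen. RequestedIpAddr carries no logical type although the IpAddr alias declares `Logical type: IP Address`; adding the same line to RequestedIpAddr would presumably let a malformed address in that field be caught when a parser is tested.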
@@ -0,0 +1,108 @@
+Schema:
+ Schema: RegistryEvent
+ Version: '0.1.0'
+ Last Updated: 10 Sept 2023
+References:
+- Title: ASIM DHCP Schema
+ Link: https://aka.ms/ASimRegistryEventDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+
+Include:
+
+# Metadata
+- Name: Enumerations
+ File: common/ASimEnumerations.yaml
+
+# Common fields
+- Name: Event Fields
+ File: common/ASimEventFields.yaml
+
+# Entities
+- Name: Dvc
+ File: entities/ASimDvc.yaml
+- Name: Actor entity
+ File: entities/ASimActor.yaml
+- Name: Acting process entity
+ File: entities/ASimProcess.yaml
+ Role: Acting
+- Name: Parent process entity
+ File: entities/ASimProcess.yaml
+ Role: Parent
+
+Fields:
+# Common fields overrides and additions
+- Name: EventType
+ Type: string
+ Class: Mandatory
+ Logical type: Enumerated
+ List of values: [ 'RegistryKeyCreated', 'RegistryKeyDeleted', 'RegistryKeyRenamed', 'RegistryValueDeleted', 'RegistryValueSet' ]
+ Description: Describes the operation reported by the record.
+
+- Name: EventSchema
+ Type: string
+ Class: Mandatory
+ Logical type: Enumerated
+ List of values: [ RegistryEvent ]
+
+# Aliases
+- Name: User
+ Type: string
+ Class: Alias
+ Description: Alias to the ActorUsername field.
+ Aliases: ActorUsername
+
+- Name: Process
+ Type: string
+ Class: Alias
+ Description: Alias to the ActingProcessName field.
+ Aliases: ActingProcessName
+
+# Registry event fields
+- Name: RegistryKey
+ Class: Mandatory
+ Type: string
+ Description: The registry key associated with the operation, normalized to standard root key naming conventions.
+ Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
+
+- Name: RegistryValue
+ Class: Recommended
+ Type: string
+ Description: The registry value associated with the operation. Registry values are similar to files in file systems.
+ Example: Path
+
+- Name: RegistryValueType
+ Class: Recommended
+ Type: string
+ Description: The type of registry value, normalized to standard form.
+ Example: 'Reg_Expand_Sz'
+
+- Name: RegistryValueData
+ Class: Recommended
+ Type: string
+ Description: The data stored in the registry value.
+ Example: 'C:\Windows\system32;C:\Windows;'
+
+- Name: RegistryPreviousKey
+ Class: Recommended
+ Type: string
+ Description: For operations that modify the registry, the original registry key, normalized to standard root key naming.
+ Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
+
+- Name: RegistryPreviousValue
+ Class: Recommended
+ Type: string
+ Description: For operations that modify the registry, the original value type, normalized to the standard form.
+ Example: Path
+
+- Name: RegistryPreviousValueType
+ Class: Recommended
+ Type: string
+ Description: For operations that modify the registry, the original value type.
+ Example: 'Reg_Expand_Sz'
+
+- Name: RegistryPreviousValueData
+ Class: Recommended
+ Type: string
+ Description: The original registry data, for operations that modify the registry.
+ Example: 'C:\Windows\system32;C:\Windows;'
\ No newline at end of file
From 697f3d93ff8d3a5ef1cbcce1d608a2c75d5dcfd0 Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Sun, 10 Sep 2023 15:56:29 +0530
Subject: [PATCH 2/9] remove non-relevant class
---
 ASIM/schemas/ASimUserManagement.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/ASIM/schemas/ASimUserManagement.yaml b/ASIM/schemas/ASimUserManagement.yaml
index 78d322b889d..937e5f77e32 100644
--- a/ASIM/schemas/ASimUserManagement.yaml
+++ b/ASIM/schemas/ASimUserManagement.yaml
@@ -17,8 +17,6 @@ Include: # Common fields - Name: Event Fields File: common/ASimEventFields.yaml -- Name: Inspection fields - File: common/ASimInspectionFields.yaml # Entities - Name: Dvc
From 7767a305633259f6a49ded33dc144715729b4455 Mon Sep 17 00:00:00 2001
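Review bot: In ASimRegistryEvent.yaml the description of RegistryPreviousValue says "the original value type", which repeats RegistryPreviousValueType; by analogy with RegistryValue and its `Example: Path` it should describe the value itself, e.g. `Description: For operations that modify the registry, the original registry value.` A parser author who follows the text as written may put a type string in this field, and queries that compare the previous and new value would then quietly return nothing. The first References entry is also titled `ASIM DHCP Schema` while linking to ASimRegistryEventDoc, so it should be retitled, e.g. `Title: ASIM Registry Event Schema`.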
From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Sun, 10 Sep 2023 17:12:17 +0530 Subject: [PATCH 3/9] removing target user from file --- ASIM/schemas/ASimFileEvent.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/ASIM/schemas/ASimFileEvent.yaml b/ASIM/schemas/ASimFileEvent.yaml index e4ac9d7dc0b..6543472b346 100644 --- a/ASIM/schemas/ASimFileEvent.yaml +++ b/ASIM/schemas/ASimFileEvent.yaml @@ -25,9 +25,6 @@ Include: File: entities/ASimDvc.yaml - Name: Actor entity File: entities/ASimActor.yaml -- Name: Target user entity - File: entities/ASimUser.yaml - Role: Target - Name: Target application entity File: entities/ASimApp.yaml Role: Target From bfe1de92c57fb4ebff54ae7de7d41878174a09c9 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Mon, 11 Sep 2023 13:47:39 +0530 Subject: [PATCH 4/9] GeoLongitude type change --- ASIM/schemas/entities/ASimSystem.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ASIM/schemas/entities/ASimSystem.yaml b/ASIM/schemas/entities/ASimSystem.yaml index d262d4802f8..b5af881fd85 100644 --- a/ASIM/schemas/entities/ASimSystem.yaml +++ b/ASIM/schemas/entities/ASimSystem.yaml @@ -94,12 +94,12 @@ Fields: Description: The country associated with the IP address. - Name: <>GeoLatitude - Type: real + Type: Double Class: Optional Description: The latitude of the geographical coordinate associated with the IP address. - Name: <>GeoLongitude - Type: real + Type: Double Class: Optional DstDescription: The longitude of the geographical coordinate associated with the IP address. From 750e3787afcf9c5af1eb1944bcdc5d39030aadae Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Tue, 12 Sep 2023 10:27:53 +0530 Subject: [PATCH 5/9] adding inspection fields --- ASIM/schemas/ASimDHCPEvent.yaml | 2 ++ ASIM/schemas/ASimRegistryEvent.yaml | 2 ++ ASIM/schemas/ASimUserManagement.yaml | 2 ++ 3 files changed, 6 insertions(+) 
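Review bot: In the ASimSystem.yaml hunk the GeoLongitude entry keeps the key `DstDescription:` on the context line right after the changed `Type: Double`, whereas GeoLatitude uses `Description:`; this looks like a typo that leaves GeoLongitude without a description and could be fixed in the same commit as `Description: The longitude of the geographical coordinate associated with the IP address.` The new type is also spelled `Double` with a capital, while the value it replaces was lowercase `real` and the other schema files in this series use lowercase `string`; it is worth confirming that whatever reads these files accepts that spelling. The Fields list continues outside the hunk.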
diff --git a/ASIM/schemas/ASimDHCPEvent.yaml b/ASIM/schemas/ASimDHCPEvent.yaml index 6a3819cbb82..27b140e46ff 100644 --- a/ASIM/schemas/ASimDHCPEvent.yaml +++ b/ASIM/schemas/ASimDHCPEvent.yaml @@ -17,6 +17,8 @@ Include: # Common fields - Name: Event Fields File: common/ASimEventFields.yaml +- Name: Inspection fields + File: common/ASimInspectionFields.yaml # Entities - Name: Dvc diff --git a/ASIM/schemas/ASimRegistryEvent.yaml b/ASIM/schemas/ASimRegistryEvent.yaml index 7a8db84aed6..6a59a3f8109 100644 --- a/ASIM/schemas/ASimRegistryEvent.yaml +++ b/ASIM/schemas/ASimRegistryEvent.yaml @@ -17,6 +17,8 @@ Include: # Common fields - Name: Event Fields File: common/ASimEventFields.yaml +- Name: Inspection fields + File: common/ASimInspectionFields.yaml # Entities - Name: Dvc diff --git a/ASIM/schemas/ASimUserManagement.yaml b/ASIM/schemas/ASimUserManagement.yaml index 937e5f77e32..78d322b889d 100644 --- a/ASIM/schemas/ASimUserManagement.yaml +++ b/ASIM/schemas/ASimUserManagement.yaml @@ -17,6 +17,8 @@ Include: # Common fields - Name: Event Fields File: common/ASimEventFields.yaml +- Name: Inspection fields + File: common/ASimInspectionFields.yaml # Entities - Name: Dvc From 90802964d40c5bef9de03697c4077068d3020ccc Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Tue, 12 Sep 2023 10:32:06 +0530 Subject: [PATCH 6/9] Fixing date format --- ASIM/schemas/ASimDHCPEvent.yaml | 2 +- ASIM/schemas/ASimFileEvent.yaml | 2 +- ASIM/schemas/ASimRegistryEvent.yaml | 2 +- ASIM/schemas/ASimUserManagement.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ASIM/schemas/ASimDHCPEvent.yaml b/ASIM/schemas/ASimDHCPEvent.yaml index 27b140e46ff..2c608a64a05 100644 --- a/ASIM/schemas/ASimDHCPEvent.yaml +++ b/ASIM/schemas/ASimDHCPEvent.yaml @@ -1,7 +1,7 @@ Schema: Schema: Dhcp Version: '0.1.0' - Last Updated: 10 Sept 2023 + Last Updated: Sept 12 2023 References: - Title: ASIM DHCP Schema Link: https://aka.ms/ASimDhcpDoc 
diff --git a/ASIM/schemas/ASimFileEvent.yaml b/ASIM/schemas/ASimFileEvent.yaml index 6543472b346..2ff38e7e1f5 100644 --- a/ASIM/schemas/ASimFileEvent.yaml +++ b/ASIM/schemas/ASimFileEvent.yaml @@ -1,7 +1,7 @@ Schema: Schema: FileEvent Version: '0.2.1' - Last Updated: Dec 27, 2022 + Last Updated: Sept 12 2023 References: - Title: ASIM File Event Schema Link: https://aka.ms/ASimFileEventDoc diff --git a/ASIM/schemas/ASimRegistryEvent.yaml b/ASIM/schemas/ASimRegistryEvent.yaml index 6a59a3f8109..e5c977b66db 100644 --- a/ASIM/schemas/ASimRegistryEvent.yaml +++ b/ASIM/schemas/ASimRegistryEvent.yaml @@ -1,7 +1,7 @@ Schema: Schema: RegistryEvent Version: '0.1.0' - Last Updated: 10 Sept 2023 + Last Updated: Sept 12 2023 References: - Title: ASIM DHCP Schema Link: https://aka.ms/ASimRegistryEventDoc diff --git a/ASIM/schemas/ASimUserManagement.yaml b/ASIM/schemas/ASimUserManagement.yaml index 78d322b889d..bf09335b1e4 100644 --- a/ASIM/schemas/ASimUserManagement.yaml +++ b/ASIM/schemas/ASimUserManagement.yaml @@ -1,7 +1,7 @@ Schema: Schema: User Management Version: '0.1.1' - Last Updated: 18 Jul, 2023 + Last Updated: Sept 12 2023 References: - Title: ASIM Authentication Schema Link: https://aka.ms/ASimUserManagementDoc From 8c06be580c81c91bc8650906170ff08ae5e96121 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Tue, 12 Sep 2023 10:34:38 +0530 Subject: [PATCH 7/9] changing version --- ASIM/schemas/ASimFileEvent.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ASIM/schemas/ASimFileEvent.yaml b/ASIM/schemas/ASimFileEvent.yaml index 2ff38e7e1f5..f42992825cd 100644 --- a/ASIM/schemas/ASimFileEvent.yaml +++ b/ASIM/schemas/ASimFileEvent.yaml @@ -1,6 +1,6 @@ Schema: Schema: FileEvent - Version: '0.2.1' + Version: '0.2.2' Last Updated: Sept 12 2023 References: - Title: ASIM File Event Schema From cccec0b7e567a0e9483406683c094a6a171eb282 Mon Sep 17 00:00:00 2001 
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Tue, 12 Sep 2023 12:23:03 +0530
Subject: [PATCH 8/9] added inspection fields in tester.csv
---
 ASIM/dev/ASimTester/ASimTester.csv | 42 ++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index ad67f24de97..82fdba506a5 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -812,16 +812,25 @@ Rule,string,Optional,Dns,,,
 Rule,string,Optional,FileEvent,,,
 Rule,string,Optional,NetworkSession,,,
 Rule,string,Optional,WebSession,,,
+Rule,string,Alias,RegistryEvent,,,RuleName
+Rule,string,Alias,UserManagement,,,RuleName
+Rule,string,Alias,Dhcp,,,RuleName
 RuleName,string,Optional,AuditEvent,,,
 RuleName,string,Optional,Authentication,,,
 RuleName,string,Optional,Dns,,,
 RuleName,string,Optional,FileEvent,,,
 RuleName,string,Optional,WebSession,,,
+RuleName,string,Optional,RegistryEvent,,,
+RuleName,string,Optional,UserManagement,,,
+RuleName,string,Optional,Dhcp,,,
 RuleNumber,int,Optional,AuditEvent,,,
 RuleNumber,int,Optional,Authentication,,,
 RuleNumber,int,Optional,Dns,,,
 RuleNumber,int,Optional,FileEvent,,,
 RuleNumber,int,Optional,WebSession,,,
+RuleNumber,int,Optional,RegistryEvent,,,
+RuleNumber,int,Optional,UserManagement,,,
+RuleNumber,int,Optional,Dhcp,,,
 SessionId,string,Alias,Dhcp,,,DhcpSessionId
 SessionId,string,Alias,Dns,,,DnsSessionId
 SessionId,string,Alias,NetworkSession,,,NetworkSessionId
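Review bot: The three added `Rule` rows declare the field as an alias of RuleName (`Rule,string,Alias,RegistryEvent,,,RuleName`), while the neighbouring context rows for FileEvent, NetworkSession and WebSession declare `Rule` as `Optional` with no alias target. One of the two forms is presumably wrong, and if `Rule` is meant to be an alias everywhere the existing rows should be changed in the same commit so the tester applies the same check to every schema. The added rows in this hunk, and in the later hunks of this file, are also appended after WebSession rather than placed in the alphabetical schema order the existing rows follow.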
@@ -1170,18 +1179,27 @@ ThreatCategory,string,Optional,Dns,,,
 ThreatCategory,string,Optional,FileEvent,,,
 ThreatCategory,string,Optional,NetworkSession,,,
 ThreatCategory,string,Optional,WebSession,,,
+ThreatCategory,string,Optional,RegistryEvent,,,
+ThreatCategory,string,Optional,UserManagement,,,
+ThreatCategory,string,Optional,Dhcp,,,
 ThreatConfidence,int,Optional,AuditEvent,ConfidenceLevel,,
 ThreatConfidence,int,Optional,Authentication,ConfidenceLevel,,
 ThreatConfidence,int,Optional,Dns,ConfidenceLevel,,
 ThreatConfidence,int,Optional,FileEvent,,,
 ThreatConfidence,int,Optional,NetworkSession,,,
 ThreatConfidence,int,Optional,WebSession,,,
+ThreatConfidence,int,Optional,RegistryEvent,,,
+ThreatConfidence,int,Optional,UserManagement,,,
+ThreatConfidence,int,Optional,Dhcp,,,
 ThreatField,string,Conditional,AuditEvent,Enumerated,,ThreatIpAddr
 ThreatField,string,Conditional,FileEvent,Enumerated,,ThreatFilePath
 ThreatField,string,Conditional,NetworkSession,Enumerated,,ThreatIpAddr
 ThreatField,string,Optional,Authentication,,,
 ThreatField,string,Optional,Dns,,,
 ThreatField,string,Optional,WebSession,,,
+ThreatField,string,Optional,RegistryEvent,,,
+ThreatField,string,Optional,UserManagement,,,
+ThreatField,string,Optional,Dhcp,,,
 ThreatFilePath,string,Optional,FileEvent,string,,
 ThreatFirstReportedTime,datetime,Optional,AuditEvent,,,
 ThreatFirstReportedTime,datetime,Optional,Authentication,,,
@@ -1189,12 +1207,18 @@ ThreatFirstReportedTime,datetime,Optional,Dns,,,
 ThreatFirstReportedTime,datetime,Optional,FileEvent,,,
 ThreatFirstReportedTime,datetime,Optional,NetworkSession,,,
 ThreatFirstReportedTime,datetime,Optional,WebSession,,,
+ThreatFirstReportedTime,datetime,Optional,RegistryEvent,,,
+ThreatFirstReportedTime,datetime,Optional,UserManagement,,,
+ThreatFirstReportedTime,datetime,Optional,Dhcp,,,
 ThreatId,string,Optional,AuditEvent,,,
 ThreatId,string,Optional,Authentication,,,
 ThreatId,string,Optional,Dns,,,
 ThreatId,string,Optional,FileEvent,,,
 ThreatId,string,Optional,NetworkSession,,,
 ThreatId,string,Optional,WebSession,,,
+ThreatId,string,Optional,RegistryEvent,,,
+ThreatId,string,Optional,UserManagement,,,
+ThreatId,string,Optional,Dhcp,,,
 ThreatIpAddr,string,Optional,AuditEvent,IP Address,,
 ThreatIpAddr,string,Optional,Authentication,IP Address,,
 ThreatIpAddr,string,Optional,Dns,IP Address,,
@@ -1206,36 +1230,54 @@ ThreatIsActive,bool,Optional,Dns,,,
 ThreatIsActive,bool,Optional,FileEvent,,,
 ThreatIsActive,bool,Optional,NetworkSession,,,
 ThreatIsActive,bool,Optional,WebSession,,,
+ThreatIsActive,bool,Optional,RegistryEvent,,,
+ThreatIsActive,bool,Optional,UserManagement,,,
+ThreatIsActive,bool,Optional,Dhcp,,,
 ThreatLastReportedTime,datetime,Optional,AuditEvent,,,
 ThreatLastReportedTime,datetime,Optional,Authentication,,,
 ThreatLastReportedTime,datetime,Optional,Dns,,,
 ThreatLastReportedTime,datetime,Optional,FileEvent,,,
 ThreatLastReportedTime,datetime,Optional,NetworkSession,,,
 ThreatLastReportedTime,datetime,Optional,WebSession,,,
+ThreatLastReportedTime,datetime,Optional,RegistryEvent,,,
+ThreatLastReportedTime,datetime,Optional,UserManagement,,,
+ThreatLastReportedTime,datetime,Optional,Dhcp,,,
 ThreatName,string,Optional,AuditEvent,,,
 ThreatName,string,Optional,Authentication,,,
 ThreatName,string,Optional,Dns,,,
 ThreatName,string,Optional,FileEvent,,,
 ThreatName,string,Optional,NetworkSession,,,
 ThreatName,string,Optional,WebSession,,,
+ThreatName,string,Optional,RegistryEvent,,,
+ThreatName,string,Optional,UserManagement,,,
+ThreatName,string,Optional,Dhcp,,,
 ThreatOriginalConfidence,string,Optional,AuditEvent,,,
 ThreatOriginalConfidence,string,Optional,Authentication,,,
 ThreatOriginalConfidence,string,Optional,Dns,,,
 ThreatOriginalConfidence,string,Optional,FileEvent,,,
 ThreatOriginalConfidence,string,Optional,NetworkSession,,,
 ThreatOriginalConfidence,string,Optional,WebSession,,,
+ThreatOriginalConfidence,string,Optional,RegistryEvent,,,
+ThreatOriginalConfidence,string,Optional,UserManagement,,,
+ThreatOriginalConfidence,string,Optional,Dhcp,,,
 ThreatOriginalRiskLevel,string,Optional,AuditEvent,,,
 ThreatOriginalRiskLevel,string,Optional,Authentication,,,
 ThreatOriginalRiskLevel,string,Optional,Dns,,,
 ThreatOriginalRiskLevel,string,Optional,FileEvent,,,
 ThreatOriginalRiskLevel,string,Optional,NetworkSession,,,
 ThreatOriginalRiskLevel,string,Optional,WebSession,,,
+ThreatOriginalRiskLevel,string,Optional,RegistryEvent,,,
+ThreatOriginalRiskLevel,string,Optional,UserManagement,,,
+ThreatOriginalRiskLevel,string,Optional,Dhcp,,,
 ThreatRiskLevel,int,Optional,AuditEvent,RiskLevel,,
 ThreatRiskLevel,int,Optional,Authentication,RiskLevel,,
 ThreatRiskLevel,int,Optional,Dns,RiskLevel,,
 ThreatRiskLevel,int,Optional,FileEvent,RiskLevel,,
 ThreatRiskLevel,int,Optional,NetworkSession,RiskLevel,,
 ThreatRiskLevel,int,Optional,WebSession,RiskLevel,,
+ThreatRiskLevel,int,Optional,RegistryEvent,,,
+ThreatRiskLevel,int,Optional,UserManagement,,,
+ThreatRiskLevel,int,Optional,Dhcp,,,
 TimeGenerated,datetime,Mandatory,AuditEvent,,,
 TimeGenerated,datetime,Mandatory,Authentication,,,
 TimeGenerated,datetime,Mandatory,Common,,,
From 18b8b779d937cf20ac11b01a639faf1949be35a1 Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Wed, 13 Sep 2023 15:39:00 +0530
Subject: [PATCH 9/9] removing quotes from arrary
---
 ASIM/schemas/ASimDHCPEvent.yaml | 2 +-
 ASIM/schemas/ASimRegistryEvent.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ASIM/schemas/ASimDHCPEvent.yaml b/ASIM/schemas/ASimDHCPEvent.yaml
index 2c608a64a05..620b6d26acc 100644
--- a/ASIM/schemas/ASimDHCPEvent.yaml
+++ b/ASIM/schemas/ASimDHCPEvent.yaml
@@ -36,7 +36,7 @@ Fields: Type: string Class: Mandatory Logical type: Enumerated - List of values: [ 'Assign', 'Renew', 'Release', 'DNS Update' ] + List of values: [ Assign, Renew, Release, DNS Update ] Description: Indicate the operation reported by the record. - Name: EventSchema
diff --git a/ASIM/schemas/ASimRegistryEvent.yaml b/ASIM/schemas/ASimRegistryEvent.yaml
index e5c977b66db..6109f3769ec 100644
--- a/ASIM/schemas/ASimRegistryEvent.yaml
+++ b/ASIM/schemas/ASimRegistryEvent.yaml
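Review bot: The added `ThreatRiskLevel` rows for RegistryEvent, UserManagement and Dhcp in ASimTester.csv leave the logical-type column empty, while every existing ThreatRiskLevel row in this hunk carries `RiskLevel`; without it the tester presumably skips the value check for the three new schemas. They should read `ThreatRiskLevel,int,Optional,RegistryEvent,RiskLevel,,` and likewise for UserManagement and Dhcp. The `ThreatConfidence` rows added in the hunk at -1170 have the same gap relative to the AuditEvent, Authentication and Dns rows that carry `ConfidenceLevel`. No `ThreatIpAddr` rows are added for the three schemas either (in the hunk at -1189 those rows appear only as context), so it is worth checking whether that omission is intended.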
@@ -38,7 +38,7 @@ Fields: Type: string Class: Mandatory Logical type: Enumerated - List of values: [ 'RegistryKeyCreated', 'RegistryKeyDeleted', 'RegistryKeyRenamed', 'RegistryValueDeleted', 'RegistryValueSet' ] + List of values: [ RegistryKeyCreated, RegistryKeyDeleted, RegistryKeyRenamed, RegistryValueDeleted, RegistryValueSet ] Description: Describes the operation reported by the record. - Name: EventSchema