Merge branch 'main' into add-policies-to-iam-account-change
Signed-off-by: brieger-atlassian <[email protected]>
brieger-atlassian authored Dec 13, 2024
2 parents 7a0950a + 63ddf99 commit 9ea66b4
Showing 18 changed files with 59 additions and 77 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -110,12 +110,17 @@ Thankyou! -->
1. Relaxed requirements on the `http_request` and `http_response` attributes in the `http_activity` event class and added an `at_least_one` constraint with these attributes. #1274
1. Add `host` profile to base_event.json and remove this profile elsewhere in the event hierarchy. #1280
1. Add the `actor` attribute to the IAM base event. #1280

1. Add `policies` to `Account Change` class. #1282
1. Add `security_control` profile to base_event.json and remove this profile elsewhere in the event hierarchy. #1281
1. Add `policies` to `Account Change` class. #1282
1. Add `Unlock` activity to `account_change` class. #1285
* #### Profiles
1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178
1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile. #1178
1. Added `policy` attribute to the `security_control` profile. #1178
1. Added enum values to `action_id` of 'Observed', 'Modified', and 'Unknown'. #1265
1. Update `action_id` optionality to `recommended` in the `security_control` profile #1281
* #### Objects
1. Added `phone_number` to `user` and `ldap_person` objects. #1155
1. Added `has_mfa` to `user` object. #1155
2 changes: 1 addition & 1 deletion dictionary.json
Expand Up @@ -234,7 +234,7 @@
},
"attacks": {
"caption": "MITRE ATT&CK® Details",
"description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
"description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing identified tactics, techniques & sub-techniques.",
"type": "attack",
"is_array": true
},
8 changes: 1 addition & 7 deletions events/application/datastore_activity.json
Expand Up @@ -5,9 +5,6 @@
"extends": "application",
"name": "datastore_activity",
"attributes": {
"$include": [
"profiles/security_control.json"
],
"activity_id": {
"enum": {
"1": {
Expand Down Expand Up @@ -129,8 +126,5 @@
"databucket",
"table"
]
},
"profiles": [
"security_control"
]
}
}
3 changes: 2 additions & 1 deletion events/application/scan_activity.json
Expand Up @@ -101,7 +101,8 @@
"policy": {
"description": "The policy associated with this Scan event; required if the scan was initiated by a policy.",
"group": "primary",
"requirement": "recommended"
"requirement": "recommended",
"profile": null
},
"scan": {
"description": "The Scan object describes characteristics of the scan job.",
6 changes: 2 additions & 4 deletions events/application/web_resources_activity.json
Expand Up @@ -6,8 +6,7 @@
"name": "web_resources_activity",
"attributes": {
"$include": [
"profiles/network_proxy.json",
"profiles/security_control.json"
"profiles/network_proxy.json"
],
"activity_id": {
"enum": {
Expand Down Expand Up @@ -80,7 +79,6 @@
}
},
"profiles": [
"network_proxy",
"security_control"
"network_proxy"
]
}
6 changes: 4 additions & 2 deletions events/base_event.json
Expand Up @@ -8,7 +8,8 @@
"profiles/cloud.json",
"profiles/datetime.json",
"profiles/host.json",
"profiles/osint.json"
"profiles/osint.json",
"profiles/security_control.json"
],
"activity_id": {
"group": "classification",
Expand Down Expand Up @@ -140,6 +141,7 @@
"cloud",
"datetime",
"host",
"osint"
"osint",
"security_control"
]
}
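Review bot: Including `profiles/security_control.json` in the base event overlays that profile's attributes (`action_id`, `attacks`, `policy`, the `confidence*` and `risk_*` fields, `is_alert`, per this commit's changelog entries) onto every class, so any class that defines one of them locally without `"profile": null` has that attribute reassigned from the class to the profile. This commit adds the override in `finding`, `incident_finding`, `security_finding`, `scan_activity` and `account_change`, but nothing in the diff shows that the remaining classes were checked, so please confirm with the schema tooling before release. Both hunks here show only the `$include` and `profiles` lists; the rest of `base_event.json` is outside the view.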
8 changes: 1 addition & 7 deletions events/findings/data_security_finding.json
Expand Up @@ -5,9 +5,6 @@
"extends": "finding",
"name": "data_security_finding",
"attributes": {
"$include": [
"profiles/security_control.json"
],
"activity_id": {
"description": "The normalized identifier of the Data Security Finding activity.",
"requirement": "required",
Expand Down Expand Up @@ -143,8 +140,5 @@
"group": "primary",
"requirement": "recommended"
}
},
"profiles": [
"security_control"
]
}
}
8 changes: 1 addition & 7 deletions events/findings/detection_finding.json
Expand Up @@ -5,9 +5,6 @@
"extends": "finding",
"name": "detection_finding",
"attributes": {
"$include": [
"profiles/security_control.json"
],
"confidence": {
"profile": null,
"group": "context",
Expand Down Expand Up @@ -81,8 +78,5 @@
"group": "context",
"requirement": "optional"
}
},
"profiles": [
"security_control"
]
}
}
9 changes: 6 additions & 3 deletions events/findings/finding.json
Expand Up @@ -32,15 +32,18 @@
},
"confidence": {
"group": "context",
"requirement": "optional"
"requirement": "optional",
"profile": null
},
"confidence_id": {
"group": "context",
"requirement": "recommended"
"requirement": "recommended",
"profile": null
},
"confidence_score": {
"group": "context",
"requirement": "optional"
"requirement": "optional",
"profile": null
},
"device": {
"description": "Describes the affected device/host. It can be used in conjunction with <code>Affected Resource(s)</code>. <p> e.g. Specific details about an AWS EC2 instance, that is affected by the Finding.</p>",
12 changes: 8 additions & 4 deletions events/findings/incident_finding.json
Expand Up @@ -39,7 +39,8 @@
"attacks": {
"description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques associated to the Incident.",
"group": "context",
"requirement": "optional"
"requirement": "optional",
"profile": null
},
"comment": {
"description": "Additional user supplied details for updating or closing the incident.",
Expand All @@ -48,15 +49,18 @@
},
"confidence": {
"group": "context",
"requirement": "optional"
"requirement": "optional",
"profile": null
},
"confidence_id": {
"group": "context",
"requirement": "recommended"
"requirement": "recommended",
"profile": null
},
"confidence_score": {
"group": "context",
"requirement": "optional"
"requirement": "optional",
"profile": null
},
"desc": {
"description": "The short description of the Incident.",
26 changes: 17 additions & 9 deletions events/findings/security_finding.json
Expand Up @@ -31,9 +31,10 @@
"requirement": "recommended"
},
"attacks": {
"description": "The attack object describes the technique and associated tactics as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK Matrix<sup>TM</sup></a>.",
"description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques associated to the Finding.",
"group": "context",
"requirement": "optional"
"requirement": "optional",
"profile": null
},
"cis_csc": {
"group": "context",
Expand All @@ -45,16 +46,19 @@
},
"confidence": {
"group": "primary",
"requirement": "recommended"
"requirement": "recommended",
"profile": null
},
"confidence_id": {
"group": "primary",
"requirement": "recommended",
"sibling": "confidence"
"sibling": "confidence",
"profile": null
},
"confidence_score": {
"group": "primary",
"requirement": "recommended"
"requirement": "recommended",
"profile": null
},
"data_sources": {
"group": "context",
Expand Down Expand Up @@ -87,7 +91,8 @@
},
"malware": {
"group": "context",
"requirement": "optional"
"requirement": "optional",
"profile": null
},
"nist": {
"group": "context",
Expand All @@ -103,16 +108,19 @@
},
"risk_level": {
"group": "primary",
"requirement": "recommended"
"requirement": "recommended",
"profile": null
},
"risk_level_id": {
"group": "primary",
"requirement": "recommended",
"sibling": "risk_level"
"sibling": "risk_level",
"profile": null
},
"risk_score": {
"group": "primary",
"requirement": "recommended"
"requirement": "recommended",
"profile": null
},
"state": {
"description": "The normalized state of a security finding.",
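Review bot: The new `attacks` description in the `@@ -31,9 +31,10 @@` hunk reads "associated to the Finding"; the idiomatic phrase is "associated with", so the line should end `... sub-techniques associated with the Finding."`. The same wording appears on the unchanged `attacks` line in `incident_finding.json` and could be aligned in a follow-up. The remaining hunks here only add `"profile": null` overrides, matching the pattern used in `finding.json` and `incident_finding.json`.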
7 changes: 6 additions & 1 deletion events/iam/account_change.json
Expand Up @@ -50,6 +50,10 @@
"11": {
"caption": "MFA Factor Disable",
"description": "An authentication factor was disabled for an account."
},
"12": {
"caption": "Unlock",
"description": "A user account was unlocked."
}
}
},
Expand All @@ -66,6 +70,7 @@
"message": "Use the <code>policies</code> attribute instead.",
"since": "1.4.0"
}
"profile": null
},
"user": {
"description": "The user that was a target of an activity.",
Expand All @@ -77,4 +82,4 @@
"requirement": "recommended"
}
}
}
}
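Review bot: In the `@@ -66,6 +70,7 @@` hunk the closing `}` of the `@deprecated` object is left unchanged and `"profile": null` is inserted directly after it, so as rendered the file contains `}` followed by `"profile": null` with no separating comma, which a strict JSON parser rejects. The context line should become `},` so the block reads `},` / `"profile": null` / `},`. The attribute this belongs to starts above the hunk, so its name is not visible; the deprecation message pointing at `policies` suggests it is `policy`, and the two parents listed in the commit record presumably contributed the deprecation block and the profile override separately, which makes this look like a conflict-resolution artifact.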
8 changes: 1 addition & 7 deletions events/network/email_activity.json
Expand Up @@ -6,9 +6,6 @@
"extends": "base_event",
"name": "email_activity",
"attributes": {
"$include": [
"profiles/security_control.json"
],
"activity_id": {
"requirement": "optional",
"enum": {
Expand Down Expand Up @@ -99,8 +96,5 @@
"group": "primary",
"requirement": "recommended"
}
},
"profiles": [
"security_control"
]
}
}
8 changes: 1 addition & 7 deletions events/network/email_file_activity.json
Expand Up @@ -10,9 +10,6 @@
"since": "1.3.0"
},
"attributes": {
"$include": [
"profiles/security_control.json"
],
"activity_id": {
"requirement": "optional",
"enum": {
Expand All @@ -37,8 +34,5 @@
"group": "primary",
"requirement": "required"
}
},
"profiles": [
"security_control"
]
}
}
8 changes: 1 addition & 7 deletions events/network/email_url_activity.json
Expand Up @@ -10,9 +10,6 @@
"since": "1.3.0"
},
"attributes": {
"$include": [
"profiles/security_control.json"
],
"activity_id": {
"requirement": "optional",
"enum": {
Expand All @@ -37,8 +34,5 @@
"group": "primary",
"requirement": "required"
}
},
"profiles": [
"security_control"
]
}
}
2 changes: 0 additions & 2 deletions events/network/network.json
Expand Up @@ -7,7 +7,6 @@
"attributes": {
"$include": [
"profiles/network_proxy.json",
"profiles/security_control.json",
"profiles/load_balancer.json"
],
"app_name": {
Expand Down Expand Up @@ -53,7 +52,6 @@
},
"profiles": [
"network_proxy",
"security_control",
"load_balancer"
]
}
8 changes: 1 addition & 7 deletions events/system/system.json
Expand Up @@ -13,9 +13,6 @@
]
},
"attributes": {
"$include": [
"profiles/security_control.json"
],
"actor": {
"group": "primary",
"requirement": "required",
Expand All @@ -26,8 +23,5 @@
"requirement": "required",
"profile": null
}
},
"profiles": [
"security_control"
]
}
}
2 changes: 1 addition & 1 deletion profiles/security_control.json
Expand Up @@ -41,7 +41,7 @@
"description": "The action is not mapped. See the <code>action</code> attribute which contains a data source specific value."
}
},
"requirement": "required"
"requirement": "recommended"
},
"attacks": {
"requirement": "optional"
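Review bot: Relaxing `action_id` from `required` to `recommended` lands in the same commit that attaches this profile to every class through `base_event.json`, so an event may now carry the profile's confidence and risk fields without stating what the control actually did. Consumers that branch on `action_id` should treat an absent value as an unknown action rather than inferring the activity was allowed; consider stating that on the profile's `action_id` entry, e.g. `"description": "... When omitted, the action taken by the control is unknown."`. The `action_id` enum begins above the hunk, so only its last entry is visible here.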
