From 2b3aa1c1623889e1789e328c81bf9ab0c5f9c96d Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Mon, 18 Sep 2023 16:02:59 -0700
Subject: [PATCH 1/2] Added support for the Logger object, including the loggers attribute, transmit_time, and added to the Metadata object for cases where events travel across multiple hops.
Signed-off-by: Paul Agbabian
---
 objects/logger.json | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 objects/logger.json
diff --git a/objects/logger.json b/objects/logger.json
new file mode 100644
index 000000000..c0c84c060
--- /dev/null
+++ b/objects/logger.json
@@ -0,0 +1,45 @@
+{
+ "caption": "Logger",
+ "description": "The Logger object represents the device and product where events are stored with times for receipt and transmission. This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.",
+ "name": "logger",
+ "extends": "_entity",
+ "attributes": {
+ "device": {
+ "description": "The device where the events are logged.",
+ "requirement": "recommended"
+ },
+ "log_level": {
+ "requirement": "optional"
+ },
+ "log_name": {
+ "requirement": "recommended"
+ },
+ "log_provider": {
+ "requirement": "recommended"
+ },
+ "log_version": {
+ "requirement": "optional"
+ },
+ "logged_time": {},
+ "name": {
+ "description": "The name of the logging product instance.",
+ "requirement": "recommended"
+ },
+ "product": {
+ "description": "The product logging the event. This may be the event source product, a management server product, a scanning product, a SIEM, etc.",
+ "requirement": "recommended"
+ },
+ "transmit_time": {
+ "description": "The time when the event was transmitted from the logging device to it's next destination",
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "The unique identifier of the logging product instance.",
+ "requirement": "recommended"
+ },
+ "version": {
+ "description": "The version of the logging product.",
+ "requirement": "optional"
+ }
+ }
+}
\ No newline at end of file
From c5f9e863eb9c5515af7f036a2f0fb39e5af6ac0c Mon Sep 17 00:00:00 2001
From: Paul Agbabian
Date: Mon, 18 Sep 2023 16:05:13 -0700
Subject: [PATCH 2/2] Added the loggers array attribute to dictionary, along with transmit_time. Added the loggers attribute to Metadata.
Signed-off-by: Paul Agbabian
---
 dictionary.json | 11 +++++++++++
 objects/metadata.json | 1 +
 2 files changed, 12 insertions(+)
diff --git a/dictionary.json b/dictionary.json
index 0b9452051..4f27107cd 100644
--- a/dictionary.json
+++ b/dictionary.json
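Review bot: `logged_time` is declared as an empty `{}` inside `attributes`, so it carries no requirement level and presumably falls back to the dictionary default, while the object description promises "times for receipt and transmission" — for a per-hop provenance record the receipt time is the value an analyst most needs to reconstruct the chain, so it should be at least recommended: `"logged_time": { "description": "The time when this logger received and stored the event.", "requirement": "recommended" }`. The `transmit_time` description also has "it's" for "its" and no terminal period: `"description": "The time when the event was transmitted from the logging device to its next destination."`. Both timestamps come from hop-local clocks, so a short note that they are not guaranteed to be monotonic across hops would stop consumers from ordering loggers by time alone. The file is also committed without a trailing newline.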
@@ -1935,6 +1935,12 @@ "description": "

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.", "type": "timestamp_t" }, + "loggers": { + "caption": "Loggers", + "description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.", + "is_array": "true", + "type": "logger" + }, "logon_process": { "caption": "Logon Process", "description": "The trusted process that validated the authentication credentials.", @@ -3209,6 +3215,11 @@ "description": "The unique identifier of the transaction.", "type": "string_t" }, + "transmit_time": { + "caption": "Transmission Time", + "description": "The event transmission time from one device to another. See specific usage", + "type": "timestamp_t" + }, "tree_uid": { "caption": "Tree UID", "description": "The tree id is a unique SMB identifier which represents an open connection to a share.", diff --git a/objects/metadata.json b/objects/metadata.json index 201d825d1..fb044e960 100644 --- a/objects/metadata.json +++ b/objects/metadata.json @@ -28,6 +28,7 @@ "modified_time": { "description": "The time when the event was last modified or enriched." }, + "loggers": {}, "original_time": { "requirement": "recommended" },
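Review bot: `"is_array": "true"` in the new `loggers` entry is a JSON string, not the boolean `true`; a schema tool that compares `is_array` against `true` rather than testing truthiness will treat `loggers` as a scalar `logger`, and a string-for-boolean mismatch is exactly the kind of error a generator swallows silently — the other `is_array` entries in this file are outside the hunk, but the value should be `"is_array": true`. The description also leaves the array order undefined, and since per-hop clocks cannot be trusted to sort the chain, element order is the only reliable provenance: `"description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination, listed in the order the event traversed them, from source to destination. Note, this attribute can be used when there is a complex end-to-end path of event flow."`. The enclosing dictionary object starts and ends outside this hunk.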
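Review bot: The `transmit_time` description ends with "See specific usage", which points nowhere a dictionary reader can follow; name the usage directly, e.g. `"description": "The time when the event was transmitted from one logging device to the next. Used by the Logger object to mark the hand-off between hops; compare with logged_time, the receipt time at that hop."`. It would also help to state that this is the sender's clock, since a consumer diffing it against the next hop's `logged_time` to measure pipeline latency would otherwise be comparing unsynchronized clocks without knowing it. The enclosing attributes object continues outside the hunk.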
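Review bot: `"loggers": {},` is inserted between `modified_time` and `original_time`, while the surrounding keys in this hunk are in alphabetical order, so it belongs before `modified_time`; more importantly the empty body gives a Metadata reader no guidance on when to populate a multi-hop `loggers` list versus the single-hop logging fields Metadata may already carry outside this hunk. A one-line description resolves that: `"loggers": { "description": "The chain of loggers the event passed through, in traversal order, when it crossed more than one hop; omit for a single-hop path." }`. The Metadata attributes object starts and ends outside this hunk.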