Merge pull request #967 from maxhotta/discovery-eoc

Refactoring Discovery EOC event classes (issue 958)

CHANGELOG.md

@@ -96,6 +96,23 @@ Thankyou! -->
     7. Added `Device Config Sate Change` event class. #914
     8. Added `Scan Activity` event class. #915
     9. Added `File Hosting Activity` event class. #917
+    10. Added `File Query` event class. #967
+    11. Added `Folder Query` event class. #967
+    12. Added `Group Query` event class. #967
+    13. Added `Job Query` event class. #967
+    14. Added `Kernel Object Query` event class. #967
+    15. Added `Module Query` event class. #967
+    16. Added `Network Connection Query` event class. #967
+    17. Added `Networks Query` event class. #967
+    18. Added `Peripheral Device Query` event class. #967
+    19. Added `Prefetch Query` event class. #967
+    20. Added `Process Query` event class. #967
+    21. Added `Registry Key Query` event class. #967
+    22. Added `Registry Value Query` event class. #967
+    23. Added `Service Query` event class. #967
+    24. Added `Session Query` event class. #967
+    25. Added `Startup Application Query` event class. #967
+    26. Added `User Query` event class. #967
 
 * #### Profiles
 	1. Added `Network Proxy` Profile for the `Network Activity` and `Application Activity` classes. #705 

dictionary.json

@@ -3152,6 +3152,43 @@
       "description": "The query info object holds information related to data access within a datastore. To access, manipulate, delete, or retrieve data from a datastore, a database query must be written using a specific syntax.",
       "type": "query_info"
     },
+    "query_result": {
+      "caption": "Query Result",
+      "description": "The result of the query.",
+      "type": "string_t"
+    },
+    "query_result_id": {
+      "caption": "Query Result ID",
+      "description": "The normalized identifier of the query result.",
+      "enum": {
+        "1": {
+          "caption": "Exists",
+          "description": "The target was found."
+        },
+        "2": {
+          "caption": "Partial",
+          "description": "The target was partially found."
+        },
+        "3": {
+          "caption": "Does not exist",
+          "description": "The target was not found."
+        },
+        "4": {
+          "caption": "Error",
+          "description": "The discovery attempt failed."
+        },
+        "5": {
+          "caption": "Unsupported",
+          "description": "Discovery of the target was not supported."
+        },
+        "99": {
+          "caption": "Other",
+          "description": "The query result is not mapped. See the <code>query_result</code> attribute, which contains a data source specific value."
+        }
+      },
+      "type": "integer_t",
+      "sibling": "query_result"
+    },
     "query_string": {
       "caption": "HTTP Query String",
       "description": "The query portion of the URL. For example: the query portion of the URL <code>http://www.example.com/search?q=bad&sort=date</code> is <code>q=bad&sort=date</code>.",

events/discovery/discovery_result.json

@@ -14,26 +14,23 @@
     "activity_id": {
       "enum": {
         "1": {
-          "caption": "Exists",
-          "description": "The target was found."
-        },
-        "2": {
-          "caption": "Partial",
-          "description": "The target was partially found."
-        },
-        "3": {
-          "caption": "Does not exist",
-          "description": "The target was not found."
-        },
-        "4": {
-          "caption": "Error",
-          "description": "The discovery attempt failed."
-        },
-        "5": {
-          "caption": "Unsupported",
-          "description": "Discovery of the target was not supported."
+          "caption": "Query",
+          "description": "The discovered results are via a query request."
         }
       }
+    },
+    "query_info": {
+      "description": "The search details associated with the query request.",
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "query_result": {
+      "group": "primary",
+      "requirement": "recommended"
+    },
+    "query_result_id": {
+      "group": "primary",
+      "requirement": "required"
     }
   }
 }

events/discovery/file_info.json → events/discovery/file_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "File Info",
-  "description": "File Info events report information about files that are present on the system.",
+  "caption": "File Query",
+  "description": "File Query events report information about files that are present on the system.",
   "extends": "discovery_result",
-  "name": "file_info",
+  "name": "file_query",
   "uid": 7,
   "attributes": {
     "file": {

events/discovery/folder_info.json → events/discovery/folder_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Folder Info",
-  "description": "Folder Info events report information about folders that are present on the system.",
+  "caption": "Folder Query",
+  "description": "Folder Query events report information about folders that are present on the system.",
   "extends": "discovery_result",
-  "name": "folder_info",
+  "name": "folder_query",
   "uid": 8,
   "attributes": {
     "folder": {

events/discovery/group_info.json → events/discovery/group_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Admin Group Info",
-  "description": "Group Info events report information about administrative groups.",
+  "caption": "Admin Group Query",
+  "description": "Admin Group Query events report information about administrative groups.",
   "extends": "discovery_result",
-  "name": "admin_group_info",
+  "name": "admin_group_query",
   "uid": 9,
   "attributes": {
     "group": {

events/discovery/job_info.json → events/discovery/job_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Job Info",
-  "description": "Job Info events report information about scheduled jobs.",
+  "caption": "Job Query",
+  "description": "Job Query events report information about scheduled jobs.",
   "extends": "discovery_result",
-  "name": "job_info",
+  "name": "job_query",
   "uid": 10,
   "attributes": {
     "job": {

events/discovery/kernel_object_info.json → events/discovery/kernel_object_query.json

@@ -1,8 +1,8 @@
 {
-  "description": "Kernel Object Info events report information about discovered kernel resources.",
+  "caption": "Kernel Object Query",
+  "description": "Kernel Object Query events report information about discovered kernel resources.",
   "extends": "discovery_result",
-  "caption": "Kernel Object Info",
-  "name": "kernel_object_info",
+  "name": "kernel_object_query",
   "uid": 6,
   "attributes": {
     "kernel": {

events/discovery/module_info.json → events/discovery/module_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Module Info",
-  "description": "Module Info events report information about loaded modules.",
+  "caption": "Module Query",
+  "description": "Module Query events report information about loaded modules.",
   "extends": "discovery_result",
-  "name": "module_info",
+  "name": "module_query",
   "uid": 11,
   "attributes": {
     "module": {

events/discovery/network_connection_info.json → events/discovery/network_connection_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Network Connection Info",
-  "description": "Network Connection Info events report information about active network connections.",
+  "caption": "Network Connection Query",
+  "description": "Network Connection Query events report information about active network connections.",
   "extends": "discovery_result",
-  "name": "network_connection_info",
+  "name": "network_connection_query",
   "uid": 12,
   "attributes": {
     "connection_info": {
@@ -17,11 +17,12 @@
     "state": {
       "description": "The state of the socket, normalized to the caption of the state_id value. In the case of 'Other', it is defined by the event source.",
       "requirement": "recommended",
-      "group": "primary"
+      "group":"primary"
     },
     "state_id": {
       "description": "The state of the socket.",
       "requirement": "required",
+      "group": "primary",
       "enum": {
         "0": {
           "caption": "Unknown",
@@ -71,8 +72,7 @@
           "caption": "CLOSING",
           "description": "The socket connection has been closed by the local application and the remote peer simultaneously, and the remote peer has not yet acknowledged the close attempt of the local application."
         }
-      },
-      "group": "primary"
+      }
     }
   }
 }

events/discovery/networks_info.json → events/discovery/networks_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Networks Info",
-  "description": "Networks Info events report information about network adapters.",
+  "caption": "Networks Query",
+  "description": "Networks Query events report information about network adapters.",
   "extends": "discovery_result",
-  "name": "networks_info",
+  "name": "networks_query",
   "uid": 13,
   "attributes": {
     "network_interfaces": {

events/discovery/peripheral_device_query.json

@@ -0,0 +1,13 @@
+{
+  "caption": "Peripheral Device Query",
+  "description": "Peripheral Device Query events report information about peripheral devices.",
+  "extends": "discovery_result",
+  "name": "peripheral_device_query",
+  "uid": 14,
+  "attributes": {
+    "peripheral_device": {
+      "group": "primary",
+      "requirement": "required"
+    }
+  }
+}

events/discovery/process_info.json → events/discovery/process_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Process Info",
-  "description": "Process Info events report information about running processes.",
+  "caption": "Process Query",
+  "description": "Process Query events report information about running processes.",
   "extends": "discovery_result",
-  "name": "process_info",
+  "name": "process_query",
   "uid": 15,
   "attributes": {
     "process": {

events/discovery/service_info.json → events/discovery/service_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Service Info",
-  "description": "Service Info events report information about running services.",
+  "caption": "Service Query",
+  "description": "Service Query events report information about running services.",
   "extends": "discovery_result",
-  "name": "service_info",
+  "name": "service_query",
   "uid": 16,
   "attributes": {
     "service": {

events/discovery/session_query.json

@@ -0,0 +1,13 @@
+{
+  "caption": "User Session Query",
+  "description": "User Session Query events report information about existing user sessions.",
+  "extends": "discovery_result",
+  "name": "session_query",
+  "uid": 17,
+  "attributes": {
+    "session": {
+      "requirement": "required",
+      "group": "primary"
+    }
+  }
+}

events/discovery/user_query.json

@@ -0,0 +1,13 @@
+{
+  "caption": "User Query",
+  "description": "User Query events report user data that have been discovered, queried, polled or searched. This event differs from User Inventory as it describes the result of a targeted search by filtering a subset of user attributes.",
+  "extends": "discovery_result",
+  "name": "user_query",
+  "uid": 18,
+  "attributes": {
+    "user": {
+      "group": "primary",
+      "requirement": "required"
+    }
+  }
+}

extensions/macos/events/startup_app_query.json

@@ -0,0 +1,13 @@
+{
+  "caption": "Startup Application Query",
+  "description": "Startup Application Query events report information about startup applications.",
+  "extends": "discovery_result",
+  "name": "startup_app_query",
+  "uid": 19,
+  "attributes": {
+    "startup_app": {
+      "group": "primary",
+      "requirement": "required"
+    }
+  }
+}

extensions/windows/events/prefetch_info.json → extensions/windows/events/prefetch_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Prefetch Info",
-  "description": "Prefetch Info events report information about Windows prefetch files.",
+  "caption": "Prefetch Query",
+  "description": "Prefetch Query events report information about Windows prefetch files.",
   "extends": "discovery_result",
-  "name": "prefetch_info",
+  "name": "prefetch_query",
   "uid": 19,
   "attributes": {
     "last_run_time": {

extensions/windows/events/registry_key_info.json → extensions/windows/events/registry_key_query.json

@@ -1,8 +1,8 @@
 {
-  "caption": "Registry Key Info",
-  "description": "Registry Key Info events report information about discovered Windows registry keys.",
+  "caption": "Registry Key Query",
+  "description": "Registry Key Query events report information about discovered Windows registry keys.",
   "extends": "discovery_result",
-  "name": "registry_key_info",
+  "name": "registry_key_query",
   "uid": 4,
   "attributes": {
     "reg_key": {