Adding the Startup Application Query event class in the discovery category. #1119
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…s used to report startup applications on endpoint devices.
maxhotta
added
discovery
maxhotta
requested review from
floydtree,
pagbabian-splunk,
Aniak5,
mikeradka and
zschmerber
as code owners
Signed-off-by: maxhotta <[email protected]>
davemcatcisco
requested changes
Jun 26, 2024
There was a problem hiding this comment.
I have a number of concerns about this PR:
- If scheduled tasks/jobs are a supported startup application type (and they seem to be because
Scheduledis one of the values instart_type_id) then thefileandcmd_lineattributes should not berequiredandrecommendedrespectively because Windows scheduled tasks don't necessarily have an associated executable file or command line. Also, thetype_idenum should have an entry for a scheduled task/job. - Is there a reason why
run_modeisn'trun_mode_idwith a correspondingrun_modecompanion attribute? start_type_idshould cross-referencestart_typein itssiblingproperty.- Instead of having attributes like
start_type_id,cmd_line,file,run_state_id, etc. thestartup_appobject could (should?) reuse existing object types that describe the same properties of the relevent entities. For example,startup_appcould have awin_serviceattribute that would apply when thetype_idisService. It could have aschedule_jobattribute that would apply when thetype_idisScheduled Job. This would avoid thestartup_appobject having lots of required attributes that don't make sense for certain values oftype_id.
|
@davemcatcisco Per further discussion on your point 4, the consensus was to use a 'just one' constraint on the different types that the startup_app could be, and add objects (as you suggest) to model the startup_app type. I will revise, and post an update with these changes. |
- Add objects that map to items in type_id - Include a just_one clause for these objects - Updated run_mode for consistency
# Conflicts: # CHANGELOG.md
Signed-off-by: maxhotta <[email protected]>
|
Incorporated most items, except for adding the win_service object as one of the options for the target startup application. |
floydtree
requested changes
Jul 23, 2024
|
I've fixed the schema validation issue by 'patching' the startup_app object in windows extensions (per committee discussion). There was an issue in defining the constraints in the patched startup_app object which includes win_service. To address this, I've defined win_service and its corresponding constraint in the core startup_app object. |
davemcatcisco
requested changes
Jul 24, 2024
floydtree
added
v1.4.0
rmouritzen-splunk
requested changes
Aug 15, 2024
rmouritzen-splunk
previously approved these changes
Aug 20, 2024
…ts with a new event added in main)
floydtree
previously approved these changes
Aug 27, 2024
mikeradka
previously approved these changes
Aug 27, 2024
floydtree
approved these changes
Aug 28, 2024
pagbabian-splunk
approved these changes
Sep 3, 2024
davemcatcisco
approved these changes
Sep 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Startup Application Query class captures the results of a discovery on target devices.
This class was refactored from a previous submission, while incorporating feedback from Paul.
Description of changes:
Made the Startup Application object more clear by factoring out unrelated items in the type_id list.
The list now describes only the type of application.
A run_mode attribute was added as an array to capture the other items.
Also added a run_state to capture the state of the application at the time the event was logged.