Fix parent_process recursion and add grandparent_process #1158

Closed
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -47,6 +47,7 @@ Thankyou! -->
* #### Objects
1. Added `phone_number` to `user` and `ldap_person` objects. #1155
2. Added `has_mfa` to `user` object. #1155
3. Added `parent_process` and `grandparent_process` as standalone objects, distinct from `process`.

### Misc
1. Added `user.uid` as an Observable type - `type_id: 31`. #1155
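Review bot: the new `Objects` entry (item 3, `Added parent_process and grandparent_process as standalone objects, distinct from process.`) has no PR reference, while the two entries directly above it both end with `#1155`; append `#1158` for consistency. The entry also understates the impact: the old dictionary definition typed `parent_process` as `process` and merely recommended against deep nesting, whereas the new `parent_process` object has no `parent_process` attribute at all, so any existing event that populates `process.parent_process.parent_process` will stop validating. That is a breaking change for producers and deserves a sentence of its own in the changelog, e.g. `process.parent_process is no longer recursive; use grandparent_process or lineage for deeper ancestry.`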
9 changes: 7 additions & 2 deletions dictionary.json
Expand Up @@ -2099,6 +2099,11 @@
"description": "The given or first name of the user.",
"type": "string_t"
},
"grandparent_process": {
"caption": "Grandparent Process",
"description": "The Grandparent Process object signifies the originating process that indirectly initiates a chain of descendant processes. By tracing back through Parent Processes, the Grandparent Process object helps to map out the broader process tree, establishing a clearer picture of process lineage and inheritance.",
"type": "grandparent_process"
},
"group": {
"caption": "Group",
"description": "The group object associated with an entity such as user, policy, or rule.",
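Review bot: the `grandparent_process` description (`the originating process that indirectly initiates a chain of descendant processes`) reads as the root of the process tree rather than the process exactly two levels up, which is what the name and its placement beside `parent_process` imply; say so plainly, e.g. `The parent of this process's parent process, two levels up in the process tree.` The sentence `By tracing back through Parent Processes` is also misleading in this PR, because the new `parent_process` object carries no `parent_process` attribute, so nothing can be traced through it; the grandparent is populated directly on the child process. Finally, the surrounding dictionary entries (`The given or first name of the user.`, `The group object associated with an entity ...`) describe the attribute in one or two sentences; the marketing-style second sentence here can go.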
Expand Down Expand Up @@ -3196,8 +3201,8 @@
},
"parent_process": {
"caption": "Parent Process",
"description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
"type": "process"
"description": "The Parent Process object represents the process that initiates or spawns a new child process. This object tracks the lineage and origin of child processes, providing visibility into the hierarchical structure of process execution.",
"type": "parent_process"
},
"path": {
"caption": "Path",
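Review bot: the deleted sentence (`It is recommended to only populate this field for the first process object, to prevent deep nesting.`) was the only place that told producers about recursion, and the replacement text says nothing about the new structural limit that replaces it. Since `parent_process` now has its own type with no `parent_process` attribute, state that explicitly here, e.g. `The parent process of this process. This object does not itself carry a parent_process; use grandparent_process or lineage on the child process for deeper ancestry.` That also keeps the entry in the same voice as its neighbours, which describe the attribute rather than "The Parent Process object".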
75 changes: 75 additions & 0 deletions objects/grandparent_process.json
@@ -0,0 +1,75 @@
{
"caption": "Grandparent Process",
"description": "The Grandparent Process object signifies the originating process that indirectly initiates a chain of descendant processes. By tracing back through Parent Processes, the Grandparent Process object helps to map out the broader process tree, establishing a clearer picture of process lineage and inheritance. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Process/'>d3f:Process</a>.",
"extends": "_entity",
"name": "grandparent_process",
"profiles": [
"container"
],
"attributes": {
"$include": [
"profiles/container.json"
],
"cmd_line": {
"requirement": "recommended"
},
"created_time": {
"description": "The time when the grandparent process was created/started.",
"requirement": "recommended"
},
"file": {
"description": "the grandparent process file object.",
"requirement": "recommended"
},
"integrity": {
"requirement": "optional"
},
"integrity_id": {
"requirement": "optional"
},
"lineage": {
"requirement": "optional"
},
"loaded_modules": {
"requirement": "optional"
},
"name": {
"description": "The friendly name of the grandparent process, for example: <code>Notepad++</code>.",
"type": "process_name_t"
},
"pid": {
"requirement": "recommended"
},
"sandbox": {
"requirement": "optional"
},
"session": {
"description": "The user session under which this process is running.",
"requirement": "optional"
},
"terminated_time": {
"description": "The time when the grandparent process was terminated.",
"requirement": "optional"
},
"tid": {
"requirement": "optional"
},
"uid": {
"description": "A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process."
},
"user": {
"description": "The user under which this process is running.",
"requirement": "recommended"
},
"xattributes": {
"description": "An unordered collection of zero or more name/value pairs that represent a process extended attribute.",
"requirement": "optional"
}
},
"constraints": {
"at_least_one": [
"pid",
"uid"
]
}
}
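Review bot: this file is a near line-for-line copy of `objects/parent_process.json` (same 75 lines, same attribute set, same `at_least_one: [pid, uid]` constraint), differing only in the captions and the word "grandparent" in four descriptions, so every future attribute change must be made twice and the two will drift. Since both objects `extends` `_entity`, consider having `grandparent_process` extend `parent_process` instead and override only `caption`, `description` and the handful of attribute descriptions that name the grandparent. Two smaller points while you are here: `"description": "the grandparent process file object."` is the only description in the file that starts lowercase, and the `session`, `uid`, `user` and `xattributes` descriptions still say "this process", which in an ancestor object is ambiguous between the grandparent and the child; the `created_time`, `file`, `name` and `terminated_time` descriptions already say "the grandparent process", so the rest should match.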
75 changes: 75 additions & 0 deletions objects/parent_process.json
@@ -0,0 +1,75 @@
{
"caption": "Parent Process",
"description": "The Parent Process object represents the process that initiates or spawns a new child process. This object tracks the lineage and origin of child processes, providing visibility into the hierarchical structure of process execution. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Process/'>d3f:Process</a>.",
"extends": "_entity",
"name": "parent_process",
"profiles": [
"container"
],
"attributes": {
"$include": [
"profiles/container.json"
],
"cmd_line": {
"requirement": "recommended"
},
"created_time": {
"description": "The time when the parent process was created/started.",
"requirement": "recommended"
},
"file": {
"description": "the parent process file object.",
"requirement": "recommended"
},
"integrity": {
"requirement": "optional"
},
"integrity_id": {
"requirement": "optional"
},
"lineage": {
"requirement": "optional"
},
"loaded_modules": {
"requirement": "optional"
},
"name": {
"description": "The friendly name of the parent process, for example: <code>Notepad++</code>.",
"type": "process_name_t"
},
"pid": {
"requirement": "recommended"
},
"sandbox": {
"requirement": "optional"
},
"session": {
"description": "The user session under which this process is running.",
"requirement": "optional"
},
"terminated_time": {
"description": "The time when the parent process was terminated.",
"requirement": "optional"
},
"tid": {
"requirement": "optional"
},
"uid": {
"description": "A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process."
},
"user": {
"description": "The user under which this process is running.",
"requirement": "recommended"
},
"xattributes": {
"description": "An unordered collection of zero or more name/value pairs that represent a process extended attribute.",
"requirement": "optional"
}
},
"constraints": {
"at_least_one": [
"pid",
"uid"
]
}
}
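Review bot: the attribute descriptions are inconsistent about which process they refer to. `created_time`, `file`, `name` and `terminated_time` were rewritten to say "the parent process", but `session` (`The user session under which this process is running.`), `user` (`The user under which this process is running.`), `uid` and `xattributes` still say "this process", which inside a `parent_process` object a reader can take to mean the child. Reword them to "the parent process" as well, and capitalise `"the parent process file object."` to match every other description in the file. The `lineage` attribute is worth a sentence in its description too: with no `parent_process` attribute on this object, `lineage` is the only way a producer can express ancestry beyond what the child's `grandparent_process` covers, so say that here rather than leaving producers to infer it.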
3 changes: 3 additions & 0 deletions objects/process.json
Expand Up @@ -41,6 +41,9 @@
"parent_process": {
"requirement": "recommended"
},
"grandparent_process": {
"requirement": "optional"
},
"pid": {
"requirement": "recommended"
},
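Review bot: `grandparent_process` is inserted after `parent_process` and before `pid`, which breaks the alphabetical ordering the surrounding attributes follow (`parent_process`, `pid`); move the block up to where `grandparent_process` sorts. The `optional` requirement is reasonable next to `parent_process` being `recommended`, but since the new `parent_process` type cannot carry its own parent, this attribute is now the only structured way to record the second ancestor; consider adding a short `description` override here saying exactly that, so the guidance lives where producers will look for it.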