From aef969d1e49cc50103a4db14847e9b2903799526 Mon Sep 17 00:00:00 2001
From: Michael Radka
Date: Wed, 8 Nov 2023 16:45:10 -0500
Subject: [PATCH 1/8] Add Person profile attributes to user object
Signed-off-by: Michael Radka
---
 objects/user.json | 64 ++++++++++++++++++++++++++++++++++++++++----
 profiles/person.json | 66 --------------------------------------------
 2 files changed, 58 insertions(+), 72 deletions(-)
 delete mode 100644 profiles/person.json
diff --git a/objects/user.json b/objects/user.json
index da9c56ab0..7d26aac96 100644
--- a/objects/user.json
+++ b/objects/user.json
@@ -4,20 +4,24 @@
 "extends": "_entity",
 "name": "user",
 "observable": 21,
- "profiles": [
- "person"
- ],
 "attributes": {
- "$include": [
- "profiles/person.json"
- ],
 "account": {
 "description": "The user's account or the account associated with the user.",
 "requirement": "optional"
 },
+ "cost_center": {
+ "requirement": "optional"
+ },
+ "created_time": {
+ "description": "The timestamp when the user was created.",
+ "requirement": "optional"
+ },
 "credential_uid": {
 "requirement": "optional"
 },
+ "deleted_time": {
+ "requirement": "optional"
+ },
 "domain": {
 "description": "The domain where the user is defined. For example: the LDAP or Active Directory domain.",
 "requirement": "optional"
@@ -25,22 +29,70 @@
 "email_addr": {
 "requirement": "optional"
 },
+ "email_addrs": {
+ "requirement": "optional"
+ },
+ "employee_uid": {
+ "requirement": "optional"
+ },
 "full_name": {
 "requirement": "optional"
 },
+ "given_name": {
+ "requirement": "optional"
+ },
 "groups": {
 "description": "The administrative groups to which the user belongs.",
 "requirement": "optional"
 },
+ "hire_time": {
+ "requirement": "optional"
+ },
+ "job_title": {
+ "requirement": "optional"
+ },
+ "labels": {
+ "description": "The labels associated with the user. For example in AD this could be the userType, employeeType. For example: Member, Employee.",
+ "requirement": "optional"
+ },
+ "last_login_time": {
+ "requirement": "optional"
+ },
+ "ldap_cn": {
+ "requirement": "optional"
+ },
+ "ldap_dn": {
+ "requirement": "optional"
+ },
+ "leave_time": {
+ "requirement": "optional"
+ },
+ "location": {
+ "description": "The geographical location associated with a user. This is typically the user's usual work location.",
+ "requirement": "optional"
+ },
+ "manager": {
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The timestamp when the user entry was last modified.",
+ "requirement": "optional"
+ },
 "name": {
 "description": "The username. For example, janedoe1.",
 "requirement": "recommended",
 "type": "username_t"
 },
+ "office_location": {
+ "requirement": "optional"
+ },
 "org": {
 "description": "Organization and org unit related to the user.",
 "requirement": "optional"
 },
+ "surname": {
+ "requirement": "optional"
+ },
 "type": {
 "description": "The type of the user. For example, System, AWS IAM User, etc.",
 "requirement": "optional"
diff --git a/profiles/person.json b/profiles/person.json
deleted file mode 100644
index e2d922ea1..000000000
--- a/profiles/person.json
+++ /dev/null
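Review bot: `email_addrs` is added to objects/user.json in this hunk while the dictionary entry is still spelled `email_addresses` (the PATCH 6/8 hunk on dictionary.json is what later renames it), so at this commit the user object references an attribute name the dictionary does not define; if the schema build validates object attributes against dictionary.json, this commit does not build on its own. PATCH 4/8 then removes every attribute this hunk and the previous one add from objects/user.json again, so squashing PATCH 1/8, 4/8 and 5/8 would keep that intermediate state out of history.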
@@ -1,66 +0,0 @@
-{
- "caption": "Person",
- "description": "The additonal attributes that describe a person or user beyond those required for a user.",
- "meta": "profile",
- "name": "person",
- "attributes": {
- "cost_center": {
- "requirement": "optional"
- },
- "created_time": {
- "description": "The timestamp when the user was created.",
- "requirement": "optional"
- },
- "deleted_time": {
- "requirement": "optional"
- },
- "email_addresses": {
- "requirement": "optional"
- },
- "employee_uid": {
- "requirement": "optional"
- },
- "given_name": {
- "requirement": "optional"
- },
- "hire_time": {
- "requirement": "optional"
- },
- "job_title": {
- "requirement": "optional"
- },
- "labels": {
- "description": "The labels associated with the user. For example in AD this could be the userType, employeeType. For example: Member, Employee.",
- "requirement": "optional"
- },
- "last_login_time": {
- "requirement": "optional"
- },
- "ldap_cn": {
- "requirement": "optional"
- },
- "ldap_dn": {
- "requirement": "optional"
- },
- "leave_time": {
- "requirement": "optional"
- },
- "location": {
- "description": "The geographical location associated with a user. This is typically the user's usual work location.",
- "requirement": "optional"
- },
- "manager": {
- "requirement": "optional"
- },
- "modified_time": {
- "description": "The timestamp when the user entry was last modified.",
- "requirement": "optional"
- },
- "office_location": {
- "requirement": "optional"
- },
- "surname": {
- "requirement": "optional"
- }
- }
-}
From 16f340395356c090d61477d6759fe5b121abeb15 Mon Sep 17 00:00:00 2001
From: Michael Radka
Date: Wed, 8 Nov 2023 16:45:58 -0500
Subject: [PATCH 2/8] Replace example with an existing profile
Signed-off-by: Michael Radka
---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 2da27b00d..97966eebe 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -105,7 +105,7 @@ An example `vulnerability.json` object file,
 ```
 "attributes": {
 "$include": [
- "profiles/person.json"
+ "profiles/host.json"
 ],
 ...
 }
From 38a4ebc97018fcfe18fe04d4c826c2e9a44c79b9 Mon Sep 17 00:00:00 2001
From: Michael Radka
Date: Wed, 8 Nov 2023 16:47:36 -0500
Subject: [PATCH 3/8] Remove nonexistant person profile from description
Signed-off-by: Michael Radka
---
 events/discovery/user_inventory.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/events/discovery/user_inventory.json b/events/discovery/user_inventory.json
index 759e405d9..ba08b1ed6 100644
--- a/events/discovery/user_inventory.json
+++ b/events/discovery/user_inventory.json
@@ -1,6 +1,6 @@
 {
 "caption": "User Inventory Info",
- "description": "User Inventory Info events report user inventory data. For example, this can be used to collect information about users by dumping Active Directory data. This event class is meant to be used in conjunction with the person profile to allow capturing extended information about the user.",
+ "description": "User Inventory Info events report user inventory data. For example, this can be used to collect information about users by dumping Active Directory data.",
 "extends": "discovery",
 "name": "user_inventory",
 "uid": 3,
From e1ab665c4643bfc7eac1d7b004981ce66bd15718 Mon Sep 17 00:00:00 2001
From: Michael Radka
Date: Wed, 8 Nov 2023 17:25:27 -0500
Subject: [PATCH 4/8] Add the ldap_person object
Signed-off-by: Michael Radka
---
 dictionary.json | 5 +++
 objects/ldap_person.json | 66 ++++++++++++++++++++++++++++++++++++++++
 objects/user.json | 60 +-----------------------------------
 3 files changed, 72 insertions(+), 59 deletions(-)
 create mode 100644 objects/ldap_person.json
diff --git a/dictionary.json b/dictionary.json
index ea21be07f..49bcbe33b 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -1887,6 +1887,11 @@
 "description": "The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com.",
 "type": "string_t"
 },
+ "ldap_person": {
+ "caption": "LDAP Person",
+ "description": "The additonal LDAP attributes that describe a person.",
+ "type": "ldap_person"
+ },
 "lease_dur": {
 "caption": "Lease Duration",
 "description": "This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events.",
diff --git a/objects/ldap_person.json b/objects/ldap_person.json
new file mode 100644
index 000000000..49dcbda6c
--- /dev/null
+++ b/objects/ldap_person.json
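Review bot: The new `ldap_person` dictionary entry misspells "additional" in its description; the line should read `"description": "The additional LDAP attributes that describe a person.",`. The identical string is copied into objects/ldap_person.json in the next hunk and into objects/user.json in PATCH 5/8, so fix all three together (the deleted profiles/person.json carried the same misspelling, which is presumably where it was copied from).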
@@ -0,0 +1,66 @@
+{
+ "caption": "LDAP Person",
+ "description": "The additonal LDAP attributes that describe a person.",
+ "name": "ldap_person",
+ "extends": "object",
+ "attributes": {
+ "cost_center": {
+ "requirement": "optional"
+ },
+ "created_time": {
+ "description": "The timestamp when the user was created.",
+ "requirement": "optional"
+ },
+ "deleted_time": {
+ "requirement": "optional"
+ },
+ "email_addresses": {
+ "requirement": "optional"
+ },
+ "employee_uid": {
+ "requirement": "optional"
+ },
+ "given_name": {
+ "requirement": "optional"
+ },
+ "hire_time": {
+ "requirement": "optional"
+ },
+ "job_title": {
+ "requirement": "optional"
+ },
+ "labels": {
+ "description": "The labels associated with the user. For example in AD this could be the userType, employeeType. For example: Member, Employee.",
+ "requirement": "optional"
+ },
+ "last_login_time": {
+ "requirement": "optional"
+ },
+ "ldap_cn": {
+ "requirement": "optional"
+ },
+ "ldap_dn": {
+ "requirement": "optional"
+ },
+ "leave_time": {
+ "requirement": "optional"
+ },
+ "location": {
+ "description": "The geographical location associated with a user. This is typically the user's usual work location.",
+ "requirement": "optional"
+ },
+ "manager": {
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The timestamp when the user entry was last modified.",
+ "requirement": "optional"
+ },
+ "office_location": {
+ "requirement": "optional"
+ },
+ "surname": {
+ "requirement": "optional"
+ }
+ }
+}
\ No newline at end of file
diff --git a/objects/user.json b/objects/user.json
index 7d26aac96..8d1a8f0b6 100644
--- a/objects/user.json
+++ b/objects/user.json
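Review bot: The new objects/ldap_person.json is committed without a final newline (`\ No newline at end of file`), and the `@@ -137,4 +79,4 @@` hunk on objects/user.json in this same patch strips the trailing newline that file previously had; both should end with a newline like the other schema files (the deleted profiles/person.json did). Separately, the object description only says these are LDAP attributes, yet what the object groups is employment and identity data about a person (`employee_uid`, `manager`, `hire_time`, `leave_time`, `location`, `ldap_dn`); one added sentence in the description stating that these attributes identify a person and are typically personal data would help consumers of user_inventory events decide what to retain and who may read it.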
@@ -9,19 +9,9 @@
 "description": "The user's account or the account associated with the user.",
 "requirement": "optional"
 },
- "cost_center": {
- "requirement": "optional"
- },
- "created_time": {
- "description": "The timestamp when the user was created.",
- "requirement": "optional"
- },
 "credential_uid": {
 "requirement": "optional"
 },
- "deleted_time": {
- "requirement": "optional"
- },
 "domain": {
 "description": "The domain where the user is defined. For example: the LDAP or Active Directory domain.",
 "requirement": "optional"
@@ -29,70 +19,22 @@
 "email_addr": {
 "requirement": "optional"
 },
- "email_addrs": {
- "requirement": "optional"
- },
- "employee_uid": {
- "requirement": "optional"
- },
 "full_name": {
 "requirement": "optional"
 },
- "given_name": {
- "requirement": "optional"
- },
 "groups": {
 "description": "The administrative groups to which the user belongs.",
 "requirement": "optional"
 },
- "hire_time": {
- "requirement": "optional"
- },
- "job_title": {
- "requirement": "optional"
- },
- "labels": {
- "description": "The labels associated with the user. For example in AD this could be the userType, employeeType. For example: Member, Employee.",
- "requirement": "optional"
- },
- "last_login_time": {
- "requirement": "optional"
- },
- "ldap_cn": {
- "requirement": "optional"
- },
- "ldap_dn": {
- "requirement": "optional"
- },
- "leave_time": {
- "requirement": "optional"
- },
- "location": {
- "description": "The geographical location associated with a user. This is typically the user's usual work location.",
- "requirement": "optional"
- },
- "manager": {
- "requirement": "optional"
- },
- "modified_time": {
- "description": "The timestamp when the user entry was last modified.",
- "requirement": "optional"
- },
 "name": {
 "description": "The username. For example, janedoe1.",
 "requirement": "recommended",
 "type": "username_t"
 },
- "office_location": {
- "requirement": "optional"
- },
 "org": {
 "description": "Organization and org unit related to the user.",
 "requirement": "optional"
 },
- "surname": {
- "requirement": "optional"
- },
 "type": {
 "description": "The type of the user. For example, System, AWS IAM User, etc.",
 "requirement": "optional"
@@ -137,4 +79,4 @@
 "uid"
 ]
 }
-}
+}
\ No newline at end of file
From bee98da922d5223c0f757f81da192098b2d3d065 Mon Sep 17 00:00:00 2001
From: Michael Radka
Date: Wed, 8 Nov 2023 17:29:18 -0500
Subject: [PATCH 5/8] Add ldap_person to user object
Signed-off-by: Michael Radka
---
 objects/user.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/objects/user.json b/objects/user.json
index 8d1a8f0b6..512455f1d 100644
--- a/objects/user.json
+++ b/objects/user.json
@@ -26,6 +26,10 @@
 "description": "The administrative groups to which the user belongs.",
 "requirement": "optional"
 },
+ "ldap_person": {
+ "description": "The additonal LDAP attributes that describe a person.",
+ "requirement": "optional"
+ },
 "name": {
 "description": "The username. For example, janedoe1.",
 "requirement": "recommended",
From cd804be2c6015f515f0d9150019d27737ae3fe7d Mon Sep 17 00:00:00 2001
From: Michael Radka
Date: Wed, 8 Nov 2023 17:34:13 -0500
Subject: [PATCH 6/8] Make email_addrs an array
Signed-off-by: Michael Radka
---
 dictionary.json | 6 +++---
 objects/ldap_person.json | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/dictionary.json b/dictionary.json
index 49bcbe33b..f946f9531 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -1273,11 +1273,11 @@
 "description": "The user's primary email address.",
 "type": "email_t"
 },
- "email_addresses": {
+ "email_addrs": {
 "caption": "Email Addresses",
 "description": "A list of additional email addresses for the user.",
- "type": "email_t",
- "is_array": true
+ "is_array": true,
+ "type": "email_t"
 },
 "email_auth": {
 "caption": "Email Authentication",
diff --git a/objects/ldap_person.json b/objects/ldap_person.json
index 49dcbda6c..397f33d02 100644
--- a/objects/ldap_person.json
+++ b/objects/ldap_person.json
@@ -14,7 +14,7 @@
 "deleted_time": {
 "requirement": "optional"
 },
- "email_addresses": {
+ "email_addrs": {
 "requirement": "optional"
 },
 "employee_uid": {
From 509ba1edc2869bf27983452014f0f8f5e4a2622c Mon Sep 17 00:00:00 2001
From: Michael Radka
Date: Thu, 9 Nov 2023 11:45:54 -0500
Subject: [PATCH 7/8] Update class description to be more academic
Signed-off-by: Michael Radka
---
 events/discovery/user_inventory.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
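Review bot: The `ldap_person` attribute added to objects/user.json repeats the dictionary.json description word for word, misspelling included, while neighbouring attributes in this file such as `credential_uid` and `full_name` carry no `description` and presumably take it from the dictionary; keeping two copies of the same sentence invites drift. Either drop the `description` key here or give it wording specific to this object, e.g. `"description": "The additional LDAP attributes that describe the user as a person.",`.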
diff --git a/events/discovery/user_inventory.json b/events/discovery/user_inventory.json
index ba08b1ed6..48795323c 100644
--- a/events/discovery/user_inventory.json
+++ b/events/discovery/user_inventory.json
@@ -1,6 +1,6 @@
 {
 "caption": "User Inventory Info",
- "description": "User Inventory Info events report user inventory data. For example, this can be used to collect information about users by dumping Active Directory data.",
+ "description": "For example, this can be utilized to collect user information by extracting Active Directory data.",
 "extends": "discovery",
 "name": "user_inventory",
 "uid": 3,
From 2ffdede859d04c763c553445e6b940b25009a823 Mon Sep 17 00:00:00 2001
From: Michael Radka
Date: Thu, 9 Nov 2023 11:49:16 -0500
Subject: [PATCH 8/8] Change to gathering
Signed-off-by: Michael Radka
---
 events/discovery/user_inventory.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/events/discovery/user_inventory.json b/events/discovery/user_inventory.json
index 48795323c..340e1d8eb 100644
--- a/events/discovery/user_inventory.json
+++ b/events/discovery/user_inventory.json
@@ -1,6 +1,6 @@
 {
 "caption": "User Inventory Info",
- "description": "For example, this can be utilized to collect user information by extracting Active Directory data.",
+ "description": "For example, this can be utilized to collect user information by gathering Active Directory data.",
 "extends": "discovery",
 "name": "user_inventory",
 "uid": 3,
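Review bot: The rewritten description in the PATCH 7/8 hunk now opens with "For example," because the statement it illustrated ("User Inventory Info events report user inventory data.") was dropped along with the old wording, so the class no longer says what it reports; keep a leading statement, e.g. `"description": "User Inventory Info events report user inventory data. For example, this can be utilized to collect user information by gathering Active Directory data.",`. The PATCH 8/8 hunk on the same file keeps the same opening, so the fix applies there too (the quoted line already uses its "gathering" wording).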