Feat: [ocsf#1122] - extend User, LDAP Person + cloud like AzureAd support added

- wip - status: LDAP person added + AD profile
PavelJurka committed Jun 27, 2024
1 parent db3d456 commit 7b67f41
Showing 4 changed files with 206 additions and 39 deletions.
155 changes: 155 additions & 0 deletions dictionary.json
Expand Up @@ -109,6 +109,19 @@
"description": "The permissions that were granted to the in a platform-native format.",
"type": "integer_t"
},
"admin_count": {
"caption": "Admin Count",
"type": "integer_t",
"description": "Indicates that a given object is a member of a Privileged group in Active Directory.",
"enum": {
"0": {
"caption": "Not Member"
},
"1": {
"caption": "Member"
}
}
},
"affected_code": {
"caption": "Affected Code",
"description": "List of Affected Code objects that describe details about code blocks identified as vulnerable.",
Expand Down Expand Up @@ -158,6 +171,17 @@
}
}
},
"allowed_to_act_on_behalf_of_other_identity": {
"caption": "Allowed to Act On Behalf Of Other Identity",
"type": "string_t",
"description": "Is used for access checks to determine if a requestor has permission to act on the behalf of other identities to services running as this account."
},
"allowed_to_delegate_to": {
"caption": "Allowed To Delegate To",
"type": "string_t",
"description": "The list of service principal names (SPNs) corresponding to Windows services that can act on behalf of the computer or user account.",
"is_array": true
},
"analytic": {
"caption": "Analytic",
"description": "The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion.",
Expand Down Expand Up @@ -1047,6 +1071,11 @@
"description": "The network connection identifier.",
"type": "string_t"
},
"consistency_guid": {
"caption": "Consistency Guid",
"type": "string_t",
"description": "Is used to check consistency between the directory and another object, database, or application by comparing GUIDs."
},
"container": {
"caption": "Container",
"description": "The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.",
Expand Down Expand Up @@ -1115,6 +1144,11 @@
"description": "The Common Platform Enumeration (CPE) name as described by (<a target='_blank' href='https://nvd.nist.gov/products/cpe'>NIST</a>) For example: <code>cpe:/a:apple:safari:16.2</code>.",
"type": "string_t"
},
"creator_sid": {
"caption": "Creator SID",
"type": "string_t",
"description": "The security ID of the creator of the object that contains this attribute."
},
"cpu_bits": {
"caption": "CPU Bits",
"description": "The cpu architecture, the number of bits used for addressing in memory. For example: <code>32</code> or <code>64</code>.",
Expand Down Expand Up @@ -1299,6 +1333,11 @@
"description": "The total round-trip delay to the reference clock in milliseconds.",
"type": "integer_t"
},
"is_deleted": {
"caption": "Is Deleted",
"type": "boolean_t",
"description": "Identifies if the object has been marked for deletion and will be removed."
},
"deleted_time": {
"caption": "Deleted Time",
"description": "The timestamp when the user was deleted. In Active Directory (AD), when a user is deleted they are moved to a temporary container and then removed after 30 days. So, this field can be populated even after a user is deleted for the next 30 days.",
Expand Down Expand Up @@ -1504,6 +1543,11 @@
}
}
},
"display_name": {
"caption": "Display Name",
"type": "string_t",
"description": "The display name for an object."
},
"dkim": {
"caption": "DKIM Status",
"description": "The DomainKeys Identified Mail (DKIM) status of the email.",
Expand Down Expand Up @@ -1940,6 +1984,11 @@
"description": "The folder that pertains to the event.",
"type": "file"
},
"forest": {
"caption": "Forest",
"type": "string_t",
"description": "Name of the Active Directory Forest."
},
"from": {
"caption": "From",
"description": "The email header From values, as defined by RFC 5322.",
Expand Down Expand Up @@ -2454,6 +2503,11 @@
"description": "The two letter lower case language codes, as defined by <a target='_blank' href='https://en.wikipedia.org/wiki/ISO_639-1'>ISO 639-1</a>. For example: <code>en</code> (English), <code>de</code> (German), or <code>fr</code> (French).",
"type": "string_t"
},
"last_known_parent": {
"caption": "Last Known Parent",
"type": "string_t",
"description": "The Distinguished Name (DN) of the last known parent of an orphaned object."
},
"last_login_time": {
"caption": "Last Login",
"description": "The last time when the user logged in.",
Expand Down Expand Up @@ -2729,6 +2783,24 @@
"description": "The location of the matched data in the source which resulted in the triggered firewall rule. For example: HEADER.",
"type": "string_t"
},
"member_of": {
"caption": "Member Of",
"type": "string_t",
"description": "Specifies the groups in which the object is a Member. See specific usage.",
"is_array": true
},
"member_of_guid": {
"caption": "Member Of GUID",
"type": "string_t",
"description": "Specifies the group's GUID, in which the object is a member. See specific usage.",
"is_array": true
},
"member_of_transitive": {
"caption": "Member Of Transitive",
"type": "string_t",
"description": "Specifies all the groups in which the object is a member, directly or indirectly. See specific usage.",
"is_array": true
},
"message": {
"caption": "Message",
"description": "The description of the event/finding, as defined by the source.",
Expand Down Expand Up @@ -2823,6 +2895,11 @@
"type": "string_t",
"is_array": true
},
"nt_security_descriptor": {
"caption": "NT Security Descriptor",
"type": "string_t",
"description": "The Windows NT security descriptor for the schema object."
},
"num_detections": {
"caption": "Detections",
"description": "The number of detections.",
Expand Down Expand Up @@ -3039,6 +3116,11 @@
"description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
"type": "process"
},
"parent_dn": {
"caption": "Parent Distinguished Name",
"type": "string_t",
"description": "The distinguished name (DN) of the parent object of the current object."
},
"password_last_set_time": {
"caption": "Password Last Set Time",
"type": "timestamp_t",
Expand Down Expand Up @@ -3221,6 +3303,11 @@
"type": "security_state",
"is_array": true
},
"primary_group_id": {
"caption": "Primary Group ID",
"type": "integer_t",
"description": "The relative identifier (RID) for the primary group of the user."
},
"priority": {
"caption": "Priority",
"description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.",
Expand Down Expand Up @@ -3473,6 +3560,11 @@
"description": "The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record.",
"type": "string_t"
},
"is_recycled": {
"caption": "Is Recycled",
"type": "boolean_t",
"description": "Identifies if the object has been added to the Recycle bin in Active Directory."
},
"references": {
"caption": "References",
"description": "A list of reference URLs supporting the finding/detection.",
Expand Down Expand Up @@ -3590,6 +3682,11 @@
"description": "The Domain Name System (DNS) response time.",
"type": "timestamp_t"
},
"resultant_pso": {
"caption": "Resultant PSO",
"type": "string_t",
"description": "The effective password policy applied on this object."
},
"risk_details": {
"caption": "Risk Details",
"description": "Describes the risk associated with the finding.",
Expand Down Expand Up @@ -3655,6 +3752,16 @@
"description": "The backend running the container, such as containerd or cri-o.",
"type": "string_t"
},
"sam_account_name": {
"caption": "SAM Account Name",
"type": "string_t",
"description": "The Active Directory user logon name used to support clients and servers from a previous version of Windows ( Pre-Windows 2000)."
},
"sam_account_type": {
"caption": "SAM Account Type",
"type": "long_t",
"description": "This attribute contains information about every account type object."
},
"samesite": {
"caption": "SameSite",
"description": "The cookie attribute that lets servers specify whether/when cookies are sent with cross-site requests. Values are: Strict, Lax or None",
Expand Down Expand Up @@ -3858,6 +3965,17 @@
"description": "The service that pertains to the event.",
"type": "service"
},
"is_service_account": {
"caption": "Service Account",
"type": "boolean_t",
"description": "Indicates whether the user account is a used as a Service Account."
},
"service_principal_name": {
"caption": "Service Principal Name",
"type": "string_t",
"description": "The unique identifiers of a service instance in Active Directory.",
"is_array": true
},
"session": {
"caption": "Session",
"description": "The authenticated user or service session.",
Expand Down Expand Up @@ -3943,6 +4061,12 @@
}
}
},
"sid_history": {
"caption": "SID History",
"type": "string_t",
"description": "Contains previous SIDs used for the object if the object was moved from another domain.",
"is_array": true
},
"signature": {
"caption": "Digital Signature",
"description": "The digital signature of the file.",
Expand Down Expand Up @@ -4279,6 +4403,12 @@
"type": "email_t",
"is_array": true
},
"token_groups": {
"caption": "Token Groups",
"type": "string_t",
"description": "The list of SIDs due to a transitive group membership expansion operation on a given user or computer.",
"is_array": true
},
"total": {
"caption": "Total",
"description": "The total number of items. See specific usage.",
Expand Down Expand Up @@ -4393,17 +4523,42 @@
"description": "The user that pertains to the event or object.",
"type": "user"
},
"user_account_control": {
"caption": "User Account Control",
"type": "integer_t",
"description": "Flags that control the behavior of the user account."
},
"user_agent": {
"observable": 16,
"caption": "HTTP User-Agent",
"description": "The request header that identifies the operating system and web browser.",
"type": "string_t"
},
"user_principal_name": {
"caption": "User Principal Name",
"type": "string_t",
"description": "The name of a system user. Like Active Directory an email address format."
},
"user_result": {
"caption": "User Result",
"description": "The result of the user account change. It should contain the new values of the changed attributes.",
"type": "user"
},
"user_password_expiry_computed_time": {
"caption": "User Password Expiry Time",
"type": "timestamp_t",
"description": "The expiry time for the user's current password."
},
"usn_changed": {
"caption": "USN Changed",
"type": "long_t",
"description": "The update sequence number (USN) assigned by the local directory for the latest change."
},
"usn_created": {
"caption": "USN Created",
"type": "long_t",
"description": "The update sequence number (USN) assigned at object creation."
},
"users": {
"caption": "Users",
"description": "The users that pertain to the event or object.",
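Review bot: The `admin_count` description in the first hunk (`@@ -109,6 +109,19 @@`) overstates what the attribute means: Active Directory sets adminCount to 1 when SDProp protects an object because of privileged-group membership, but the value is not cleared when the object is later removed from the group, so a consumer that reads `1` as "is a member" will keep flagging stale accounts. Suggest `"description": "Indicates whether the object is, or once was, protected by AdminSDHolder due to membership in a privileged Active Directory group. The value is set by the SDProp process and is not cleared automatically when the object leaves the group."`, with the `1` caption worded accordingly rather than `"Member"`. In the same file, `is_service_account` has a typo (`"is a used as a Service Account"` should read `"is used as a service account"`) and its caption `"Service Account"` breaks the `Is …` caption pattern used by `is_deleted` and `is_recycled`. Several new keys also land outside the alphabetical order the dictionary otherwise follows (`creator_sid` before `cpu_bits`, the three `is_*` keys filed under d/r/s, `user_password_expiry_computed_time` after `user_result`), which makes later merges noisier.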
9 changes: 9 additions & 0 deletions objects/ldap_person.json
Expand Up @@ -3,7 +3,13 @@
"description": "The additional LDAP attributes that describe a person.",
"name": "ldap_person",
"extends": "object",
"profiles": [
"active_directory"
],
"attributes": {
"$include": [
"profiles/active_directory.json"
],
"allowed_to_act_on_behalf_of_other_identity": {
"requirement": "optional"
},
Expand All @@ -13,6 +19,9 @@
"cost_center": {
"requirement": "optional"
},
"creator_sid": {
"requirement": "optional"
},
"created_time": {
"description": "The timestamp when the user was created.",
"requirement": "optional"
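Review bot: `creator_sid` in the second hunk (`@@ -13,6 +19,9 @@`) is inserted between `cost_center` and `created_time`, breaking the alphabetical ordering the surrounding attributes follow; it belongs after `created_time`. The new `"$include": ["profiles/active_directory.json"]` in the first hunk points at a file that is not among the sections rendered on this page (the fourth changed file is still loading), so I could not confirm that every attribute from the deleted `objects/ldap_person_AD.json` is carried over there. The enclosing `attributes` object continues outside both hunks.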
39 changes: 0 additions & 39 deletions objects/ldap_person_AD.json

This file was deleted.

0 comments on commit 7b67f41