-
Notifications
You must be signed in to change notification settings - Fork 142
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: [1122]-ldap and user extension + AD profile #1136
base: main
Are you sure you want to change the base?
feat: [1122]-ldap and user extension + AD profile #1136
Conversation
These are a few that have pretty long names. With OCSF we try our best to keep attribute names as concise as possible. Can we look a bit deeper into ways to shorten these attribute names? While I understand there is an intent to keep these consistent with AD, OCSF and AD still have separate conventions and I am hesitant to deviate from OCSF by introducing large attribute names unless absolutely needed.
|
bc354a3
to
f0c170a
Compare
Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND. - Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID - Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta - ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as #1136 already has a solution - Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them --------- Signed-off-by: Jonathan Rau <[email protected]> Co-authored-by: Rajas <[email protected]>
"description": "The number of times the user tried to log on to the account using an incorrect password." | ||
}, | ||
"bad_password_time": { | ||
"caption": "Bad Password Time", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Naming again. Not sure if these are native AD names. I would prefer 'failed_loginsor
num_failed_logins. Also
last_failed_loginor
last_failed_login_time`.
"caption": "Consistency Guid", | ||
"type": "string_t", | ||
"description": "Is used to check consistency between the directory and another object, database, or application by comparing GUIDs." | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This one seems very specific, maybe to AD only? Should be type uuid_t
.
"creator_sid": { | ||
"caption": "Creator SID", | ||
"type": "string_t", | ||
"description": "The security ID of the creator of the object that contains this attribute." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Windows specific - sid
. Do we use strings or uids for sids? Can we use creator.uid
already in dictionary? We can use this Windows name in the desc.
"description": "roxy address of a user. For example [SMTP: [email protected], smtp: [email protected]]", | ||
"type": "string_t", | ||
"is_array": true | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this always be an email address? If so, we can use the email_t
type. Also, a typo in the description of proxy.
"caption": "Is Recycled", | ||
"type": "boolean_t", | ||
"description": "Identifies if the object has been added to the Recycle bin in Active Directory." | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a generic name with a specific to AD description.
"caption": "Resultant PSO", | ||
"type": "string_t", | ||
"description": "The effective password policy applied on this object." | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be a Policy data type? Is this specific to AD? What is a PSO?
"caption": "SAM Account Type", | ||
"type": "long_t", | ||
"description": "This attribute contains information about every account type object." | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Windows specific sam_
prefixes. (Just keeping notes of these).
"type": "string_t", | ||
"description": "The unique identifiers of a service instance in Active Directory.", | ||
"is_array": true | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We usually sort these attributes even if they are related (e.g. is_
stays together) but not absolute.
"caption": "Last Known Parent", | ||
"type": "string_t", | ||
"description": "The Distinguished Name (DN) of the last known parent of an orphaned object." | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
May need ldap_
because it is a DN
or an object. A convention around objects like AD could be retrofitted to LDAP too (we would need to deprecate).
"caption": "On Premises Distinguished Name", | ||
"description": "The distinguished name of the user in the on-premises Active Directory.", | ||
"type": "string_t" | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a difference between AD and Azure Entra ID?
We may need to break this PR down into a few smaller PRs - it is quite large with many new attributes, but is also very important to get right. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I echo @pagbabian-splunk's comment, these additions are much needed for the framework, but we need to break the PR down in smaller chunks. Perhaps you can target additions/enhancements to just one object at a time in a single PR.
Other things to consider -
- If you have sample events that you want to normalize, it will help us quite a bit to review.
- Consider re-using existing attributes before adding new ones. (Refer to Paul's inline comments)
- Consider all the specific data-types as you add new attributes, instead of defaulting to
string_t
- Consider object creation to avoid redundancy in naming and re-usability of attributes. (e.g
on_premises_*
vs onon_premises { * }
) - Consider if you can create an object to group AD specific attributes together (thinking about re-usability and portability across the framework)
@pagbabian-splunk @mikeradka @zschmerber Feel free to add, if I missed anything.
"type": "string_t", | ||
"description": "Specifies all the groups in which the object is a member, directly or indirectly. See specific usage.", | ||
"is_array": true | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, can the caption be made clearer?
Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND. - Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID - Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta - ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as ocsf#1136 already has a solution - Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them --------- Signed-off-by: Jonathan Rau <[email protected]> Co-authored-by: Rajas <[email protected]>
Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND. - Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID - Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta - ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as ocsf#1136 already has a solution - Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them --------- Signed-off-by: Jonathan Rau <[email protected]> Co-authored-by: Rajas <[email protected]>
Expands the `user` object to add relevant data that comes from various Identity Providers or Directories while keep relevance with LDAP and MITRE D3FEND. - Add Observable `type_id` 31-35 for User UID, Group Name, Group UID, Account Name, Account UID - Add `phone_number` to `user` and to `ldap_person` - this attribute can be assigned to both or one or the other depending on the upstream system. For instance Entra ID or Okta - ~~Add `state_id` and `state` to `user` to represent the various states of a user record in a directory or IDP such as their provisioning status, (de)activation. This is 1:1 with Okta with an extra `Deleted` enum added for Google Workspace~~ Removed as ocsf#1136 already has a solution - Add `has_mfa` Boolean to Dictionary and `user` object as a quick way to tell if a `user` has MFA/2FA enabled/assigned to them --------- Signed-off-by: Jonathan Rau <[email protected]> Co-authored-by: Rajas <[email protected]>
669339a
to
3a9f241
Compare
9b1b73c
to
3f131d4
Compare
Related Issue: .
#1122
Description of changes:
This issue is about adding a few useful fields to LDAP user, User object and adding a way how to map Azure ID to it.