Description
A challenge when implementing commands using the query action is that even simple queries in EDR systems often contain criteria and even logical operators deciding what is returned.
An example of this is the Devices API of Carbon Black Cloud:
https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/devices-api/
request body example:
```json
{
  "criteria": {
    "deployment_type": ["WORKLOAD"],
    "target_priority": ["MEDIUM"],
    "last_contact_time": {
      "start": "2021-01-27T12:43:26.243Z",
      "end": "2021-01-28T12:43:26.243Z"
    },
    "query": "<Apache Lucene query>"
  }
}
```
On the other hand, Microsoft Defender for Endpoint simply has a "get machine by ID" API:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machine-by-id?view=o365-worldwide
```
GET /api/machines/{id}
```
Both of these functions would be covered by a "Query device" action, but one of them would require an enormous amount of arguments (CBC criteria supports 10 fields as well as Lucene queries) in order to have all its features supported. How do we get around this?
Some suggestions:
- Add an argument that supports solution agnostic criteria/queries
- The Open Cybersecurity Alliance has the Kestrel and STIX-shifter projects, which allow for queries with logical operators and pattern matching. OCA being an OASIS project, it would be natural for us to cooperate with them, and add something like a "stix-pattern" or "kestrel" argument.
  https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/OVERVIEW.md
  https://kestrel.readthedocs.io/en/latest/language.html
- A hybrid solution where we strongly suggest implementing STIX-shifter/using Kestrel, while also supporting solution agnostic criteria/queries
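To make the asymmetry concrete, here is an added illustration (not code from the issue or from any actuator profile) of what a solution-agnostic criteria argument would have to do: one translator turns a small, hypothetical agnostic criteria dict into the Carbon Black Cloud Devices API body, the other into the Defender for Endpoint get-machine-by-id path, and each rejects criteria its backend cannot express instead of silently dropping them. The agnostic field names (`device_id`, `priority`, `last_contact`) and the CBC `id` mapping are assumptions for the example; the CBC field names from the request body above are the page's own.

```python
from typing import Any

# Assumed agnostic field -> Carbon Black Cloud criteria field.
# deployment_type / target_priority come from the example body in the issue;
# "id" for device_id is an assumption to be checked against the Devices API reference.
AGNOSTIC_TO_CBC = {
    "device_id": "id",
    "deployment_type": "deployment_type",
    "priority": "target_priority",
}

class UnsupportedCriteria(Exception):
    """Raised when a backend cannot express the requested criteria."""

def to_carbon_black(criteria: dict[str, Any]) -> dict[str, Any]:
    """Translate agnostic criteria into a Carbon Black Cloud Devices API body."""
    body: dict[str, Any] = {}
    for key, value in criteria.items():
        if key == "last_contact":
            # agnostic value is a (start, end) pair of ISO-8601 timestamps
            body["last_contact_time"] = {"start": value[0], "end": value[1]}
        elif key == "query":
            body["query"] = value  # passed through as a Lucene query string
        elif key in AGNOSTIC_TO_CBC:
            body[AGNOSTIC_TO_CBC[key]] = list(value)
        else:
            raise UnsupportedCriteria(f"Carbon Black Cloud: unsupported field {key!r}")
    return {"criteria": body}

def to_defender(criteria: dict[str, Any]) -> str:
    """Translate agnostic criteria into a Defender for Endpoint request path.

    get-machine-by-id accepts exactly one device ID and nothing else, so any
    other criteria are rejected rather than ignored (ignoring them would return
    a device the caller did not ask for).
    """
    extra = set(criteria) - {"device_id"}
    if extra or len(criteria.get("device_id", [])) != 1:
        raise UnsupportedCriteria(
            f"Defender: only a single device_id is supported, got {sorted(criteria)}"
        )
    return f"GET /api/machines/{criteria['device_id'][0]}"
```

The actuator can advertise which agnostic fields each backend accepts by probing these translators, which is the information a consumer needs before choosing between a criteria argument and a STIX/Kestrel pattern.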