Related Issue: N/A
Description of changes:
We are populating the observables with values which are notable for correlation or display to the users. There are several values, which we think make good observables, but are not marked as such. This PR tries to add them.
These are the details:
- email.subject, email.uid and message_uid as Observable types - type_id: 39, type_id: 40 and 45.
- process_entity.uid as an Observable type - type_id: 41.
- file_path_t as an Observable type - type_id: 42, and marked these fields as this type: the lineage dictionary attribute and the object attributes affected_package.path, file.path, image.path, kernel.path, malware.path and process_entity.path.
- extensions/windows/reg_key_path_t as an Observable type - type_id: 43, and marked these fields as this type: the object attributes reg_key.path and reg_value.path.
- reg_value.name as an Observable type - type_id: 44.
I have updated CHANGELOG.md with the same granularity of the information it already uses, but it's not a "single-line" description. Should I reduce the detail to make it single line?
Note On Compatibility
There is a failing compatibility validator, as I changed some fields from string_t to the new file_path_t and reg_key_path_t - as this seems to be the only way to mark several different fields as the same observable. Since both old and new types are strings (the new one just adds semantics) I don't see how this could break type compatibility (e.g. in generated classes). But I am happy to learn about any concerns and also whether there is a better (more compatible) way to mark multiple fields with the same observable type.