schema.yml
provider:
  accountId:
    format: string
    description: The cloud account or organization id used to identify different entities in a multi-tenant environment.
  guid:
    format: string
    description: Identifier for the provider.
  name:
    format: string
    description: The cloud account name or alias used to identify different entities in a multi-tenant environment.
  product:
    format: string
    description: Source product service name from the vendor to indicate the origin (e.g. Azure Defender, Oracle Cloud Guard, etc.)
  type:
    format: string
    description: IaaS, SaaS or PaaS
event:
  accountId:
    format: string
    description: The cloud account or organization id used to identify different entities in a multi-tenant environment.
  actor:
    format: string
    description:
  additionalProperties:
    format: string
    description: Key-Value pairs or property bag for additional missing but critical event properties. Includes labels.
  geolocation:
    city:
      format: string
      description: Geolocation includes country, state, city, zip and latitude, longitude information
    country:
      format: string
      description: Geolocation includes country, state, city, zip and latitude, longitude information
    ipv4:
      format: string
      description: Geolocation includes country, state, city, zip and latitude, longitude information
    ipv6:
      format: string
      description: Geolocation includes country, state, city, zip and latitude, longitude information
    latitude:
      format: string
      description: Geolocation includes country, state, city, zip and latitude, longitude information
    longitude:
      format: string
      description: Geolocation includes country, state, city, zip and latitude, longitude information
    postalcode:
      format: string
      description: Geolocation includes country, state, city, zip and latitude, longitude information
    state:
      format: string
      description: Geolocation includes country, state, city, zip and latitude, longitude information
  guid:
    format: string
    description: Identifier
  longDescription:
    format: string
    description: Detailed description of event
  name:
    format: string
    description: Name of event
  recommendation:
    format: string
    description:
  relatedEvent:
    format: string
    description:
  severity:
    format: string
    description: Event severity set by the provider
  shortDescription:
    format: string
    description: Brief description of event
  state:
    format: string
    description: Event state whether active or resolved
  time:
    format: string
    description: Time - The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
  timeEnd:
    format: string
    description: Time at which the event ended. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
  timeStart:
    format: string
    description: Time at which the event occurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
  timeUpdated:
    format: string
    description: Time - The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
  timezone:
    format: string
    description: Timezone.
  type:
    format: string
    description: Enumeration of Event type - for e.g., Threat, WAF, etc. for security namespace (NEED A STANDARD LIST)
  url:
    format: string
    description: Direct URL link to the event for details
resource:
  accountId:
    format: string
    description: The cloud account or organization id used to identify different entities in a multi-tenant environment.
  additionalProperties:
    format: string
    description:
  criticality:
    format: string
    description: If the resource is critical or not
  group:
    format: string
    description: Group this resource belongs to
  guid:
    format: string
    description: Resource identifier
  name:
    format: string
    description: Resource name
  region:
    format: string
    description: Resource geolocation includes country, state, city, zip and latitude, longitude information –> update this to make this region for the resource only
  type:
    format: string
    description: Resource type
  url:
    format: string
    description: Resource URL / URI
  zone:
    format: string
    description: Resource zone
service:
  additionalProperties:
    format: string
    description: Key-Value pairs or property bag for additional missing but critical event properties
  guid:
    format: string
    description: Service being monitored - identifier
  name:
    format: string
    description: Service name
  region:
    format: string
    description: Service geolocation includes country, state, city, zip and latitude, longitude information
  type:
    format: string
    description: Service type
  url:
    format: string
    description:
  zone:
    format: string
    description: Service zone
threatactor:
  additionalProperties:
    format: string
    description: Key-Value pairs or property bag for additional missing but critical event properties
  guid:
    format: string
    description: Threat actor identifier
  name:
    format: string
    description: Threat actor name
  type:
    format: string
    description: Threat actor type
decorator:
  behavior:
    format: string
    description: Behavior of entity associated with the event
  compliance:
    format: string
    description: Compliance status of enrichment source
  custom1:
    format: string
    description: Additional custom information pertaining to the event
  custom2:
    format: string
    description: Additional custom information pertaining to the event
  dataClassification:
    format: string
    description: Event classification
  references:
    format: string
    description: The source of enrichment information
  risk:
    format: string
    description: Risk of the event
  threat:
    format: string
    description: Threat information pertaining to the event
  vulnerability:
    format: string
    description: Vulnerability information pertaining to the event
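The schema above only declares field names and `format: string`; the rules a consumer actually needs to enforce (every value a string, timestamps in ISO 8601 UTC with a trailing `Z` as the `time*` descriptions state, `ipv4`/`ipv6` well-formed, no fields outside the schema) live in the descriptions. The validator below is an added example, not code from the schema's repository: it embeds the field names of the six top-level objects from schema.yml, derives the checks from the descriptions, and runs them over a constructed sample notification. The sample values, the assumption that a notification is a JSON/YAML object keyed by the six top-level objects, and the assumption that `timeEnd` must not precede `timeStart` are mine, not the schema's.

```python
"""Validate a notification against the field layout of schema.yml (added example)."""
import ipaddress
import re
from datetime import datetime

# Field names copied from schema.yml; event.geolocation is the one nested object.
SCHEMA = {
    "provider": {"accountId", "guid", "name", "product", "type"},
    "event": {"accountId", "actor", "additionalProperties", "geolocation", "guid",
              "longDescription", "name", "recommendation", "relatedEvent", "severity",
              "shortDescription", "state", "time", "timeEnd", "timeStart",
              "timeUpdated", "timezone", "type", "url"},
    "resource": {"accountId", "additionalProperties", "criticality", "group", "guid",
                 "name", "region", "type", "url", "zone"},
    "service": {"additionalProperties", "guid", "name", "region", "type", "url", "zone"},
    "threatactor": {"additionalProperties", "guid", "name", "type"},
    "decorator": {"behavior", "compliance", "custom1", "custom2", "dataClassification",
                  "references", "risk", "threat", "vulnerability"},
}
GEOLOCATION_FIELDS = {"city", "country", "ipv4", "ipv6", "latitude", "longitude",
                      "postalcode", "state"}
TIMESTAMP_FIELDS = {"time", "timeEnd", "timeStart", "timeUpdated"}
# The schema's timestamp form: 2014-01-01T00:00:00Z (an optional fraction is tolerated).
UTC_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d{1,9})?Z$")


def parse_utc(value):
    """Return a datetime for a schema-style UTC timestamp, or None if it is malformed."""
    match = UTC_RE.match(value) if isinstance(value, str) else None
    if not match:
        return None
    try:
        return datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:  # syntactically shaped like a timestamp but e.g. month 13
        return None


def _check_fields(path, obj, allowed, problems):
    """Flag unknown fields and non-string values inside one schema object."""
    if not isinstance(obj, dict):
        problems.append(f"{path}: expected an object")
        return
    for key, value in obj.items():
        if key not in allowed:
            problems.append(f"{path}.{key}: not in schema")
        elif path == "event" and key == "geolocation":
            _check_fields("event.geolocation", value, GEOLOCATION_FIELDS, problems)
        elif not isinstance(value, str):
            problems.append(f"{path}.{key}: schema requires format: string")


def validate(notification):
    """Return a list of problems; an empty list means the notification conforms."""
    if not isinstance(notification, dict):
        return ["notification: expected an object"]
    problems = []
    for section, body in notification.items():
        if section not in SCHEMA:
            problems.append(f"{section}: unknown top-level object")
            continue
        _check_fields(section, body, SCHEMA[section], problems)
    event = notification.get("event")
    if isinstance(event, dict):
        for field in sorted(TIMESTAMP_FIELDS):
            if field in event and parse_utc(event[field]) is None:
                problems.append(f"event.{field}: not ISO 8601 UTC (YYYY-MM-DDThh:mm:ssZ)")
        start = parse_utc(event.get("timeStart"))
        end = parse_utc(event.get("timeEnd"))
        if start and end and end < start:  # assumption: an event cannot end before it starts
            problems.append("event.timeEnd: earlier than event.timeStart")
        geo = event.get("geolocation")
        if isinstance(geo, dict):
            for field, cls in (("ipv4", ipaddress.IPv4Address), ("ipv6", ipaddress.IPv6Address)):
                if field in geo:
                    try:
                        if not isinstance(geo[field], str):
                            raise ValueError
                        cls(geo[field])
                    except ValueError:  # AddressValueError is a ValueError
                        problems.append(f"event.geolocation.{field}: not a valid address")
    return problems


# Constructed sample notifications; no real provider, account or address is referenced.
GOOD = {
    "provider": {"accountId": "acct-0001", "guid": "prov-42", "name": "example-tenant",
                 "product": "Example Cloud Guard", "type": "IaaS"},
    "event": {"guid": "evt-1", "name": "Public bucket detected", "severity": "High",
              "state": "active", "type": "Misconfiguration",
              "timeStart": "2014-01-01T00:00:00Z", "timeEnd": "2014-01-01T00:05:00Z",
              "geolocation": {"country": "US", "ipv4": "198.51.100.7", "ipv6": "2001:db8::1"}},
    "resource": {"guid": "bucket-7", "type": "ObjectStorage", "criticality": "true"},
}
BAD = {
    "event": {"time": "2014-01-01 00:00:00",  # space instead of T, no Z
              "timeStart": "2014-01-01T00:05:00Z", "timeEnd": "2014-01-01T00:00:00Z",
              "severity": 3, "geolocation": {"ipv4": "999.1.1.1"}},
    "resource": {"owner": "alice"},
    "asset": {},
}

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(sample) or "conforms")
```

Run as a script it prints `GOOD conforms` and six problems for `BAD`. Because every field in the schema is a free-form string, the descriptions are the only place where format constraints are stated; a consumer that ingests notifications from several providers should pin those constraints down in code as above rather than trust that each producer read the descriptions the same way.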