From 15e50d76797d5ec2cd5c48a7815cffc5d8a5bde8 Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Fri, 19 Aug 2022 13:11:43 -0400
Subject: [PATCH 01/14] Create 0033-host-fields.md
---
rfcs/text/0033-host-fields.md | 312 ++++++++++++++++++++++++++++++++++
1 file changed, 312 insertions(+)
create mode 100644 rfcs/text/0033-host-fields.md
diff --git a/rfcs/text/0033-host-fields.md b/rfcs/text/0033-host-fields.md
new file mode 100644
index 0000000000..30dcf6459f
--- /dev/null
+++ b/rfcs/text/0033-host-fields.md
@@ -0,0 +1,312 @@
+# 0000: Host Fields
+
+
+- Stage: **0 (strawperson)**
+- Date: **8-12-2022**
+
+
+
+
+ The host fields describe information about the host that is relevant to an event and extends the ECS host field set in several ways:
+
+- The host field set supports additional host bios fields.
+- The host field set supports additional host cpu fields.
+- The host field set supports additional fields describing a supplemental details that the host can generate.
+
+
+
+## Fields
+Definitions
+
+
+
+Field Name | Special Instructions | Justification/Use Case
+| :--: | :-- | :-- |
+| memory | The numeric value is a base value for memory. The two character unit type represents a multiplication factor to determine actual memory.
Normalize to byte value by multiplying base value by unit type as follows
Unit | Multiplication Factor |
B | (2^0) 1 |
KB | (2^10) 1024 |
MB | (2^20) 1,048,576 |
GB | (2^30) 1,073,741,824 |
TB | (2^40) 1,099,511,627,776 |
| Detects specific baselines of physical configuration for asset management.
+| last_logon.time | N/A | Login time tells the last time a user logged into the system, which may provide insights into events occurring on that system.|
+| created | N/A | Indicates that device is known to domain.|
+| distinguished_name | N/A | The distinguished name indicates ownership of the host. It uniquely identifies the host in an x509 certificate.|
+| modified | N/A | Indicates when information has changed for the host in a directory service.|
+| bios.manufacturer | Normalization: lower case | This is a string representing the system manufacturer of the host. Useful for supply chain issue detection.|
+| bios.release_date | This date will need to be converted to a ECS date format. | The bios release date. Useful for supply chain issue detection.|
+| bios.secure_boot_enabled | If disabled set to false; if enabled set to true. | Used to detect misconfiguration in Secure Boot.|
+| bios.uuid | N/A | A unique identifier assigned to the computer mother board.|
+| bios.version | N/A | Version of the BIOS, this string is created by the BIOS manufacturer. Useful for supply chain issue detection.|
+| cpu.architecture | Normalize these entries to the following format:
:
"x64: x64-based PC"
"x64: x86_64"
"x32: x86-based PC" | Detects out of date CPUs.|
+| cpu.core.count | N/A | Detects specific baselines of physical configuration for asset management.|
+| cpu.count | N/A | Detects specific baselines of physical configuration for asset management.|
+| cpu.logical_processor.count | N/A | Detects specific baselines of physical configuration for asset management.|
+| cpu.manufacturer | Note that a manufacturer is displayed for each CPU, select the first. Multiple manufacturers are not expected. | Useful for supply chain issue detection.|
+| cpu.name | Normalize raw field into lowercase format for easier query | Useful for supply chain issue detection.|
+| cpu.speed | Normalize to GHZ, do not round but use 0.28 etc, where required.| Detects specific baselines of physical configuration for asset management.|
+
+
+
+ - name: memory
+ level: custom
+ type: unsigned long
+ example: 17,179,869,184
+ description: >
+ Physical memory of the host machine in bytes.
+
+ - name: last_logon.time
+ level: custom
+ type: date
+ description: >
+ The time of the last user logon to the host. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time.
+
+ - name: created
+ level: custom
+ type: date
+ description: >
+ Date and time of when the device was registered in the domain.
+
+ - name: distinguished_name
+ level: custom
+ type: keyword
+ example: CN=foo, CN=computers, DC=acme, DC=company, DC=edu
+ normalized: array
+ description: >
+ Distinguished name of the host.
+
+ - name: modified
+ level: custom
+ type: date
+ description: >
+ Date the host's details were last modified.
+
+ - name: bios.manufacturer
+ level: custom
+ type: keyword
+ example: dell inc.
+ description: >
+ This is a string representing the system manufacturer of the host.
+
+ - name: bios.release_date
+ level: custom
+ type: date
+ description: >
+ The bios release date.
+
+ - name: bios.secure_boot_enabled
+ level: custom
+ type: boolean
+ description: >
+ Indicator that Secure Boot is enabled on the computer.
+
+ - name: bios.uuid
+ level: custom
+ type: keyword
+ example: 4C4C4544-0056-5010-805A-CAC04F475132
+ description: >
+ A unique identifier assigned to the computer mother board.
+
+ - name: bios.version
+ level: custom
+ type: keyword
+ example: 1.6.13
+ description: >
+ Version of the BIOS. This string is created by the BIOS manufacturer.
+
+ - name: cpu.architecture
+ level: custom
+ type: keyword
+ example: "x64: x86_64"
+ description: >
+ The CPU architecture and raw string of the CPU provided by the OS.
+
+ - name: cpu.core.count
+ level: custom
+ type: integer
+ example: 10
+ description: >
+ Number of physical cores per CPU on host machine.
+
+ - name: cpu.count
+ level: custom
+ type: integer
+ example: 2
+ description: >
+ Number of CPUs on host machine.
+
+ - name: cpu.logical_processor.count
+ level: custom
+ type: integer
+ example: 40
+ description: >
+ Number of logical processors per CPU on host machine (physical cores multiplied by threads per core).
+
+ - name: cpu.manufacturer
+ level: custom
+ type: keyword
+ example: Intel
+ description: >
+ Manufacturer of CPU.
+
+ - name: cpu.name
+ level: custom
+ type: keyword
+ example: intel(r) core(tm) i3-2370m cpu
+ description: >
+ The full name of the cpu model.
+
+ - name: cpu.speed
+ level: custom
+ type: float
+ example: 2.21
+ description: >
+ Float type defining the speed of the CPU in GHZ with null and blank values stored as -1.0 and -2.0 respectively.
+
+
+
+## Usage
+
+
+ ### `memory`
+ Detects specific baselines of physical configuration for asset management.
+
+ ### `last_logon.time`
+ Login time tells the last time a user logged into the system, which may provide insights into events occurring on that system.
+
+ ### `created`
+ Indicates that device is known to domain.
+
+ ### `distinguished_name`
+ The distinguished name indicates ownership of the host. It uniquely identifies the host in an x509 certificate.
+
+ ### `modified`
+ Indicates when information has changed for the host in a directory service.
+
+ ### `bios.manufacturer`
+ This is a string representing the system manufacturer of the host. Useful for supply chain issue detection.
+
+ ### `bios.release_date`
+ The bios release date. Useful for supply chain issue detection.
+
+ ### `bios.secure_boot_enabled`
+ Used to detect misconfiguration in Secure Boot.
+
+ ### `bios.uuid`
+ A unique identifier assigned to the computer mother board.
+
+ ### `bios.version`
+ Version of the BIOS, this string is created by the BIOS manufacturer. Useful for supply chain issue detection.
+
+ ### `cpu.architecture`
+ Detects out of date CPUs.
+
+ ### `cpu.core.count`, `cpu.count`, `cpu.logical_processor.count`
+ Detects specific baselines of physical configuration for asset management.
+
+ ### `cpu.manufacturer`, `cpu.name`
+ Useful for supply chain issue detection.
+
+ ### `cpu.speed`
+ Detects specific baselines of physical configuration for asset management.
+
+## Source data
+
+
+The host fields in this RFC are sourced from the following data feeds:
+ - Endpoint Detection and Response System Audit Logs & Alerts
+ - Office 365 Device Audit Logs
+ - Active Directory Computer Objects
+ - Windows Event Logs
+
+
+ Host & Network Interface Information collects information about host computer configurations, vulnerabilities and compliance from endpoint computers.
+
+ Azure Active Directory (Azure AD) tracks user activity and creates reports that help you understand how your users access and use Azure AD services. The Microsoft Graph API for Azure AD provides a means to access data in the activity reports.
+
+ Active Directory (AD) stores information about objects on the network and makes this information available for administrators and users. AD uses a structured data store as the basis for a logical, hierarchical organization of directory information. This data store, also known as the directory, contains information about AD objects. These objects typically include shared resources such as Users, Computers, Groups, Organizational Units, etc.
+
+ Host Information collects configuration and compliance data from endpoint computers.
+
+
+
+
+
+
+## Scope of impact
+
+
+ * Ingestion mechanisms
+ - Custom
+ * Usage mechanisms (e.g. Kibana applications, detections)
+ - Kibana
+ - Custom applications
+
+## Concerns
+
+
+The term manufacturer is used here while in Elastic Common Schema the appropriate equivalent could be viewed as vendor which may lead to confusion.
+
+
+
+
+## People
+
+The following are the people that consulted on the contents of this RFC.
+
+* @donneesdata | Author, Sponsor
+
+
+
+
+## References
+
+
+
+### RFC Pull Requests
+
+
+
+* Stage 0: https://github.com/elastic/ecs/pull/NNN
+
+
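Review bot: the Markdown table under `## Fields` is broken by the multi-line `memory` and `cpu.architecture` cells: the rows starting `| memory |` and `| cpu.architecture |` continue onto bare lines (the unit table `B | (2^0) 1 |` through `TB | (2^40) 1,099,511,627,776 |`, and the three quoted architecture strings) that carry no leading `|`, so the table will not render; move the unit conversion and the normalization list into prose below the table and keep each row on one line. Several schema details also need fixing before this can be checked with ECS tooling: `level: custom` is not an ECS level (`core` or `extended`), the `memory` example `17,179,869,184` is not a valid integer for an `unsigned long` field (drop the separators), and `normalized: array` on `distinguished_name` is not the `normalize` key ECS uses. On `cpu.speed`, storing null and blank as `-1.0` and `-2.0` puts sentinel values into a `float` field and will skew any min or average aggregation; the usual ECS practice is to omit the field when the value is unknown. Two justifications overstate what the data supports: `distinguished_name` says the DN "uniquely identifies the host in an x509 certificate", but the example `CN=foo, CN=computers, DC=acme, DC=company, DC=edu` is an Active Directory object DN, not a certificate subject, and `cpu.architecture` overlaps with the existing ECS `host.architecture`, so the RFC should say why a second, differently formatted field is needed. Finally, the title `# 0000: Host Fields` should carry the RFC number from the file name (0033), the Stage 0 link still reads `pull/NNN`, and the intro sentence ("describe information ... and extends", "describing a supplemental details") needs grammar fixes.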
From a5ac9ba1f9206cf01b5561f38d01e4c89411b7c4 Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Wed, 31 Aug 2022 15:53:26 -0400
Subject: [PATCH 02/14] 0036-software-fields.md
---
rfcs/text/0036-software-fields.md | 312 ++++++++++++++++++++++++++++++
1 file changed, 312 insertions(+)
create mode 100644 rfcs/text/0036-software-fields.md
diff --git a/rfcs/text/0036-software-fields.md b/rfcs/text/0036-software-fields.md
new file mode 100644
index 0000000000..7812b8af9f
--- /dev/null
+++ b/rfcs/text/0036-software-fields.md
@@ -0,0 +1,312 @@
+# 0000: Software Fields
+
+
+- Stage: **0 (strawperson)**
+- Date: **8-12-2022**
+
+
+
+
+ The host fields describe information about the host that is relevant to an event and extends the ECS host field set in several ways:
+
+- The host field set supports additional host bios fields.
+- The host field set supports additional host cpu fields.
+- The host field set supports additional fields describing a supplemental details that the host can generate.
+
+
+
+## Fields
+Definitions
+
+
+
+Field Name | Special Instructions | Justification/Use Case
+| :--: | :-- | :-- |
+| memory | The numeric value is a base value for memory. The two character unit type represents a multiplication factor to determine actual memory.
Normalize to byte value by multiplying base value by unit type as follows
Unit | Multiplication Factor |
B | (2^0) 1 |
KB | (2^10) 1024 |
MB | (2^20) 1,048,576 |
GB | (2^30) 1,073,741,824 |
TB | (2^40) 1,099,511,627,776 |
| Detects specific baselines of physical configuration for asset management.
+| last_logon.time | N/A | Login time tells the last time a user logged into the system, which may provide insights into events occurring on that system.|
+| created | N/A | Indicates that device is known to domain.|
+| distinguished_name | N/A | The distinguished name indicates ownership of the host. It uniquely identifies the host in an x509 certificate.|
+| modified | N/A | Indicates when information has changed for the host in a directory service.|
+| bios.manufacturer | Normalization: lower case | This is a string representing the system manufacturer of the host. Useful for supply chain issue detection.|
+| bios.release_date | This date will need to be converted to a ECS date format. | The bios release date. Useful for supply chain issue detection.|
+| bios.secure_boot_enabled | If disabled set to false; if enabled set to true. | Used to detect misconfiguration in Secure Boot.|
+| bios.uuid | N/A | A unique identifier assigned to the computer mother board.|
+| bios.version | N/A | Version of the BIOS, this string is created by the BIOS manufacturer. Useful for supply chain issue detection.|
+| cpu.architecture | Normalize these entries to the following format:
:
"x64: x64-based PC"
"x64: x86_64"
"x32: x86-based PC" | Detects out of date CPUs.|
+| cpu.core.count | N/A | Detects specific baselines of physical configuration for asset management.|
+| cpu.count | N/A | Detects specific baselines of physical configuration for asset management.|
+| cpu.logical_processor.count | N/A | Detects specific baselines of physical configuration for asset management.|
+| cpu.manufacturer | Note that a manufacturer is displayed for each CPU, select the first. Multiple manufacturers are not expected. | Useful for supply chain issue detection.|
+| cpu.name | Normalize raw field into lowercase format for easier query | Useful for supply chain issue detection.|
+| cpu.speed | Normalize to GHZ, do not round but use 0.28 etc, where required.| Detects specific baselines of physical configuration for asset management.|
+
+
+
+ - name: memory
+ level: custom
+ type: unsigned long
+ example: 17,179,869,184
+ description: >
+ Physical memory of the host machine in bytes.
+
+ - name: last_logon.time
+ level: custom
+ type: date
+ description: >
+ The time of the last user logon to the host. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time.
+
+ - name: created
+ level: custom
+ type: date
+ description: >
+ Date and time of when the device was registered in the domain.
+
+ - name: distinguished_name
+ level: custom
+ type: keyword
+ example: CN=foo, CN=computers, DC=acme, DC=company, DC=edu
+ normalized: array
+ description: >
+ Distinguished name of the host.
+
+ - name: modified
+ level: custom
+ type: date
+ description: >
+ Date the host's details were last modified.
+
+ - name: bios.manufacturer
+ level: custom
+ type: keyword
+ example: dell inc.
+ description: >
+ This is a string representing the system manufacturer of the host.
+
+ - name: bios.release_date
+ level: custom
+ type: date
+ description: >
+ The bios release date.
+
+ - name: bios.secure_boot_enabled
+ level: custom
+ type: boolean
+ description: >
+ Indicator that Secure Boot is enabled on the computer.
+
+ - name: bios.uuid
+ level: custom
+ type: keyword
+ example: 4C4C4544-0056-5010-805A-CAC04F475132
+ description: >
+ A unique identifier assigned to the computer mother board.
+
+ - name: bios.version
+ level: custom
+ type: keyword
+ example: 1.6.13
+ description: >
+ Version of the BIOS. This string is created by the BIOS manufacturer.
+
+ - name: cpu.architecture
+ level: custom
+ type: keyword
+ example: "x64: x86_64"
+ description: >
+ The CPU architecture and raw string of the CPU provided by the OS.
+
+ - name: cpu.core.count
+ level: custom
+ type: integer
+ example: 10
+ description: >
+ Number of physical cores per CPU on host machine.
+
+ - name: cpu.count
+ level: custom
+ type: integer
+ example: 2
+ description: >
+ Number of CPUs on host machine.
+
+ - name: cpu.logical_processor.count
+ level: custom
+ type: integer
+ example: 40
+ description: >
+ Number of logical processors per CPU on host machine (physical cores multiplied by threads per core).
+
+ - name: cpu.manufacturer
+ level: custom
+ type: keyword
+ example: Intel
+ description: >
+ Manufacturer of CPU.
+
+ - name: cpu.name
+ level: custom
+ type: keyword
+ example: intel(r) core(tm) i3-2370m cpu
+ description: >
+ The full name of the cpu model.
+
+ - name: cpu.speed
+ level: custom
+ type: float
+ example: 2.21
+ description: >
+ Float type defining the speed of the CPU in GHZ with null and blank values stored as -1.0 and -2.0 respectively.
+
+
+
+## Usage
+
+
+ ### `memory`
+ Detects specific baselines of physical configuration for asset management.
+
+ ### `last_logon.time`
+ Login time tells the last time a user logged into the system, which may provide insights into events occurring on that system.
+
+ ### `created`
+ Indicates that device is known to domain.
+
+ ### `distinguished_name`
+ The distinguished name indicates ownership of the host. It uniquely identifies the host in an x509 certificate.
+
+ ### `modified`
+ Indicates when information has changed for the host in a directory service.
+
+ ### `bios.manufacturer`
+ This is a string representing the system manufacturer of the host. Useful for supply chain issue detection.
+
+ ### `bios.release_date`
+ The bios release date. Useful for supply chain issue detection.
+
+ ### `bios.secure_boot_enabled`
+ Used to detect misconfiguration in Secure Boot.
+
+ ### `bios.uuid`
+ A unique identifier assigned to the computer mother board.
+
+ ### `bios.version`
+ Version of the BIOS, this string is created by the BIOS manufacturer. Useful for supply chain issue detection.
+
+ ### `cpu.architecture`
+ Detects out of date CPUs.
+
+ ### `cpu.core.count`, `cpu.count`, `cpu.logical_processor.count`
+ Detects specific baselines of physical configuration for asset management.
+
+ ### `cpu.manufacturer`, `cpu.name`
+ Useful for supply chain issue detection.
+
+ ### `cpu.speed`
+ Detects specific baselines of physical configuration for asset management.
+
+## Source data
+
+
+The host fields in this RFC are sourced from the following data feeds:
+ - Endpoint Detection and Response System Audit Logs & Alerts
+ - Office 365 Device Audit Logs
+ - Active Directory Computer Objects
+ - Windows Event Logs
+
+
+ Host & Network Interface Information collects information about host computer configurations, vulnerabilities and compliance from endpoint computers.
+
+ Azure Active Directory (Azure AD) tracks user activity and creates reports that help you understand how your users access and use Azure AD services. The Microsoft Graph API for Azure AD provides a means to access data in the activity reports.
+
+ Active Directory (AD) stores information about objects on the network and makes this information available for administrators and users. AD uses a structured data store as the basis for a logical, hierarchical organization of directory information. This data store, also known as the directory, contains information about AD objects. These objects typically include shared resources such as Users, Computers, Groups, Organizational Units, etc.
+
+ Host Information collects configuration and compliance data from endpoint computers.
+
+
+
+
+
+
+## Scope of impact
+
+
+ * Ingestion mechanisms
+ - Custom
+ * Usage mechanisms (e.g. Kibana applications, detections)
+ - Kibana
+ - Custom applications
+
+## Concerns
+
+
+The term manufacturer is used here while in Elastic Common Schema the appropriate equivalent could be viewed as vendor which may lead to confusion.
+
+
+
+
+## People
+
+The following are the people that consulted on the contents of this RFC.
+
+* @donneesdata | Author, Sponsor
+
+
+
+
+## References
+
+
+
+### RFC Pull Requests
+
+
+
+* Stage 0: https://github.com/elastic/ecs/pull/NNN
+
+
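Review bot: the new file `0036-software-fields.md` is a verbatim copy of the host fields RFC with only the H1 changed to `# 0000: Software Fields`; the intro still reads "The host fields describe information about the host", and every field in the table, the YAML definitions and the `## Usage` section (`memory`, `bios.*`, `cpu.*`, `last_logon.time`) is a host field. Replace the body with the software field set this RFC is meant to propose, or hold the commit until it does; as submitted it also inherits the broken multi-line table rows, the `0000` number in the title and the `pull/NNN` placeholder noted on the host fields file.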
From 85fc9f312c97cba3961b02dc1bdc451d8ea22b95 Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Thu, 1 Sep 2022 12:45:43 -0400
Subject: [PATCH 03/14] Update 0036-software-fields.md
---
rfcs/text/0036-software-fields.md | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rfcs/text/0036-software-fields.md b/rfcs/text/0036-software-fields.md
index 7812b8af9f..55165cde8d 100644
--- a/rfcs/text/0036-software-fields.md
+++ b/rfcs/text/0036-software-fields.md
@@ -53,12 +53,13 @@ Field Name | Special Instructions | Justification/Use Case
- - name: memory
+ - name: cpe
level: custom
- type: unsigned long
- example: 17,179,869,184
+ type: keyword
+ normalization: array
+ example: ["cpe:/o:microsoft:windows", "cpe:/a:adobe:acrobat"]
description: >
- Physical memory of the host machine in bytes.
+ Software identified by its common platform enumeration (CPE) value.
- name: last_logon.time
level: custom
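Review bot: `normalization: array` on the new `cpe` definition is not the key ECS field definitions use; the schema key is `normalize` and it takes a list, so this should read `normalize:` followed by `- array`. The example `["cpe:/o:microsoft:windows", "cpe:/a:adobe:acrobat"]` uses the CPE 2.2 URI form; since consumers will match these strings against vulnerability data, and NVD publishes CPE 2.3 formatted strings of the shape `cpe:2.3:o:microsoft:windows:...`, the description should state which binding is expected and how values are normalized between them, otherwise lookups silently miss. Note also that this hunk only swaps the first YAML entry: the trailing context (`- name: last_logon.time`) and the field table above it are still the host fields from the copied RFC.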
From a01b25343f5361f2fa4a52aacc5369723985d8eb Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Thu, 1 Sep 2022 16:09:54 -0400
Subject: [PATCH 04/14] Update 0036-software-fields.md
---
rfcs/text/0036-software-fields.md | 109 ++++++++++++++----------------
1 file changed, 49 insertions(+), 60 deletions(-)
diff --git a/rfcs/text/0036-software-fields.md b/rfcs/text/0036-software-fields.md
index 55165cde8d..74fa585dcc 100644
--- a/rfcs/text/0036-software-fields.md
+++ b/rfcs/text/0036-software-fields.md
@@ -33,7 +33,7 @@ Stage 1: Describe at a high level how this change affects fields. Include new or
-->
Field Name | Special Instructions | Justification/Use Case
| :--: | :-- | :-- |
-| memory | The numeric value is a base value for memory. The two character unit type represents a multiplication factor to determine actual memory.
Normalize to byte value by multiplying base value by unit type as follows
Unit | Multiplication Factor |
B | (2^0) 1 |
KB | (2^10) 1024 |
MB | (2^20) 1,048,576 |
GB | (2^30) 1,073,741,824 |
TB | (2^40) 1,099,511,627,776 |
| Detects specific baselines of physical configuration for asset management.
+| cpe | N/A | Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
IT management tools can collect information about installed products, identifying these products using their CPE names, and then use this standardized information to help make fully or partially automated decisions regarding the assets. For example, identifying the presence of XYZ Visualizer Enterprise Suite could trigger a vulnerability management tool to check the system for known vulnerabilities in the software, and also trigger a configuration management tool to verify that the software is configured securely in accordance with the organization's policies.
| last_logon.time | N/A | Login time tells the last time a user logged into the system, which may provide insights into events occurring on that system.|
| created | N/A | Indicates that device is known to domain.|
| distinguished_name | N/A | The distinguished name indicates ownership of the host. It uniquely identifies the host in an x509 certificate.|
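Review bot: the replacement `| cpe | N/A | ...` row spans two lines with a paragraph break inside the justification cell and no closing `|`, so the table will not render; keep the row on one line (the longer CPE explanation already appears under `## Usage` in this patch) and terminate it with `|`. The rest of the table (`| last_logon.time |`, `| created |`, `| distinguished_name |` and following) is still the host field set and should be removed from a software fields RFC.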
@@ -61,113 +61,102 @@ Field Name | Special Instructions | Justification/Use Case
description: >
Software identified by its common platform enumeration (CPE) value.
- - name: last_logon.time
+ - name: name
level: custom
- type: date
+ type: keyword
+ example: skype
description: >
- The time of the last user logon to the host. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time.
+ The name of the software.
- - name: created
+ - name: modules.name
level: custom
- type: date
+ type: keyword
+ example: Anti-spyware protection
description: >
- Date and time of when the device was registered in the domain.
+ Module name.
- - name: distinguished_name
+ - name: version
level: custom
type: keyword
- example: CN=foo, CN=computers, DC=acme, DC=company, DC=edu
- normalized: array
+ example: 27/1.0.0.2021090243
description: >
- Distinguished name of the host.
+ The software version.
- - name: modified
+ - name: add_on.name
level: custom
- type: date
+ type: keyword
+ example: Wiki
description: >
- Date the host's details were last modified.
+ The name of the software add-on/extension that generated the event.
- - name: bios.manufacturer
+ - name: add_on.type
level: custom
type: keyword
- example: dell inc.
+ example: Bot
description: >
- This is a string representing the system manufacturer of the host.
+ The type of the software add-on/extension that generated the event.
- - name: bios.release_date
+ - name: add_on.url.full
level: custom
- type: date
+ type: keyword
+ example: https://example.com/download/my_add_on
description: >
- The bios release date.
+ Software installed on the host identified common platform enumeration (CPE) value.
- - name: bios.secure_boot_enabled
+ - name: family
level: custom
- type: boolean
+ type: keyword
+ example: TVD
description: >
- Indicator that Secure Boot is enabled on the computer.
+ A vendor provided categorization of the software.
- - name: bios.uuid
+ - name: vendor
level: custom
type: keyword
- example: 4C4C4544-0056-5010-805A-CAC04F475132
+ example: google
description: >
- A unique identifier assigned to the computer mother board.
+ The vendor or provider of the software.
- - name: bios.version
+ - name: type
level: custom
type: keyword
- example: 1.6.13
+ example: exe
description: >
- Version of the BIOS. This string is created by the BIOS manufacturer.
+ Software type.
- - name: cpu.architecture
+ - name: state
level: custom
type: keyword
- example: "x64: x86_64"
+ example: running
description: >
- The CPU architecture and raw string of the CPU provided by the OS.
+ Current state of the software.
- - name: cpu.core.count
+ - name: patch.kb
level: custom
- type: integer
- example: 10
- description: >
- Number of physical cores per CPU on host machine.
-
- - name: cpu.count
- level: custom
- type: integer
- example: 2
+ type: keyword
+ example: KB4538461
description: >
- Number of CPUs on host machine.
+ Software patch ID.
- - name: cpu.logical_processor.count
+ - name: install.time
level: custom
- type: integer
- example: 40
+ type: date
description: >
- Number of logical processors per CPU on host machine (physical cores multiplied by threads per core).
+ Time the software was installed.
- - name: cpu.manufacturer
+ - name: locale
level: custom
type: keyword
- example: Intel
+ example: Hungarian
description: >
- Manufacturer of CPU.
+ The human language used in the application intended for the user to read.
- - name: cpu.name
+ - name: patch.name
level: custom
type: keyword
- example: intel(r) core(tm) i3-2370m cpu
- description: >
- The full name of the cpu model.
-
- - name: cpu.speed
- level: custom
- type: float
- example: 2.21
+ example: Microsoft.MicrosoftEdge.Stable.97.0.1072.55_neutral_8wekyb3d8bbwe
description: >
- Float type defining the speed of the CPU in GHZ with null and blank values stored as -1.0 and -2.0 respectively.
+ The software patch package's full name.
- ### `memory`
- Detects specific baselines of physical configuration for asset management.
+ ### `cpe`
+ Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
+
+IT management tools can collect information about installed products, identifying these products using their CPE names, and then use this standardized information to help make fully or partially automated decisions regarding the assets. For example, identifying the presence of XYZ Visualizer Enterprise Suite could trigger a vulnerability management tool to check the system for known vulnerabilities in the software, and also trigger a configuration management tool to verify that the software is configured securely in accordance with the organization's policies.
- ### `last_logon.time`
- Login time tells the last time a user logged into the system, which may provide insights into events occurring on that system.
+ ### `name`
+ Name of software often useful to cross reference other data sources.
- ### `created`
- Indicates that device is known to domain.
+ ### `modules.name`
+ A module usually represents an application, a language stack, or any other logical collection of packages. Module name should represent the name of the software it ships.
- ### `distinguished_name`
- The distinguished name indicates ownership of the host. It uniquely identifies the host in an x509 certificate.
+ ### `version`, `install.time`
+ Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.
- ### `modified`
- Indicates when information has changed for the host in a directory service.
+ ### `add_on.name`, `add_on.type`, `add_on.url.full`
+ Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns.
- ### `bios.manufacturer`
- This is a string representing the system manufacturer of the host. Useful for supply chain issue detection.
+ The type field provides a means of understanding and correlation of events to types.
- ### `bios.release_date`
- The bios release date. Useful for supply chain issue detection.
+ The url field provides a means of understanding and correlation of events to the location where the add_on can be download from.
- ### `bios.secure_boot_enabled`
- Used to detect misconfiguration in Secure Boot.
+ ### `family`
+ Software product families have gained much important from the increased usage of software in consumer products. “A software product family is commonly defined to consist of a common architecture, a set of reusable assets used in systematically producing individual products, and the set of products thus produced”. One software product family normally has a very large number of products. The definition indicates that software components are reused on a common architecture because the products belonging to one family have a lot of common features and build upon a common architecture.
- ### `bios.uuid`
- A unique identifier assigned to the computer mother board.
+ ### `vendor`
+ Software vendors can develop a wide range of consumer and business applications for a variety of devices, from computers and tablets, to mobile phones, to automobiles, manufacturing equipment, and more. The applications developed by software vendors can be deployed on premise or, increasingly, are cloud based and can be accessed via the Internet.
- ### `bios.version`
- Version of the BIOS, this string is created by the BIOS manufacturer. Useful for supply chain issue detection.
+ ### `type`
+ Software packages are complete pieces of software that can work on their own, without additions or other necessary parts. Computer software packages control the physical parts of the machine so that these parts know how to work together. Other names for software are apps, programs, applications, program modules, procedures, scripts and source code. Computer software is adapted to the properties of the hardware. What works on one type of computer will not necessarily work on another. Some types of software are installed when a computer is built and are necessary for the computer to function. Other software packages can be purchased separately or downloaded from the Internet and added to the computer at any time.
- ### `cpu.architecture`
- Detects out of date CPUs.
+ ### `state`
+ Software state is information your program manipulates to accomplish some task. It is data or information that gets changed or manipulated throughout the runtime of a program. The "state" of a program at a given time refers to a snapshot of all the data the program is currently looking at or analyzing to get to the next step in it's execution.
- ### `cpu.core.count`, `cpu.count`, `cpu.logical_processor.count`
- Detects specific baselines of physical configuration for asset management.
+ ### `patch.kb`
+ Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Keeping track of the patch ID allows for the administrator to ascertain any issues resulting from a specific patch update.
- ### `cpu.manufacturer`, `cpu.name`
- Useful for supply chain issue detection.
+ ### `locale`
+ Knowing the software.locale makes it easier to translate and understand any instructions associated with the application.
- ### `cpu.speed`
- Detects specific baselines of physical configuration for asset management.
+ ### `patch.name`
+ Good patch documentation including the software patch package's full name is important for letting the administrator easily identify and distinguish patches from each other.
## Source data
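Review bot: the replacement paragraphs under `### \`type\`` and `### \`state\`` define what a software package is and what a program's runtime state is, but never say what values the fields carry, so an implementer cannot tell `type` (exemplified as `exe` in the field definitions below) from `family`, or whether `state` means installed, running or stopped for an inventory record. Suggest replacing both with the expected value set and one example per value. The same applies to `### \`patch.kb\``: the text speaks of a generic "patch ID" while the field name implies Microsoft KB numbers, so state whether other vendors' patch identifiers are allowed and how they are formatted.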
From 7eab59048d95ffc23411167d5cd0186771d5027e Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Fri, 2 Sep 2022 11:53:19 -0400
Subject: [PATCH 07/14] Create 0037-user-fields.md
---
rfcs/text/0037-user-fields.md | 300 ++++++++++++++++++++++++++++++++++
1 file changed, 300 insertions(+)
create mode 100644 rfcs/text/0037-user-fields.md
diff --git a/rfcs/text/0037-user-fields.md b/rfcs/text/0037-user-fields.md
new file mode 100644
index 0000000000..fea97e42ff
--- /dev/null
+++ b/rfcs/text/0037-user-fields.md
@@ -0,0 +1,300 @@
+# 0000: Software Fields
+
+
+- Stage: **0 (strawperson)**
+- Date: **8-12-2022**
+
+
+
+
+ The host fields describe information about the host that is relevant to an event and extends the ECS host field set in several ways:
+
+- The host field set supports additional host bios fields.
+- The host field set supports additional host cpu fields.
+- The host field set supports additional fields describing a supplemental details that the host can generate.
+
+
+
+## Fields
+Definitions
+
+
+
+Field Name | Special Instructions | Justification/Use Case
+| :--: | :-- | :-- |
+| cpe | N/A | Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
IT management tools can collect information about installed products, identifying these products using their CPE names, and then use this standardized information to help make fully or partially automated decisions regarding the assets. For example, identifying the presence of XYZ Visualizer Enterprise Suite could trigger a vulnerability management tool to check the system for known vulnerabilities in the software, and also trigger a configuration management tool to verify that the software is configured securely in accordance with the organization's policies.
+| name | N/A | Name of software often useful to cross reference other data sources.|
+| modules.name | N/A | A module usually represents an application, a language stack, or any other logical collection of packages. Module name should represent the name of the software it ships.|
+| version | N/A | Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.|
+| add_on.name | N/A | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns.|
+| add_on.type | Use the AddonType Look up table (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#addontype) to transform Integer value to Member name. | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns. The type field provides a means of understanding and correlation of events to types. |
+| add_on.url.full | N/A | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns. The url field provides a means of understanding and correlation of events to the location where the add_on can be download from.|
+| family | N/A | Software product families have gained much important from the increased usage of software in consumer products. “A software product family is commonly defined to consist of a common architecture, a set of reusable assets used in systematically producing individual products, and the set of products thus produced”. One software product family normally has a very large number of products. The definition indicates that software components are reused on a common architecture because the products belonging to one family have a lot of common features and build upon a common architecture.|
+| vendor | Normalize this field to lowercase. | Software vendors can develop a wide range of consumer and business applications for a variety of devices, from computers and tablets, to mobile phones, to automobiles, manufacturing equipment, and more. The applications developed by software vendors can be deployed on premise or, increasingly, are cloud based and can be accessed via the Internet.|
+| type | Normalization rule: The value must be normalized to lower case. | Software packages are complete pieces of software that can work on their own, without additions or other necessary parts. Computer software packages control the physical parts of the machine so that these parts know how to work together. Other names for software are apps, programs, applications, program modules, procedures, scripts and source code. Computer software is adapted to the properties of the hardware. What works on one type of computer will not necessarily work on another. Some types of software are installed when a computer is built and are necessary for the computer to function. Other software packages can be purchased separately or downloaded from the Internet and added to the computer at any time.|
+| state | N/A | Software state is information your program manipulates to accomplish some task. It is data or information that gets changed or manipulated throughout the runtime of a program. The "state" of a program at a given time refers to a snapshot of all the data the program is currently looking at or analyzing to get to the next step in it's execution.|
+| patch.kb | Normalization rule: The value must be normalized to lower case. | Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Keeping track of the patch ID allows for the administrator to ascertain any issues resulting from a specific patch update.|
+| install.time | N/A | Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.|
+| locale | N/A | Knowing the software.locale makes it easier to translate and understand any instructions associated with the application.|
+| patch.name | N/A | Good patch documentation including the software patch package's full name is important for letting the administrator easily identify and distinguish patches from each other.|
+
+
+
+ - name: cpe
+ level: custom
+ type: keyword
+ normalization: array
+ example: ["cpe:/o:microsoft:windows", "cpe:/a:adobe:acrobat"]
+ description: >
+ Software identified by its common platform enumeration (CPE) value.
+
+ - name: name
+ level: custom
+ type: keyword
+ example: skype
+ description: >
+ The name of the software.
+
+ - name: modules.name
+ level: custom
+ type: keyword
+ example: Anti-spyware protection
+ description: >
+ Module name.
+
+ - name: version
+ level: custom
+ type: keyword
+ example: 27/1.0.0.2021090243
+ description: >
+ The software version.
+
+ - name: add_on.name
+ level: custom
+ type: keyword
+ example: Wiki
+ description: >
+ The name of the software add-on/extension that generated the event.
+
+ - name: add_on.type
+ level: custom
+ type: keyword
+ example: Bot
+ description: >
+ The type of the software add-on/extension that generated the event.
+
+ - name: add_on.url.full
+ level: custom
+ type: keyword
+ example: https://example.com/download/my_add_on
+ description: >
+ Software installed on the host identified common platform enumeration (CPE) value.
+
+ - name: family
+ level: custom
+ type: keyword
+ example: TVD
+ description: >
+ A vendor provided categorization of the software.
+
+ - name: vendor
+ level: custom
+ type: keyword
+ example: google
+ description: >
+ The vendor or provider of the software.
+
+ - name: type
+ level: custom
+ type: keyword
+ example: exe
+ description: >
+ Software type.
+
+ - name: state
+ level: custom
+ type: keyword
+ example: running
+ description: >
+ Current state of the software.
+
+ - name: patch.kb
+ level: custom
+ type: keyword
+ example: KB4538461
+ description: >
+ Software patch ID.
+
+ - name: install.time
+ level: custom
+ type: date
+ description: >
+ Time the software was installed.
+
+ - name: locale
+ level: custom
+ type: keyword
+ example: Hungarian
+ description: >
+ The human language used in the application intended for the user to read.
+
+ - name: patch.name
+ level: custom
+ type: keyword
+ example: Microsoft.MicrosoftEdge.Stable.97.0.1072.55_neutral_8wekyb3d8bbwe
+ description: >
+ The software patch package's full name.
+
+
+
+## Usage
+
+
+ ### `cpe`
+ Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
+
+IT management tools can collect information about installed products, identifying these products using their CPE names, and then use this standardized information to help make fully or partially automated decisions regarding the assets. For example, identifying the presence of XYZ Visualizer Enterprise Suite could trigger a vulnerability management tool to check the system for known vulnerabilities in the software, and also trigger a configuration management tool to verify that the software is configured securely in accordance with the organization's policies.
+
+ ### `name`
+ Name of software often useful to cross reference other data sources.
+
+ ### `modules.name`
+ A module usually represents an application, a language stack, or any other logical collection of packages. Module name should represent the name of the software it ships.
+
+ ### `version`, `install.time`
+ Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.
+
+ ### `add_on.name`, `add_on.type`, `add_on.url.full`
+ Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns.
+
+ The type field provides a means of understanding and correlation of events to types.
+
+ The url field provides a means of understanding and correlation of events to the location where the add_on can be download from.
+
+ ### `family`
+ Software product families have gained much important from the increased usage of software in consumer products. “A software product family is commonly defined to consist of a common architecture, a set of reusable assets used in systematically producing individual products, and the set of products thus produced”. One software product family normally has a very large number of products. The definition indicates that software components are reused on a common architecture because the products belonging to one family have a lot of common features and build upon a common architecture.
+
+ ### `vendor`
+ Software vendors can develop a wide range of consumer and business applications for a variety of devices, from computers and tablets, to mobile phones, to automobiles, manufacturing equipment, and more. The applications developed by software vendors can be deployed on premise or, increasingly, are cloud based and can be accessed via the Internet.
+
+ ### `type`
+ Software packages are complete pieces of software that can work on their own, without additions or other necessary parts. Computer software packages control the physical parts of the machine so that these parts know how to work together. Other names for software are apps, programs, applications, program modules, procedures, scripts and source code. Computer software is adapted to the properties of the hardware. What works on one type of computer will not necessarily work on another. Some types of software are installed when a computer is built and are necessary for the computer to function. Other software packages can be purchased separately or downloaded from the Internet and added to the computer at any time.
+
+ ### `state`
+ Software state is information your program manipulates to accomplish some task. It is data or information that gets changed or manipulated throughout the runtime of a program. The "state" of a program at a given time refers to a snapshot of all the data the program is currently looking at or analyzing to get to the next step in it's execution.
+
+ ### `patch.kb`
+ Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Keeping track of the patch ID allows for the administrator to ascertain any issues resulting from a specific patch update.
+
+ ### `locale`
+ Knowing the software.locale makes it easier to translate and understand any instructions associated with the application.
+
+ ### `patch.name`
+ Good patch documentation including the software patch package's full name is important for letting the administrator easily identify and distinguish patches from each other.
+
+## Source data
+
+
+The host fields in this RFC are sourced from the following data feeds:
+ - Endpoint Detection and Response System Audit Logs & Alerts
+ - Office 365 Device Audit Logs
+ - Active Directory Computer Objects
+ - Windows Event Logs
+
+
+ Host & Network Interface Information collects information about host computer configurations, vulnerabilities and compliance from endpoint computers.
+
+ Azure Active Directory (Azure AD) tracks user activity and creates reports that help you understand how your users access and use Azure AD services. The Microsoft Graph API for Azure AD provides a means to access data in the activity reports.
+
+ Active Directory (AD) stores information about objects on the network and makes this information available for administrators and users. AD uses a structured data store as the basis for a logical, hierarchical organization of directory information. This data store, also known as the directory, contains information about AD objects. These objects typically include shared resources such as Users, Computers, Groups, Organizational Units, etc.
+
+ Host Information collects configuration and compliance data from endpoint computers.
+
+
+
+
+
+
+## Scope of impact
+
+
+ * Ingestion mechanisms
+ - Custom
+ * Usage mechanisms (e.g. Kibana applications, detections)
+ - Kibana
+ - Custom applications
+
+## Concerns
+
+
+The term manufacturer is used here while in Elastic Common Schema the appropriate equivalent could be viewed as vendor which may lead to confusion.
+
+
+
+
+## People
+
+The following are the people that consulted on the contents of this RFC.
+
+* @donneesdata | Author, Sponsor
+
+
+
+
+## References
+
+
+
+### RFC Pull Requests
+
+
+
+* Stage 0: https://github.com/elastic/ecs/pull/NNN
+
+
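Review bot: the new file is `rfcs/text/0037-user-fields.md` but its content is the software field set, so the user RFC has been created from the wrong template: the title is `# 0000: Software Fields`, the intro still describes host bios/cpu fields, and the field list, usage and source-data sections cover `cpe`, `add_on.*` and `patch.*`. Several entries also look copy-pasted rather than written: the description of `add_on.url.full` ("Software installed on the host identified common platform enumeration (CPE) value.") is the `cpe` text, the justification for `install.time` repeats the `version` row verbatim, the Source data paragraph opens "The host fields in this RFC are sourced from the following data feeds:", and the Concerns entry about the term "manufacturer" belongs to the host RFC. Two smaller points on the definitions: the `cpe` example uses the CPE 2.2 URI binding (`cpe:/o:microsoft:windows`) while NVD publishes 2.3 formatted strings (`cpe:2.3:o:microsoft:windows:...`), so say which binding is expected or normalize to 2.3; and `locale` gives `Hungarian` as the example where a language tag such as `hu-HU` is what an inventory source actually emits.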
From e7618617a899666675240ad16c9e5939ea072dbe Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Fri, 2 Sep 2022 12:08:11 -0400
Subject: [PATCH 08/14] Update 0037-user-fields.md
---
rfcs/text/0037-user-fields.md | 75 ++++++++++++++++-------------------
1 file changed, 34 insertions(+), 41 deletions(-)
diff --git a/rfcs/text/0037-user-fields.md b/rfcs/text/0037-user-fields.md
index fea97e42ff..19aab26029 100644
--- a/rfcs/text/0037-user-fields.md
+++ b/rfcs/text/0037-user-fields.md
@@ -1,4 +1,4 @@
-# 0000: Software Fields
+# 0000: User Fields
- Stage: **0 (strawperson)**
@@ -51,83 +51,76 @@ Field Name | Special Instructions | Justification/Use Case
- - name: cpe
+ - name: created
level: custom
- type: keyword
- normalization: array
- example: ["cpe:/o:microsoft:windows", "cpe:/a:adobe:acrobat"]
+ type: date
description: >
- Software identified by its common platform enumeration (CPE) value.
+ Date the user was created.
- - name: name
+ - name: display_name
level: custom
type: keyword
- example: skype
+ example: Smith, John
description: >
- The name of the software.
+ The identity's display name. Note that this may not always be available or up-to-date. This may be similar to user.full_name. Both fields may contain some representation of a user's account registered formal name.
- - name: modules.name
+ - name: expires
level: custom
- type: keyword
- example: Anti-spyware protection
+ type: date
description: >
- Module name.
+ The date when the account expires.
- - name: version
+ - name: home.directory
level: custom
type: keyword
- example: 27/1.0.0.2021090243
+ example: /home/jsmith
description: >
- The software version.
+ The home directory for the account.
- - name: add_on.name
+ - name: home.drive
level: custom
type: keyword
- example: Wiki
+ example: T:
description: >
- The name of the software add-on/extension that generated the event.
+ On windows, the drive letter for the home directory of the account. On Linux/Unix the mount point of the home directory.
- - name: add_on.type
+ - name: is_domain
level: custom
- type: keyword
- example: Bot
+ type: boolean
description: >
- The type of the software add-on/extension that generated the event.
+ Whether the user is a domain user or a local user.
- - name: add_on.url.full
+ - name: is_flagged
level: custom
- type: keyword
- example: https://example.com/download/my_add_on
+ type: boolean
description: >
- Software installed on the host identified common platform enumeration (CPE) value.
+ The account is flagged for some suspicious activity.
- - name: family
+ - name: locked_out
level: custom
- type: keyword
- example: TVD
+ type: date
description: >
- A vendor provided categorization of the software.
+ The date and time that this account was locked out.
- - name: vendor
+ - name: password.cleartext
level: custom
type: keyword
- example: google
+ example: password
description: >
- The vendor or provider of the software.
+ The user password in clear text.
- - name: type
+ - name: password.encrypted
level: custom
type: keyword
- example: exe
+ example: c8fed00eb2e87f1cee8e90ebbe870c190ac3848c
description: >
- Software type.
+ The user password encrypted value.
- - name: state
+ - name: password.last_set
level: custom
- type: keyword
- example: running
+ type: date
description: >
- Current state of the software.
+ Date the password was last changed.
- name: patch.kb
level: custom
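Review bot: `password.cleartext` (example `password`, description "The user password in clear text.") should not be a first-class schema field: any source mapped to it will index live credentials in plain text next to the account identity. Unless there is a concrete use case (credential-exposure detection, for instance) drop it; if it stays, the RFC must mark it as sensitive and document masking or redaction at ingest instead of leaving Concerns empty. Related, `password.encrypted` is described as "The user password encrypted value." but the example `c8fed00eb2e87f1cee8e90ebbe870c190ac3848c` is a 40-hex-character digest (SHA-1 length), that is a hash, not ciphertext; rename it to `password.hash` (with a sibling `password.hash_algorithm` if the sources report it) so consumers do not treat the value as reversible. Smaller points: `locked_out` is typed `date` while the name reads as a boolean (consider `locked_out.time`), `is_flagged` does not say which source sets the flag or for what, and the hunk ends on the unchanged `name: patch.kb` context, so the software `patch.*`, `install.time`, `locale` and `patch.name` definitions remain in the user RFC.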
From ab3da7fafdca2bcd1b825715dc53c6f445d29739 Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Tue, 6 Sep 2022 15:09:48 -0400
Subject: [PATCH 09/14] Update 0033-host-fields.md
changed author name
---
rfcs/text/0033-host-fields.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rfcs/text/0033-host-fields.md b/rfcs/text/0033-host-fields.md
index 30dcf6459f..25c44bef04 100644
--- a/rfcs/text/0033-host-fields.md
+++ b/rfcs/text/0033-host-fields.md
@@ -281,7 +281,7 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should
The following are the people that consulted on the contents of this RFC.
-* @donneesdata | Author, Sponsor
+* @hadadata59 | Author, Sponsor
- The host fields describe information about the host that is relevant to an event and extends the ECS host field set in several ways:
-
-- The host field set supports additional host bios fields.
-- The host field set supports additional host cpu fields.
-- The host field set supports additional fields describing a supplemental details that the host can generate.
+ The software fields describe information about the software that is relevant to an event and creates an ECS software field set. With the addition of a software field set, ECS users will be able to normalize data related to software specific components.
+
@@ -217,6 +214,7 @@ The host fields in this RFC are sourced from the following data feeds:
- Office 365 Device Audit Logs
- Active Directory Computer Objects
- Windows Event Logs
+ - Software Inventory
Host & Network Interface Information collects information about host computer configurations, vulnerabilities and compliance from endpoint computers.
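Review bot: `Software Inventory` is added to the feed list but the sentence introducing it still reads "The host fields in this RFC are sourced from the following data feeds:" and the following paragraphs describe host and network interface collection. The lead-in should say software fields, and a short paragraph should state what a software inventory record contains (at minimum name, version, vendor and install time) so each field definition can be traced to a source.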
@@ -256,7 +254,7 @@ The goal here is to research and understand the impact of these changes on users
-The term manufacturer is used here while in Elastic Common Schema the appropriate equivalent could be viewed as vendor which may lead to confusion.
+There are no current concerns regarding the software field set at this time.
@@ -269,7 +267,7 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should
The following are the people that consulted on the contents of this RFC.
-* @donneesdata | Author, Sponsor
+* @hadadata59 | Author, Sponsor
- The host fields describe information about the host that is relevant to an event and extends the ECS host field set in several ways:
+The User fields describe information about the user that is relevant to an event.
-- The host field set supports additional host bios fields.
-- The host field set supports additional host cpu fields.
-- The host field set supports additional fields describing a supplemental details that the host can generate.
+This RFC extends the ECS user field set in several ways:
+
+- The user field set supports additonal user identifier and name fields to maintain context for the identifier or name.
+- It also defines an authentication field set nested under user.* to describe details of the users authentication attempt relevant to the event.
+- Lastly, the user field set supports additional fields describing a users account status and account profile details.
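Review bot: typos in the added intro: "additonal" should read "additional", "a users account status" should read "a user's account status", and "the users authentication attempt" should read "the user's authentication attempt". The second bullet also announces an authentication field set nested under `user.*`, but none of the rows visible in this patch (`created`, `display_name`, `expires`, `home.*`, `is_domain`, `is_flagged`, `locked_out`, `password.*`, `sam_account_name`) is an authentication field; either add those definitions or drop the bullet until they exist.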
@@ -158,6 +160,13 @@ Stage 2: Add or update all remaining field definitions. The list should now be e
+### General Use Cases:
+- Find all events for a user with a specfic user principal name
+- Find events where user authentication failed
+- Extract detailed information about a user
+
+### Specific Use Cases:
+
### `cpe`
Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
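Review bot: the new `### Specific Use Cases:` heading is immediately followed by the unchanged `### \`cpe\`` section, so the specific use cases remain the software field set's (cpe, add-ons, patches) rather than the user fields this RFC now defines. Replace them with per-field usage for `sam_account_name`, `is_domain`, `locked_out`, `password.last_set` and the rest, and fix "specfic" to "specific" in the first general use case.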
@@ -207,7 +216,7 @@ Stage 1: Provide a high-level description of example sources of data. This does
-->
The host fields in this RFC are sourced from the following data feeds:
- Endpoint Detection and Response System Audit Logs & Alerts
- - Office 365 Device Audit Logs
+ - Office 365 Signin Logs
- Active Directory Computer Objects
- Windows Event Logs
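Review bot: switching the feed to `Office 365 Signin Logs` fits user fields, but the surrounding context is still the host RFC's: the lead sentence says "The host fields in this RFC are sourced from the following data feeds:" and `Active Directory Computer Objects` stays in the list, although the fields added in this patch (`sam_account_name`, `home.directory`, `password.last_set`, `expires`) come from AD user objects. Update the lead-in and replace the computer-object feed with user objects.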
@@ -249,7 +258,7 @@ The goal here is to research and understand the impact of these changes on users
-The term manufacturer is used here while in Elastic Common Schema the appropriate equivalent could be viewed as vendor which may lead to confusion.
+There are no current concerns regarding the user fields within this field set.
@@ -262,7 +271,7 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should
The following are the people that consulted on the contents of this RFC.
-* @donneesdata | Author, Sponsor
+* @hadadata59 | Author, Sponsor
Field Name | Special Instructions | Justification/Use Case
| :--: | :-- | :-- |
-| cpe | N/A | Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
IT management tools can collect information about installed products, identifying these products using their CPE names, and then use this standardized information to help make fully or partially automated decisions regarding the assets. For example, identifying the presence of XYZ Visualizer Enterprise Suite could trigger a vulnerability management tool to check the system for known vulnerabilities in the software, and also trigger a configuration management tool to verify that the software is configured securely in accordance with the organization's policies.
-| name | N/A | Name of software often useful to cross reference other data sources.|
-| modules.name | N/A | A module usually represents an application, a language stack, or any other logical collection of packages. Module name should represent the name of the software it ships.|
-| version | N/A | Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.|
-| add_on.name | N/A | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns.|
-| add_on.type | Use the AddonType Look up table (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#addontype) to transform Integer value to Member name. | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns. The type field provides a means of understanding and correlation of events to types. |
-| add_on.url.full | N/A | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns. The url field provides a means of understanding and correlation of events to the location where the add_on can be download from.|
-| family | N/A | Software product families have gained much important from the increased usage of software in consumer products. “A software product family is commonly defined to consist of a common architecture, a set of reusable assets used in systematically producing individual products, and the set of products thus produced”. One software product family normally has a very large number of products. The definition indicates that software components are reused on a common architecture because the products belonging to one family have a lot of common features and build upon a common architecture.|
-| vendor | Normalize this field to lowercase. | Software vendors can develop a wide range of consumer and business applications for a variety of devices, from computers and tablets, to mobile phones, to automobiles, manufacturing equipment, and more. The applications developed by software vendors can be deployed on premise or, increasingly, are cloud based and can be accessed via the Internet.|
-| type | Normalization rule: The value must be normalized to lower case. | Software packages are complete pieces of software that can work on their own, without additions or other necessary parts. Computer software packages control the physical parts of the machine so that these parts know how to work together. Other names for software are apps, programs, applications, program modules, procedures, scripts and source code. Computer software is adapted to the properties of the hardware. What works on one type of computer will not necessarily work on another. Some types of software are installed when a computer is built and are necessary for the computer to function. Other software packages can be purchased separately or downloaded from the Internet and added to the computer at any time.|
-| state | N/A | Software state is information your program manipulates to accomplish some task. It is data or information that gets changed or manipulated throughout the runtime of a program. The "state" of a program at a given time refers to a snapshot of all the data the program is currently looking at or analyzing to get to the next step in it's execution.|
-| patch.kb | Normalization rule: The value must be normalized to lower case. | Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Keeping track of the patch ID allows for the administrator to ascertain any issues resulting from a specific patch update.|
-| install.time | N/A | Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.|
+| created | N/A | Date the user was created.
+| display_name | N/A | This field may contain some representation of a user's account registered formal name.|
+| expires | Convert raw value user.expires_raw to a ISO time value user.expires. | The date when the account expires. Knowing the date the account expires is helpful in setting reminders for users to request extended access or for the admin to keep track of accounts that need to be deleted upon expiration.|
+| home.directory | N/A | A home directory provides a user with his own space in which to store personal files. More importantly, it prevents user files from taking up valuable space in the root directory, which is the top directory — and the one used by system administrators to quickly access important system files.|
+| home.drive | N/A | On windows, the drive letter for the home directory of the account. On Linux/Unix the mount point of the home directory.|
+| is_domain | N/A | A local user will have the account name prefixed with the machine name. A domain user's account name will be prefixed with its originating domain. If the machine name and the account prefix name don't match, or if the account name prefix matches the local machine, it's generally safe to assume its a local account.|
+| is_flagged | N/A | The account is flagged for some suspicious activity.|
+| locked_out | Convert raw value user.locked_out_raw to a ISO time value. | The date and time that this account was locked out.|
+| password.cleartext | N/A | A clear text password (or Plaintext, or Plain-text) is a way of writing (and sending) a password in a clear, readable format. Such password is not encrypted and can be easily read by other humans and machines.|
+| password.encrypted | N/A | Password encryption is essential to store user credentials stored in a database securely. Without password encryption, anyone accessing a user database on a company's servers (including hackers) could easily view any stored passwords.|
+| password.last_set | N/A | Knowing the date the password was last changed is useful in regards to making sure corporate password policies are being adhered to.|
+| password.expires | N/A | Knowing the date the password will expire is useful in regards to making sure corporate password policies are being adhered to.|
+| password.expired | N/A | Knowing the date the password will expire is useful in regards to making sure corporate password policies are being adhered to.|
+| sam_account_name | N/A | Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.|
| locale | N/A | Knowing the software.locale makes it easier to translate and understand any instructions associated with the application.|
| patch.name | N/A | Good patch documentation including the software patch package's full name is important for letting the administrator easily identify and distinguish patches from each other.|
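Review bot: the `password.cleartext` and `password.encrypted` rows define fields whose value is the user's password, so anything mapped to them is indexed and retained with the event data; the justification text only explains that cleartext is readable and that encryption matters for databases, not why an event should carry either value. Suggest dropping `password.cleartext` outright and, if `password.encrypted` stays, stating exactly what it holds (ciphertext or a digest) and which source emits it. Also in this hunk: the `is_domain` rule contradicts itself ("If the machine name and the account prefix name don't match, or if the account name prefix matches the local machine, it's generally safe to assume its a local account"), since by the two preceding sentences a prefix that differs from the machine name indicates a domain account, so restate it as prefix equals machine name means local, otherwise domain; the `sam_account_name` justification is the software `version` paragraph about keeping software updated; `password.expired` repeats the `password.expires` text verbatim; and the `locale` and `patch.name` rows are software fields that do not belong in the user table.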
From b365059d184ca24d425051b35fcd3beb7ec5f4ba Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Fri, 14 Oct 2022 14:19:47 -0400
Subject: [PATCH 13/14] Delete 0036-software-fields.md
---
rfcs/text/0036-software-fields.md | 298 ------------------------------
1 file changed, 298 deletions(-)
delete mode 100644 rfcs/text/0036-software-fields.md
diff --git a/rfcs/text/0036-software-fields.md b/rfcs/text/0036-software-fields.md
deleted file mode 100644
index 1a547f1359..0000000000
--- a/rfcs/text/0036-software-fields.md
+++ /dev/null
@@ -1,298 +0,0 @@
-# 0000: Software Fields
-
-
-- Stage: **0 (strawperson)**
-- Date: **8-12-2022**
-
-
-
-
- The software fields describe information about the software that is relevant to an event and creates an ECS software field set. With the addition of a software field set, ECS users will be able to normalize data related to software specific components.
-
-
-
-
-## Fields
-Definitions
-
-
-
-Field Name | Special Instructions | Justification/Use Case
-| :--: | :-- | :-- |
-| cpe | N/A | Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
IT management tools can collect information about installed products, identifying these products using their CPE names, and then use this standardized information to help make fully or partially automated decisions regarding the assets. For example, identifying the presence of XYZ Visualizer Enterprise Suite could trigger a vulnerability management tool to check the system for known vulnerabilities in the software, and also trigger a configuration management tool to verify that the software is configured securely in accordance with the organization's policies.
-| name | N/A | Name of software often useful to cross reference other data sources.|
-| modules.name | N/A | A module usually represents an application, a language stack, or any other logical collection of packages. Module name should represent the name of the software it ships.|
-| version | N/A | Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.|
-| add_on.name | N/A | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns.|
-| add_on.type | Use the AddonType Look up table (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#addontype) to transform Integer value to Member name. | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns. The type field provides a means of understanding and correlation of events to types. |
-| add_on.url.full | N/A | Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns. The url field provides a means of understanding and correlation of events to the location where the add_on can be download from.|
-| family | N/A | Software product families have gained much important from the increased usage of software in consumer products. “A software product family is commonly defined to consist of a common architecture, a set of reusable assets used in systematically producing individual products, and the set of products thus produced”. One software product family normally has a very large number of products. The definition indicates that software components are reused on a common architecture because the products belonging to one family have a lot of common features and build upon a common architecture.|
-| vendor | Normalize this field to lowercase. | Software vendors can develop a wide range of consumer and business applications for a variety of devices, from computers and tablets, to mobile phones, to automobiles, manufacturing equipment, and more. The applications developed by software vendors can be deployed on premise or, increasingly, are cloud based and can be accessed via the Internet.|
-| type | Normalization rule: The value must be normalized to lower case. | Software packages are complete pieces of software that can work on their own, without additions or other necessary parts. Computer software packages control the physical parts of the machine so that these parts know how to work together. Other names for software are apps, programs, applications, program modules, procedures, scripts and source code. Computer software is adapted to the properties of the hardware. What works on one type of computer will not necessarily work on another. Some types of software are installed when a computer is built and are necessary for the computer to function. Other software packages can be purchased separately or downloaded from the Internet and added to the computer at any time.|
-| state | N/A | Software state is information your program manipulates to accomplish some task. It is data or information that gets changed or manipulated throughout the runtime of a program. The "state" of a program at a given time refers to a snapshot of all the data the program is currently looking at or analyzing to get to the next step in it's execution.|
-| patch.kb | Normalization rule: The value must be normalized to lower case. | Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Keeping track of the patch ID allows for the administrator to ascertain any issues resulting from a specific patch update.|
-| install.time | N/A | Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.|
-| locale | N/A | Knowing the software.locale makes it easier to translate and understand any instructions associated with the application.|
-| patch.name | N/A | Good patch documentation including the software patch package's full name is important for letting the administrator easily identify and distinguish patches from each other.|
-
-
-
- - name: cpe
- level: custom
- type: keyword
- normalization: array
- example: ["cpe:/o:microsoft:windows", "cpe:/a:adobe:acrobat"]
- description: >
- Software identified by its common platform enumeration (CPE) value.
-
- - name: name
- level: custom
- type: keyword
- example: skype
- description: >
- The name of the software.
-
- - name: modules.name
- level: custom
- type: keyword
- example: Anti-spyware protection
- description: >
- Module name.
-
- - name: version
- level: custom
- type: keyword
- example: 27/1.0.0.2021090243
- description: >
- The software version.
-
- - name: add_on.name
- level: custom
- type: keyword
- example: Wiki
- description: >
- The name of the software add-on/extension that generated the event.
-
- - name: add_on.type
- level: custom
- type: keyword
- example: Bot
- description: >
- The type of the software add-on/extension that generated the event.
-
- - name: add_on.url.full
- level: custom
- type: keyword
- example: https://example.com/download/my_add_on
- description: >
- Software installed on the host identified common platform enumeration (CPE) value.
-
- - name: family
- level: custom
- type: keyword
- example: TVD
- description: >
- A vendor provided categorization of the software.
-
- - name: vendor
- level: custom
- type: keyword
- example: google
- description: >
- The vendor or provider of the software.
-
- - name: type
- level: custom
- type: keyword
- example: exe
- description: >
- Software type.
-
- - name: state
- level: custom
- type: keyword
- example: running
- description: >
- Current state of the software.
-
- - name: patch.kb
- level: custom
- type: keyword
- example: KB4538461
- description: >
- Software patch ID.
-
- - name: install.time
- level: custom
- type: date
- description: >
- Time the software was installed.
-
- - name: locale
- level: custom
- type: keyword
- example: Hungarian
- description: >
- The human language used in the application intended for the user to read.
-
- - name: patch.name
- level: custom
- type: keyword
- example: Microsoft.MicrosoftEdge.Stable.97.0.1072.55_neutral_8wekyb3d8bbwe
- description: >
- The software patch package's full name.
-
-
-
-## Usage
-
-
- ### `cpe`
- Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
-
-IT management tools can collect information about installed products, identifying these products using their CPE names, and then use this standardized information to help make fully or partially automated decisions regarding the assets. For example, identifying the presence of XYZ Visualizer Enterprise Suite could trigger a vulnerability management tool to check the system for known vulnerabilities in the software, and also trigger a configuration management tool to verify that the software is configured securely in accordance with the organization's policies.
-
- ### `name`
- Name of software often useful to cross reference other data sources.
-
- ### `modules.name`
- A module usually represents an application, a language stack, or any other logical collection of packages. Module name should represent the name of the software it ships.
-
- ### `version`, `install.time`
- Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.
-
- ### `add_on.name`, `add_on.type`, `add_on.url.full`
- Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns.
-
- The type field provides a means of understanding and correlation of events to types.
-
- The url field provides a means of understanding and correlation of events to the location where the add_on can be download from.
-
- ### `family`
- Software product families have gained much important from the increased usage of software in consumer products. “A software product family is commonly defined to consist of a common architecture, a set of reusable assets used in systematically producing individual products, and the set of products thus produced”. One software product family normally has a very large number of products. The definition indicates that software components are reused on a common architecture because the products belonging to one family have a lot of common features and build upon a common architecture.
-
- ### `vendor`
- Software vendors can develop a wide range of consumer and business applications for a variety of devices, from computers and tablets, to mobile phones, to automobiles, manufacturing equipment, and more. The applications developed by software vendors can be deployed on premise or, increasingly, are cloud based and can be accessed via the Internet.
-
- ### `type`
- Software packages are complete pieces of software that can work on their own, without additions or other necessary parts. Computer software packages control the physical parts of the machine so that these parts know how to work together. Other names for software are apps, programs, applications, program modules, procedures, scripts and source code. Computer software is adapted to the properties of the hardware. What works on one type of computer will not necessarily work on another. Some types of software are installed when a computer is built and are necessary for the computer to function. Other software packages can be purchased separately or downloaded from the Internet and added to the computer at any time.
-
- ### `state`
- Software state is information your program manipulates to accomplish some task. It is data or information that gets changed or manipulated throughout the runtime of a program. The "state" of a program at a given time refers to a snapshot of all the data the program is currently looking at or analyzing to get to the next step in it's execution.
-
- ### `patch.kb`
- Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Keeping track of the patch ID allows for the administrator to ascertain any issues resulting from a specific patch update.
-
- ### `locale`
- Knowing the software.locale makes it easier to translate and understand any instructions associated with the application.
-
- ### `patch.name`
- Good patch documentation including the software patch package's full name is important for letting the administrator easily identify and distinguish patches from each other.
-
-## Source data
-
-
-The host fields in this RFC are sourced from the following data feeds:
- - Endpoint Detection and Response System Audit Logs & Alerts
- - Office 365 Device Audit Logs
- - Active Directory Computer Objects
- - Windows Event Logs
- - Software Inventory
-
-
- Host & Network Interface Information collects information about host computer configurations, vulnerabilities and compliance from endpoint computers.
-
- Azure Active Directory (Azure AD) tracks user activity and creates reports that help you understand how your users access and use Azure AD services. The Microsoft Graph API for Azure AD provides a means to access data in the activity reports.
-
- Active Directory (AD) stores information about objects on the network and makes this information available for administrators and users. AD uses a structured data store as the basis for a logical, hierarchical organization of directory information. This data store, also known as the directory, contains information about AD objects. These objects typically include shared resources such as Users, Computers, Groups, Organizational Units, etc.
-
- Host Information collects configuration and compliance data from endpoint computers.
-
-
-
-
-
-
-## Scope of impact
-
-
- * Ingestion mechanisms
- - Custom
- * Usage mechanisms (e.g. Kibana applications, detections)
- - Kibana
- - Custom applications
-
-## Concerns
-
-
-There are no current concerns regarding the software field set at this time.
-
-
-
-
-## People
-
-The following are the people that consulted on the contents of this RFC.
-
-* @hadadata59 | Author, Sponsor
-
-
-
-
-## References
-
-
-
-### RFC Pull Requests
-
-
-
-* Stage 0: https://github.com/elastic/ecs/pull/NNN
-
-
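Review bot: the removal of `rfcs/text/0036-software-fields.md` carries no rationale beyond the subject line "Delete 0036-software-fields.md", and the file was a Stage 0 draft still pointing at `https://github.com/elastic/ecs/pull/NNN`, so a reader of this series cannot tell whether the software field set is withdrawn, deferred, or being moved to its own PR; say which in the commit message. If the content is to be resubmitted, the deleted text shows what needs fixing first: the `add_on.url.full` description reads "Software installed on the host identified common platform enumeration (CPE) value", which is the `cpe` wording; the `install.time` and `version` justifications are the same generic paragraph about software updates; the "Source data" section of a software RFC opens with "The host fields in this RFC are sourced from the following data feeds"; and "Concerns" states there are none.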
From 7a4df127a3e39ef6a561c2a28b7bcd8966729c9d Mon Sep 17 00:00:00 2001
From: hadadata59 <85754157+hadadata59@users.noreply.github.com>
Date: Fri, 14 Oct 2022 14:20:17 -0400
Subject: [PATCH 14/14] Delete 0037-user-fields.md
---
rfcs/text/0037-user-fields.md | 303 ----------------------------------
1 file changed, 303 deletions(-)
delete mode 100644 rfcs/text/0037-user-fields.md
diff --git a/rfcs/text/0037-user-fields.md b/rfcs/text/0037-user-fields.md
deleted file mode 100644
index 99a6ed3fed..0000000000
--- a/rfcs/text/0037-user-fields.md
+++ /dev/null
@@ -1,303 +0,0 @@
-# 0000: User Fields
-
-
-- Stage: **0 (strawperson)**
-- Date: **8-12-2022**
-
-
-
-
-The User fields describe information about the user that is relevant to an event.
-
-This RFC extends the ECS user field set in several ways:
-
-- The user field set supports additonal user identifier and name fields to maintain context for the identifier or name.
-- It also defines an authentication field set nested under user.* to describe details of the users authentication attempt relevant to the event.
-- Lastly, the user field set supports additional fields describing a users account status and account profile details.
-
-
-
-## Fields
-Definitions
-
-
-
-Field Name | Special Instructions | Justification/Use Case
-| :--: | :-- | :-- |
-| created | N/A | Date the user was created.
-| display_name | N/A | This field may contain some representation of a user's account registered formal name.|
-| expires | Convert raw value user.expires_raw to a ISO time value user.expires. | The date when the account expires. Knowing the date the account expires is helpful in setting reminders for users to request extended access or for the admin to keep track of accounts that need to be deleted upon expiration.|
-| home.directory | N/A | A home directory provides a user with his own space in which to store personal files. More importantly, it prevents user files from taking up valuable space in the root directory, which is the top directory — and the one used by system administrators to quickly access important system files.|
-| home.drive | N/A | On windows, the drive letter for the home directory of the account. On Linux/Unix the mount point of the home directory.|
-| is_domain | N/A | A local user will have the account name prefixed with the machine name. A domain user's account name will be prefixed with its originating domain. If the machine name and the account prefix name don't match, or if the account name prefix matches the local machine, it's generally safe to assume its a local account.|
-| is_flagged | N/A | The account is flagged for some suspicious activity.|
-| locked_out | Convert raw value user.locked_out_raw to a ISO time value. | The date and time that this account was locked out.|
-| password.cleartext | N/A | A clear text password (or Plaintext, or Plain-text) is a way of writing (and sending) a password in a clear, readable format. Such password is not encrypted and can be easily read by other humans and machines.|
-| password.encrypted | N/A | Password encryption is essential to store user credentials stored in a database securely. Without password encryption, anyone accessing a user database on a company's servers (including hackers) could easily view any stored passwords.|
-| password.last_set | N/A | Knowing the date the password was last changed is useful in regards to making sure corporate password policies are being adhered to.|
-| password.expires | N/A | Knowing the date the password will expire is useful in regards to making sure corporate password policies are being adhered to.|
-| password.expired | N/A | Knowing the date the password will expire is useful in regards to making sure corporate password policies are being adhered to.|
-| sam_account_name | N/A | Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.|
-| locale | N/A | Knowing the software.locale makes it easier to translate and understand any instructions associated with the application.|
-| patch.name | N/A | Good patch documentation including the software patch package's full name is important for letting the administrator easily identify and distinguish patches from each other.|
-
-
-
- - name: created
- level: custom
- type: date
- description: >
- Date the user was created.
-
- - name: display_name
- level: custom
- type: keyword
- example: Smith, John
- description: >
- The identity's display name. Note that this may not always be available or up-to-date. This may be similar to user.full_name. Both fields may contain some representation of a user's account registered formal name.
-
- - name: expires
- level: custom
- type: date
- description: >
- The date when the account expires.
-
- - name: home.directory
- level: custom
- type: keyword
- example: /home/jsmith
- description: >
- The home directory for the account.
-
- - name: home.drive
- level: custom
- type: keyword
- example: T:
- description: >
- On windows, the drive letter for the home directory of the account. On Linux/Unix the mount point of the home directory.
-
- - name: is_domain
- level: custom
- type: boolean
- description: >
- Whether the user is a domain user or a local user.
-
- - name: is_flagged
- level: custom
- type: boolean
- description: >
- The account is flagged for some suspicious activity.
-
- - name: locked_out
- level: custom
- type: date
- description: >
- The date and time that this account was locked out.
-
- - name: password.cleartext
- level: custom
- type: keyword
- example: password
- description: >
- The user password in clear text.
-
- - name: password.encrypted
- level: custom
- type: keyword
- example: c8fed00eb2e87f1cee8e90ebbe870c190ac3848c
- description: >
- The user password encrypted value.
-
- - name: password.last_set
- level: custom
- type: date
- description: >
- Date the password was last changed.
-
- - name: patch.kb
- level: custom
- type: keyword
- example: KB4538461
- description: >
- Software patch ID.
-
- - name: install.time
- level: custom
- type: date
- description: >
- Time the software was installed.
-
- - name: locale
- level: custom
- type: keyword
- example: Hungarian
- description: >
- The human language used in the application intended for the user to read.
-
- - name: patch.name
- level: custom
- type: keyword
- example: Microsoft.MicrosoftEdge.Stable.97.0.1072.55_neutral_8wekyb3d8bbwe
- description: >
- The software patch package's full name.
-
-
-
-## Usage
-
-
-### General Use Cases:
-- Find all events for a user with a specfic user principal name
-- Find events where user authentication failed
-- Extract detailed information about a user
-
-### Specific Use Cases:
-
- ### `cpe`
- Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
-
-IT management tools can collect information about installed products, identifying these products using their CPE names, and then use this standardized information to help make fully or partially automated decisions regarding the assets. For example, identifying the presence of XYZ Visualizer Enterprise Suite could trigger a vulnerability management tool to check the system for known vulnerabilities in the software, and also trigger a configuration management tool to verify that the software is configured securely in accordance with the organization's policies.
-
- ### `name`
- Name of software often useful to cross reference other data sources.
-
- ### `modules.name`
- A module usually represents an application, a language stack, or any other logical collection of packages. Module name should represent the name of the software it ships.
-
- ### `version`, `install.time`
- Having the latest software version can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly -- and they may lower security vulnerabilities.
-
- ### `add_on.name`, `add_on.type`, `add_on.url.full`
- Add-ons are usually third-party software and can affect the performance of your browser or applications and some can even be actively malicious. Keeping track of potentially hazardous add-ons that are impacting performance or acting malicious can allow for quick resolutions in order to minimize security concerns.
-
- The type field provides a means of understanding and correlation of events to types.
-
- The url field provides a means of understanding and correlation of events to the location where the add_on can be download from.
-
- ### `family`
- Software product families have gained much important from the increased usage of software in consumer products. “A software product family is commonly defined to consist of a common architecture, a set of reusable assets used in systematically producing individual products, and the set of products thus produced”. One software product family normally has a very large number of products. The definition indicates that software components are reused on a common architecture because the products belonging to one family have a lot of common features and build upon a common architecture.
-
- ### `vendor`
- Software vendors can develop a wide range of consumer and business applications for a variety of devices, from computers and tablets, to mobile phones, to automobiles, manufacturing equipment, and more. The applications developed by software vendors can be deployed on premise or, increasingly, are cloud based and can be accessed via the Internet.
-
- ### `type`
- Software packages are complete pieces of software that can work on their own, without additions or other necessary parts. Computer software packages control the physical parts of the machine so that these parts know how to work together. Other names for software are apps, programs, applications, program modules, procedures, scripts and source code. Computer software is adapted to the properties of the hardware. What works on one type of computer will not necessarily work on another. Some types of software are installed when a computer is built and are necessary for the computer to function. Other software packages can be purchased separately or downloaded from the Internet and added to the computer at any time.
-
- ### `state`
- Software state is information your program manipulates to accomplish some task. It is data or information that gets changed or manipulated throughout the runtime of a program. The "state" of a program at a given time refers to a snapshot of all the data the program is currently looking at or analyzing to get to the next step in it's execution.
-
- ### `patch.kb`
- Proper patch management can greatly improve an enterprise’s security by addressing the vulnerabilities in its software and operating systems. Keeping track of the patch ID allows for the administrator to ascertain any issues resulting from a specific patch update.
-
- ### `locale`
- Knowing the software.locale makes it easier to translate and understand any instructions associated with the application.
-
- ### `patch.name`
- Good patch documentation including the software patch package's full name is important for letting the administrator easily identify and distinguish patches from each other.
-
-## Source data
-
-
-The host fields in this RFC are sourced from the following data feeds:
- - Endpoint Detection and Response System Audit Logs & Alerts
- - Office 365 Signin Logs
- - Active Directory Computer Objects
- - Windows Event Logs
-
-
- Host & Network Interface Information collects information about host computer configurations, vulnerabilities and compliance from endpoint computers.
-
- Azure Active Directory (Azure AD) tracks user activity and creates reports that help you understand how your users access and use Azure AD services. The Microsoft Graph API for Azure AD provides a means to access data in the activity reports.
-
- Active Directory (AD) stores information about objects on the network and makes this information available for administrators and users. AD uses a structured data store as the basis for a logical, hierarchical organization of directory information. This data store, also known as the directory, contains information about AD objects. These objects typically include shared resources such as Users, Computers, Groups, Organizational Units, etc.
-
- Host Information collects configuration and compliance data from endpoint computers.
-
-
-
-
-
-
-## Scope of impact
-
-
- * Ingestion mechanisms
- - Custom
- * Usage mechanisms (e.g. Kibana applications, detections)
- - Kibana
- - Custom applications
-
-## Concerns
-
-
-There are no current concerns regarding the user fields within this field set.
-
-
-
-
-## People
-
-The following are the people that consulted on the contents of this RFC.
-
-* @hadadata59 | Author, Sponsor
-
-
-
-
-## References
-
-
-
-### RFC Pull Requests
-
-
-
-* Stage 0: https://github.com/elastic/ecs/pull/NNN
-
-
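Review bot: as with the previous patch, deleting `rfcs/text/0037-user-fields.md` with only the subject line "Delete 0037-user-fields.md" leaves the status of the user field set unstated; say whether it is withdrawn or moving to a separate PR. If it is resubmitted, the deleted copy lists the work: `password.cleartext` (example value `password`) puts a credential into the event index and should be removed, and `password.encrypted` is described as "The user password encrypted value" while its example is a 40-hex-digit string that looks like a digest rather than ciphertext, so the description must say which it is; the `patch.kb`, `install.time`, `locale` and `patch.name` definitions and the whole "Specific Use Cases" section (`cpe` through `patch.name`) are software-field text pasted into the user RFC; the table rows `password.expires`, `password.expired` and `sam_account_name` have no definition entries, and `sam_account_name` still carries the software `version` justification; the `is_domain` row keeps the contradictory local/domain rule; "Source data" again says "The host fields in this RFC"; and "Concerns" claims none while a cleartext-password field is defined.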