Merge pull request #22 from abusix/538-enable-users-to-set-ahq-specif…

…ic-xarf-values Added 'InternalProcessing' object to base xarf
abusix · Mar 1, 2021 · dda689d · dda689d
2 parents 609b395 + c5bd414
commit dda689d
Show file tree

Hide file tree

Showing 4 changed files with 202 additions and 1 deletion.
diff --git a/samples/negative/development/invalid_internal_processing_wrong_data_type.json b/samples/negative/development/invalid_internal_processing_wrong_data_type.json
@@ -0,0 +1,44 @@
+{
+  "Version": "development",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "InternalProcessing": {
+    "SubscriberInformation": {
+      "ID": 123112,
+      "SubscriberData": {
+        "Active": true
+      }
+    },
+    "EventTags": ["Wordpress", 9, "Untrusted"]
+  },
+  "Report": {
+    "ReportType": "OpenService",
+    "ReportClass": "Vulnerability",
+    "FirstSeen": "2020-03-15T15:17:10Z",
+    "Date": "2020-07-24T14:17:10Z",
+    "ServiceName": "redis",
+    "ServiceVersion": "1.2.4",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "TransportProtocol": "tcp",
+    "Samples": [
+      {
+        "ContentType": "text/plain",
+        "Base64Encoded": false,
+        "Description": "Log line",
+        "Payload": "EXAMPLE Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds EXAMPLE"
+      }
+    ],
+    "Custom": {
+      "whatever": "examplevalue",
+      "whatever2": "examplevalue2"
+    }
+  }
+}
diff --git a/samples/positive/development/loginattack_sample_optional_api_info.json b/samples/positive/development/loginattack_sample_optional_api_info.json
@@ -0,0 +1,48 @@
+{
+  "Version": "development",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "InternalProcessing": {
+    "SubscriberInformation": {
+      "ID": "32.112.219.3",
+      "SubscriberData": {
+        "PreviousStrikes": "3",
+        "LastStrike": "2018-02-01T07:32:00Z"
+      }
+    },
+    "ContractInformation": {
+      "ID": "32.112.219.3-premium",
+      "ResolverData": {
+        "ExpirationDate": "2019-01-01T00:00:00Z"
+      }
+    },
+    "EventTags": ["SSH", "Untrusted", "BruteForce"]
+  },
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "LoginAttack",
+    "Date": "2018-02-05T14:17:10Z",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "DestinationIp": "198.51.100.33",
+    "DestinationPort": 80,
+    "Ongoing": true,
+    "ByteCount": 20000000,
+    "PacketCount": 10000,
+    "Samples": [
+      {
+        "ContentType": "text/plain",
+        "Base64Encoded": false,
+        "Description": "Log entry",
+        "Payload": "User at 192.0.2.55:54321 tried to log in unsuccessfully 123 times."
+      }
+    ]
+  }
+}
diff --git a/samples/positive/development/openservice_sample_optional_api_info.json b/samples/positive/development/openservice_sample_optional_api_info.json
@@ -0,0 +1,52 @@
+{
+  "Version": "development",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "InternalProcessing": {
+    "SubscriberInformation": {
+      "ID": "[email protected]",
+      "SubscriberData": {
+        "CustomerEMail": "[email protected]",
+        "CustomerGeo": "South America",
+        "AccountContact": "Mr. Contact Person"
+      }
+    },
+    "ContractInformation": {
+      "ID": "[email protected]",
+      "ResolverData": {
+        "Active": "true"
+      }
+    },
+    "EventTags": ["Wordpress", "Admin", "Untrusted"]
+  },
+  "Report": {
+    "ReportType": "OpenService",
+    "ReportClass": "Vulnerability",
+    "FirstSeen": "2020-03-15T15:17:10Z",
+    "Date": "2020-07-24T14:17:10Z",
+    "ServiceName": "redis",
+    "ServiceVersion": "1.2.4",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "TransportProtocol": "tcp",
+    "Samples": [
+      {
+        "ContentType": "text/plain",
+        "Base64Encoded": false,
+        "Description": "Log line",
+        "Payload": "EXAMPLE Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds EXAMPLE"
+      }
+    ],
+    "Custom": {
+      "whatever": "examplevalue",
+      "whatever2": "examplevalue2"
+    }
+  }
+}
diff --git a/schemas/development/xarf_shared.schema.json b/schemas/development/xarf_shared.schema.json
@@ -100,6 +100,9 @@
         },
         "Version": {
           "const": "development"
+        },
+        "InternalProcessing": {
+          "$ref": "#/properties/InternalProcessing"
         }
       },
       "required": ["ReporterInfo", "Disclosure", "Version"]
@@ -139,7 +142,14 @@
           "type": "object",
           "description": "allows for custom key-value fields",
           "additionalProperties": {
-            "anyOf": [{ "type": "string" }, { "type": "integer" }]
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "integer"
+              }
+            ]
           }
         }
       },
@@ -449,6 +459,53 @@
           "enum": ["tcp", "udp"]
         }
       }
+    },
+    "InternalProcessing": {
+      "type": "object",
+      "description": "Information about the reportee for internal processing. This should be ignored if the reporter isn't authorized. It's intended to be used for relaying internaly generated xarf-reports to automation software.",
+      "properties": {
+        "SubscriberInformation": {
+          "type": "object",
+          "description": "Information about the reportee/customer.",
+          "properties": {
+            "ID": {
+              "type": "string",
+              "description": "Internal ID of the reportee."
+            },
+            "SubscriberData": {
+              "type": "object",
+              "description": "Data about a customer normaly returned by a resolver in the process of determining the reportee.",
+              "additionalProperties": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "ContractInformation": {
+          "type": "object",
+          "description": "Information about the reportee's/customer's contract.",
+          "properties": {
+            "ID": {
+              "type": "string",
+              "description": "Internal ID of the reportee's contract."
+            },
+            "ResolverData": {
+              "type": "object",
+              "description": "Data about a customers contract normaly returned by a resolver in the process of determining the reportee.",
+              "additionalProperties": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "EventTags": {
+          "type": "array",
+          "description": "Custom tags for classification, metrics and other internal uses.",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
     }
   }
 }