From a6ccfc0169f7c2b41fefb3123b4890372b00c528 Mon Sep 17 00:00:00 2001
From: t2sw <109705231+t2sw@users.noreply.github.com>
Date: Thu, 26 Oct 2023 12:37:10 -0700
Subject: [PATCH] change select sighting context fields to optional (#428)
* Per issue 8427, make the HTTPType `method`, RegistryDeleteType `registry_value`, and RegistrySetType `registry_data` entries optional.
---
doc/structures/bundle.md | 14 ++++++--------
doc/structures/casebook.md | 12 ++++++------
doc/structures/sighting.md | 12 ++++++------
src/ctim/schemas/sighting/context.cljc | 13 +++++++------
4 files changed, 25 insertions(+), 26 deletions(-)
diff --git a/doc/structures/bundle.md b/doc/structures/bundle.md
index 4b9d9762..a4362cab 100644
--- a/doc/structures/bundle.md
+++ b/doc/structures/bundle.md
@@ -7812,12 +7812,11 @@ Time of the observation. If the observation was made over a period of time, than
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
|[registry_key](#propertyregistry_key-shortstringstring)|ShortStringString| |✓|
-|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[type](#propertytype-registrydeletetypeidentifierstring)|RegistryDeleteTypeIdentifierString| |✓|
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
-
+|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| ||
## Property process_guid ∷ Integer
@@ -7860,7 +7859,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property registry_value ∷ MedStringString
-* This entry is required
+* This entry is optional
* *MedString* String with at most 2048 characters.
@@ -7922,13 +7921,13 @@ Time of the observation. If the observation was made over a period of time, than
| -------- | ---- | ----------- | --------- |
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
-|[registry_data](#propertyregistry_data-longstringstring)|LongStringString| |✓|
|[registry_key](#propertyregistry_key-shortstringstring)|ShortStringString| |✓|
|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[type](#propertytype-registrysettypeidentifierstring)|RegistrySetTypeIdentifierString| |✓|
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
+|[registry_data](#propertyregistry_data-longstringstring)|LongStringString| ||
|[registry_data_length](#propertyregistry_data_length-integer)|Integer| ||
@@ -7965,7 +7964,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property registry_data ∷ LongStringString
-* This entry is required
+* This entry is optional
* *LongString* String with at most 5000 characters.
@@ -8151,13 +8150,13 @@ Time of the observation. If the observation was made over a period of time, than
| Property | Type | Description | Required? |
| -------- | ---- | ----------- | --------- |
|[host](#propertyhost-shortstringstring)|ShortStringString| |✓|
-|[method](#propertymethod-httpmethodstring)|HTTPMethodString| |✓|
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[traffic](#propertytraffic-trafficobject)|*Traffic* Object| |✓|
|[type](#propertytype-httptypeidentifierstring)|HTTPTypeIdentifierString| |✓|
|[encrypted](#propertyencrypted-boolean)|Boolean| ||
+|[method](#propertymethod-httpmethodstring)|HTTPMethodString| ||
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
|[query](#propertyquery-longstringstring)|LongStringString| ||
@@ -8182,8 +8181,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property method ∷ HTTPMethodString
-* This entry is required
-
+* This entry is optional
* Allowed Values:
* CONNECT
diff --git a/doc/structures/casebook.md b/doc/structures/casebook.md
index d8c956f2..6d6ab0f9 100644
--- a/doc/structures/casebook.md
+++ b/doc/structures/casebook.md
@@ -6291,11 +6291,11 @@ Time of the observation. If the observation was made over a period of time, than
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
|[registry_key](#propertyregistry_key-shortstringstring)|ShortStringString| |✓|
-|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[type](#propertytype-registrydeletetypeidentifierstring)|RegistryDeleteTypeIdentifierString| |✓|
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
+|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| ||
@@ -6339,7 +6339,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property registry_value ∷ MedStringString
-* This entry is required
+* This entry is optional
* *MedString* String with at most 2048 characters.
@@ -6401,13 +6401,13 @@ Time of the observation. If the observation was made over a period of time, than
| -------- | ---- | ----------- | --------- |
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
-|[registry_data](#propertyregistry_data-longstringstring)|LongStringString| |✓|
|[registry_key](#propertyregistry_key-shortstringstring)|ShortStringString| |✓|
|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[type](#propertytype-registrysettypeidentifierstring)|RegistrySetTypeIdentifierString| |✓|
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
+|[registry_data](#propertyregistry_data-longstringstring)|LongStringString| ||
|[registry_data_length](#propertyregistry_data_length-integer)|Integer| ||
@@ -6444,7 +6444,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property registry_data ∷ LongStringString
-* This entry is required
+* This entry is optional
* *LongString* String with at most 5000 characters.
@@ -6630,13 +6630,13 @@ Time of the observation. If the observation was made over a period of time, than
| Property | Type | Description | Required? |
| -------- | ---- | ----------- | --------- |
|[host](#propertyhost-shortstringstring)|ShortStringString| |✓|
-|[method](#propertymethod-httpmethodstring)|HTTPMethodString| |✓|
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[traffic](#propertytraffic-trafficobject)|*Traffic* Object| |✓|
|[type](#propertytype-httptypeidentifierstring)|HTTPTypeIdentifierString| |✓|
|[encrypted](#propertyencrypted-boolean)|Boolean| ||
+|[method](#propertymethod-httpmethodstring)|HTTPMethodString| ||
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
|[query](#propertyquery-longstringstring)|LongStringString| ||
@@ -6661,7 +6661,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property method ∷ HTTPMethodString
-* This entry is required
+* This entry is optional
* Allowed Values:
diff --git a/doc/structures/sighting.md b/doc/structures/sighting.md
index b645216b..1633b832 100644
--- a/doc/structures/sighting.md
+++ b/doc/structures/sighting.md
@@ -1715,11 +1715,11 @@ Time of the observation. If the observation was made over a period of time, than
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
|[registry_key](#propertyregistry_key-shortstringstring)|ShortStringString| |✓|
-|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[type](#propertytype-registrydeletetypeidentifierstring)|RegistryDeleteTypeIdentifierString| |✓|
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
+|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| ||
@@ -1763,7 +1763,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property registry_value ∷ MedStringString
-* This entry is required
+* This entry is optional
* *MedString* String with at most 2048 characters.
@@ -1825,13 +1825,13 @@ Time of the observation. If the observation was made over a period of time, than
| -------- | ---- | ----------- | --------- |
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
-|[registry_data](#propertyregistry_data-longstringstring)|LongStringString| |✓|
|[registry_key](#propertyregistry_key-shortstringstring)|ShortStringString| |✓|
|[registry_value](#propertyregistry_value-medstringstring)|MedStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[type](#propertytype-registrysettypeidentifierstring)|RegistrySetTypeIdentifierString| |✓|
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
+|[registry_data](#propertyregistry_data-longstringstring)|LongStringString| ||
|[registry_data_length](#propertyregistry_data_length-integer)|Integer| ||
@@ -1868,7 +1868,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property registry_data ∷ LongStringString
-* This entry is required
+* This entry is optional
* *LongString* String with at most 5000 characters.
@@ -2054,13 +2054,13 @@ Time of the observation. If the observation was made over a period of time, than
| Property | Type | Description | Required? |
| -------- | ---- | ----------- | --------- |
|[host](#propertyhost-shortstringstring)|ShortStringString| |✓|
-|[method](#propertymethod-httpmethodstring)|HTTPMethodString| |✓|
|[process_id](#propertyprocess_id-integer)|Integer| |✓|
|[process_name](#propertyprocess_name-shortstringstring)|ShortStringString| |✓|
|[time](#propertytime-observedtimeobject)|*ObservedTime* Object| |✓|
|[traffic](#propertytraffic-trafficobject)|*Traffic* Object| |✓|
|[type](#propertytype-httptypeidentifierstring)|HTTPTypeIdentifierString| |✓|
|[encrypted](#propertyencrypted-boolean)|Boolean| ||
+|[method](#propertymethod-httpmethodstring)|HTTPMethodString| ||
|[process_guid](#propertyprocess_guid-integer)|Integer| ||
|[process_username](#propertyprocess_username-shortstringstring)|ShortStringString| ||
|[query](#propertyquery-longstringstring)|LongStringString| ||
@@ -2085,7 +2085,7 @@ Time of the observation. If the observation was made over a period of time, than
## Property method ∷ HTTPMethodString
-* This entry is required
+* This entry is optional
* Allowed Values:
diff --git a/src/ctim/schemas/sighting/context.cljc b/src/ctim/schemas/sighting/context.cljc
index 626cb966..3dbf08a8 100644
--- a/src/ctim/schemas/sighting/context.cljc
+++ b/src/ctim/schemas/sighting/context.cljc
@@ -160,14 +160,14 @@
(f/required-entries
(f/entry :type HTTPTypeIdentifier)
(f/entry :host c/ShortString)
- (f/entry :method HTTPMethod)
(f/entry :traffic Traffic))
(f/optional-entries
(f/entry :url_port f/any-int)
(f/entry :process_guid f/any-int)
(f/entry :process_username c/ShortString)
(f/entry :query c/LongString)
- (f/entry :encrypted f/any-bool))))
+ (f/entry :encrypted f/any-bool)
+ (f/entry :method HTTPMethod))))
(def registry-event-entries
(concat
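Review bot: The three entries moved out of `f/required-entries` here, in the RegistrySet hunk below and in the RegistryDelete hunk after it carry no note saying why they may now be absent, so a reader of the schema cannot tell a deliberate relaxation from an omission; a one-line comment on each relocated entry, e.g. `;; optional since #428: consumers must tolerate a missing :method`, would record the intent in the source rather than only in the commit message. Downstream validators or detection logic that previously relied on `:method`, `:registry_value` and `:registry_data` always being present on these context types will now see nil, which this commit does not call out anywhere in the schema. In the RegistrySet hunk `:registry_data_length` and `:registry_data` are now both optional with no stated relationship between them; if the length is meant to describe the data, it may be worth noting whether one without the other is valid. The `def` forms enclosing these entry lists start outside the hunks, so their docstrings (if any) are not visible here.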
@@ -192,10 +192,10 @@
registry-event-entries
(f/required-entries
(f/entry :type RegistrySetTypeIdentifier)
- (f/entry :registry_value c/MedString)
- (f/entry :registry_data c/LongString))
+ (f/entry :registry_value c/MedString))
(f/optional-entries
- (f/entry :registry_data_length f/any-int))))
+ (f/entry :registry_data_length f/any-int)
+ (f/entry :registry_data c/LongString))))
(def registry-delete-type-identifier "RegistryDeleteEvent")
(def-eq RegistryDeleteTypeIdentifier registry-delete-type-identifier)
@@ -204,7 +204,8 @@
(concat
registry-event-entries
(f/required-entries
- (f/entry :type RegistryDeleteTypeIdentifier)
+ (f/entry :type RegistryDeleteTypeIdentifier))
+ (f/optional-entries
(f/entry :registry_value c/MedString))))
(def registry-rename-type-identifier "RegistryRenameEvent")