A challenge when implementing commands using the query action is that even simple queries in EDR systems often contain criteria and even logical operators deciding what is returned.
An example of this is the Devices API of Carbon Black Cloud:
https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/devices-api/
request body example:
On the other hand, Microsoft Defender for Endpoint simply has a "get machine by ID" API:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machine-by-id?view=o365-worldwide
Both of these functions would be covered by a "Query device" action, but one of them would require an enormous number of arguments (CBC criteria supports 10 fields as well as Lucene queries) in order to have all its features supported. How do we get around this?
Some suggestions:
Add an argument that supports solution agnostic criteria/queries
https://github.com/opencybersecurityalliance/stix-shifter/blob/develop/OVERVIEW.md
https://kestrel.readthedocs.io/en/latest/language.html
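As an added example (not from this issue, stix-shifter or Kestrel), here is one way the "solution agnostic criteria" suggestion can look in Python: a small STIX-like device pattern is parsed once, then translated into each backend's native form, and the translator for the ID-only backend rejects anything it cannot express instead of silently narrowing the query. The pattern syntax, the field names and the URL path are assumptions for illustration, not the real CBC or Defender schemas.

```python
import re
from typing import Dict, List, Tuple

# Constructed, STIX-pattern-like criteria syntax (assumption for this example):
#   [device:<field> = '<value>' AND device:<field> = '<value>' ...]
# Only equality and AND are accepted; that is the lowest common denominator
# that both a rich search API and a lookup-by-id API can still honour.
_TERM = re.compile(r"device:(\w+)\s*=\s*'([^']*)'")


def parse_criteria(pattern: str) -> List[Tuple[str, str]]:
    """Parse the agnostic pattern into (field, value) pairs joined by AND."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("pattern must be enclosed in [ ]")
    pairs = []
    for term in body[1:-1].split(" AND "):
        m = _TERM.fullmatch(term.strip())
        if not m:  # OR, comparisons other than '=', free text: not in the subset
            raise ValueError(f"unsupported term: {term.strip()!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def to_cbc_criteria(pattern: str) -> Dict[str, Dict[str, List[str]]]:
    """Rich backend: emit a search body with a 'criteria' object mapping each
    field to a list of accepted values (assumed shape, not the real CBC schema)."""
    criteria: Dict[str, List[str]] = {}
    for field, value in parse_criteria(pattern):
        criteria.setdefault(field, []).append(value)
    return {"criteria": criteria}


def to_defender_lookup(pattern: str) -> str:
    """ID-only backend: the sole query it can express is a single equality on
    'id'. Anything else is refused so the caller learns the backend's limit."""
    pairs = parse_criteria(pattern)
    if len(pairs) != 1 or pairs[0][0] != "id":
        raise NotImplementedError("backend only supports lookup by device id")
    return f"/api/machines/{pairs[0][1]}"  # assumed path shape for illustration


if __name__ == "__main__":
    print(to_cbc_criteria("[device:os = 'WINDOWS' AND device:status = 'ACTIVE']"))
    print(to_defender_lookup("[device:id = 'abc123']"))
```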