diff --git a/doc/structures/bundle.md b/doc/structures/bundle.md index 53f97941..d7eb4259 100644 --- a/doc/structures/bundle.md +++ b/doc/structures/bundle.md @@ -9664,6 +9664,7 @@ Time of the observation. If the observation was made over a period of time, than * Deleted * Deleted_By * Deleted_From + * Derived_From_Same * Downloaded * Downloaded_By * Downloaded_From @@ -9849,6 +9850,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -9930,6 +9932,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10026,6 +10029,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10234,6 +10238,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10399,6 +10404,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10990,6 +10996,7 @@ If not present, the valid time position of the indicator does not have an upper * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -11487,6 +11494,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key 
@@ -12091,6 +12099,7 @@ If not present, the valid time position of the indicator does not have an upper * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key diff --git a/doc/structures/casebook.md b/doc/structures/casebook.md index 20bd3b68..cbc5b1ab 100644 --- a/doc/structures/casebook.md +++ b/doc/structures/casebook.md @@ -8082,6 +8082,7 @@ Time of the observation. If the observation was made over a period of time, than * Deleted * Deleted_By * Deleted_From + * Derived_From_Same * Downloaded * Downloaded_By * Downloaded_From @@ -8267,6 +8268,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8348,6 +8350,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8444,6 +8447,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8652,6 +8656,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8817,6 +8822,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10320,6 +10326,7 @@ If not present, the valid time position of the indicator does not have an upper * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key 
@@ -12794,6 +12801,7 @@ Observable types that can be acted upon. * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -14466,6 +14474,7 @@ For each asset, we allow for the assertion of time bound properties.This gives u * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key diff --git a/doc/structures/judgement.md b/doc/structures/judgement.md index fbc5ba2c..b50c1580 100644 --- a/doc/structures/judgement.md +++ b/doc/structures/judgement.md @@ -391,8 +391,8 @@ A URL reference to an external resource. * process_hash * process_name * process_path - * process_username * process_uid + * process_username * processor_id * registry_key * registry_name diff --git a/doc/structures/sighting.md b/doc/structures/sighting.md index 8ac0498a..a7d231e6 100644 --- a/doc/structures/sighting.md +++ b/doc/structures/sighting.md @@ -1136,6 +1136,7 @@ Time of the observation. If the observation was made over a period of time, than * Deleted * Deleted_By * Deleted_From + * Derived_From_Same * Downloaded * Downloaded_By * Downloaded_From diff --git a/src/ctim/schemas/common.cljc b/src/ctim/schemas/common.cljc index c3e5ab10..2a1b7345 100644 --- a/src/ctim/schemas/common.cljc +++ b/src/ctim/schemas/common.cljc 
@@ -496,6 +496,7 @@ "Deleted" "Specifies that this object deleted the related object." "Deleted_By" "Specifies that this object was deleted by the related object." "Deleted_From" "Specifies that this object was deleted from the related object." + "Derived_From_Same" "Specifies that this observable is a property of, or otherwise derived from, the same underlying object as the related observable. An Example is hashes for the same file." "Downloaded" "Specifies that this object downloaded the related object." "Downloaded_By" "Specifies that this object was downloaded by the related object." "Downloaded_From" "Specifies that this object was downloaded from the related object."
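Review bot: In the src/ctim/schemas/common.cljc hunk, the description added for "Derived_From_Same" does not follow the wording of the entries around it. The neighbouring descriptions all read "this object ... the related object", while the new one says "this observable ... the related observable", and "An Example is" carries a stray capital. Suggest "Specifies that this object is a property of, or otherwise derived from, the same underlying object as the related object. An example is hashes for the same file." Unlike Deleted / Deleted_By / Deleted_From, no inverse relation is added, so if the relation is meant to hold in both directions the description should say so.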
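Review bot: The process_uid entries added throughout doc/structures/bundle.md and doc/structures/casebook.md have no matching schema change in this patch; the only src hunk adds "Derived_From_Same". doc/structures/judgement.md already listed process_uid and only has its order swapped with process_username, which suggests the other documents had drifted from the schema before this change. If these files are generated, please say so in the commit message and confirm they were regenerated rather than edited by hand. While regenerating, two typos visible in the hunk-header context are worth fixing at their source: "over a period of time, than" should read "then", and "time bound properties.This" is missing a space after the full stop.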