From bb42a5a9d8193b11b6a3ecc4981884da121713fc Mon Sep 17 00:00:00 2001 
From: obsidianforensics Date: Fri, 2 Feb 2024 00:27:27 +0000 Subject: [PATCH] Add new DFIQ YAML files and update copyright header in existing ones. --- data/approaches/Q1001.10.yaml | 8 ++-- data/approaches/Q1001.11.yaml | 6 +-- data/approaches/Q1001.12.yaml | 8 ++-- data/approaches/Q1018.10.yaml | 49 +++++++++++++++++++++++ data/approaches/Q1018.11.yaml | 46 ++++++++++++++++++++++ data/approaches/Q1018.12.yaml | 73 +++++++++++++++++++++++++++++++++++ data/approaches/Q1019.10.yaml | 47 ++++++++++++++++++++++ data/approaches/Q1020.10.yaml | 8 ++-- data/approaches/Q1024.10.yaml | 50 ++++++++++++++++++++++++ data/approaches/Q1036.10.yaml | 6 +-- data/approaches/Q1036.11.yaml | 6 +-- data/approaches/Q1037.10.yaml | 6 +-- data/approaches/Q1037.11.yaml | 6 +-- data/approaches/Q1037.12.yaml | 6 +-- data/approaches/Q1074.10.yaml | 49 +++++++++++++++++++++++ data/approaches/Q1074.11.yaml | 53 +++++++++++++++++++++++++ data/facets/F1001.yaml | 8 +++- data/facets/F1002.yaml | 2 +- data/facets/F1003.yaml | 2 +- data/facets/F1004.yaml | 2 +- data/facets/F1005.yaml | 2 +- data/facets/F1006.yaml | 2 +- data/facets/F1007.yaml | 2 +- data/facets/F1008.yaml | 2 +- data/facets/F1009.yaml | 2 +- data/facets/F1010.yaml | 2 +- data/facets/F1011.yaml | 2 +- data/facets/F1012.yaml | 2 +- data/facets/F1013.yaml | 2 +- data/facets/F1014.yaml | 2 +- data/facets/F1015.yaml | 2 +- data/facets/F1016.yaml | 2 +- data/facets/F1017.yaml | 2 +- data/facets/F1018.yaml | 2 +- data/facets/F1019.yaml | 2 +- data/facets/F1020.yaml | 2 +- data/facets/F1021.yaml | 2 +- data/facets/F1022.yaml | 2 +- data/facets/F1023.yaml | 2 +- data/facets/F1024.yaml | 2 +- data/facets/F1025.yaml | 2 +- data/facets/F1026.yaml | 2 +- data/facets/F1027.yaml | 2 +- data/facets/F1028.yaml | 2 +- data/facets/F1029.yaml | 26 +++++++++++++ data/facets/F1030.yaml | 26 +++++++++++++ data/questions/Q1001.yaml | 6 +-- data/questions/Q1002.yaml | 2 +- data/questions/Q1003.yaml | 2 +- data/questions/Q1004.yaml | 2 +- 
data/questions/Q1005.yaml | 2 +- data/questions/Q1006.yaml | 2 +- data/questions/Q1007.yaml | 2 +- data/questions/Q1008.yaml | 2 +- data/questions/Q1009.yaml | 2 +- data/questions/Q1010.yaml | 2 +- data/questions/Q1011.yaml | 2 +- data/questions/Q1012.yaml | 2 +- data/questions/Q1013.yaml | 2 +- data/questions/Q1014.yaml | 2 +- data/questions/Q1015.yaml | 2 +- data/questions/Q1016.yaml | 2 +- data/questions/Q1017.yaml | 2 +- data/questions/Q1018.yaml | 2 +- data/questions/Q1019.yaml | 2 +- data/questions/Q1020.yaml | 3 +- data/questions/Q1021.yaml | 2 +- data/questions/Q1022.yaml | 2 +- data/questions/Q1023.yaml | 2 +- data/questions/Q1024.yaml | 2 +- data/questions/Q1025.yaml | 2 +- data/questions/Q1026.yaml | 2 +- data/questions/Q1027.yaml | 2 +- data/questions/Q1028.yaml | 2 +- data/questions/Q1029.yaml | 2 +- data/questions/Q1030.yaml | 2 +- data/questions/Q1031.yaml | 2 +- data/questions/Q1032.yaml | 2 +- data/questions/Q1033.yaml | 2 +- data/questions/Q1034.yaml | 2 +- data/questions/Q1035.yaml | 2 +- data/questions/Q1036.yaml | 2 +- data/questions/Q1037.yaml | 2 +- data/questions/Q1038.yaml | 2 +- data/questions/Q1039.yaml | 2 +- data/questions/Q1040.yaml | 2 +- data/questions/Q1041.yaml | 2 +- data/questions/Q1042.yaml | 2 +- data/questions/Q1043.yaml | 2 +- data/questions/Q1044.yaml | 2 +- data/questions/Q1045.yaml | 2 +- data/questions/Q1046.yaml | 2 +- data/questions/Q1047.yaml | 2 +- data/questions/Q1048.yaml | 2 +- data/questions/Q1049.yaml | 2 +- data/questions/Q1050.yaml | 2 +- data/questions/Q1051.yaml | 2 +- data/questions/Q1052.yaml | 2 +- data/questions/Q1053.yaml | 2 +- data/questions/Q1054.yaml | 2 +- data/questions/Q1055.yaml | 2 +- data/questions/Q1056.yaml | 2 +- data/questions/Q1057.yaml | 2 +- data/questions/Q1058.yaml | 2 +- data/questions/Q1059.yaml | 2 +- data/questions/Q1060.yaml | 2 +- data/questions/Q1061.yaml | 2 +- data/questions/Q1062.yaml | 2 +- data/questions/Q1063.yaml | 2 +- data/questions/Q1064.yaml | 2 +- 
data/questions/Q1065.yaml | 2 +- data/questions/Q1066.yaml | 2 +- data/questions/Q1067.yaml | 2 +- data/questions/Q1068.yaml | 2 +- data/questions/Q1069.yaml | 2 +- data/questions/Q1070.yaml | 2 +- data/questions/Q1071.yaml | 2 +- data/questions/Q1072.yaml | 2 +- data/questions/Q1073.yaml | 2 +- data/questions/Q1074.yaml | 2 +- data/questions/Q1075.yaml | 2 +- data/questions/Q1076.yaml | 2 +- data/questions/Q1077.yaml | 2 +- data/questions/Q1078.yaml | 2 +- data/questions/Q1079.yaml | 2 +- data/questions/Q1080.yaml | 2 +- data/questions/Q1081.yaml | 2 +- data/questions/Q1082.yaml | 2 +- data/questions/Q1083.yaml | 2 +- data/questions/Q1084.yaml | 3 +- data/questions/Q1085.yaml | 23 +++++++++++ data/questions/Q1086.yaml | 23 +++++++++++ data/questions/Q1087.yaml | 23 +++++++++++ data/questions/Q1088.yaml | 24 ++++++++++++ data/questions/Q1089.yaml | 23 +++++++++++ data/questions/Q1090.yaml | 23 +++++++++++ data/scenarios/S1001.yaml | 3 +- data/scenarios/S1002.yaml | 2 +- data/scenarios/S1003.yaml | 2 +- data/scenarios/S1005.yaml | 2 +- data/scenarios/S1007.yaml | 2 +- data/scenarios/S1008.yaml | 2 +- 142 files changed, 714 insertions(+), 153 deletions(-) create mode 100644 data/approaches/Q1018.10.yaml create mode 100644 data/approaches/Q1018.11.yaml create mode 100644 data/approaches/Q1018.12.yaml create mode 100644 data/approaches/Q1019.10.yaml create mode 100644 data/approaches/Q1024.10.yaml create mode 100644 data/approaches/Q1074.10.yaml create mode 100644 data/approaches/Q1074.11.yaml create mode 100644 data/facets/F1029.yaml create mode 100644 data/facets/F1030.yaml create mode 100644 data/questions/Q1085.yaml create mode 100644 data/questions/Q1086.yaml create mode 100644 data/questions/Q1087.yaml create mode 100644 data/questions/Q1088.yaml create mode 100644 data/questions/Q1089.yaml create mode 100644 data/questions/Q1090.yaml diff --git a/data/approaches/Q1001.10.yaml b/data/approaches/Q1001.10.yaml index 9f8204d..ec23736 100644 
--- a/data/approaches/Q1001.10.yaml +++ b/data/approaches/Q1001.10.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -38,7 +38,7 @@ description: - "[Web Browsers on ForensicArtifacts](https://github.com/ForensicArtifacts/artifacts/blob/main/data/webbrowser.yaml)" view: data: - - type: artifact + - type: ForensicArtifact value: BrowserHistory - type: description value: Collect local browser history artifacts. These are often in the @@ -56,7 +56,7 @@ view: - Browsers installed in non-standard paths - Downloads made during Incognito sessions processors: - - name: plaso + - name: Plaso options: - type: parsers value: webhist @@ -71,7 +71,7 @@ view: - description: *filter-desc type: pandas value: query('data_type in ("chrome:history:file_downloaded", "safari:downloads:entry")') - - name: hindsight + - name: Hindsight options: - type: format value: jsonl diff --git a/data/approaches/Q1001.11.yaml b/data/approaches/Q1001.11.yaml index d19b981..d8d13db 100644 --- a/data/approaches/Q1001.11.yaml +++ b/data/approaches/Q1001.11.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -43,7 +43,7 @@ description: view: data: - - type: artifact + - type: ForensicArtifact value: SantaLogs - type: description value: Santa logs stored on the local disk; they may also be centralized off-system, @@ -58,7 +58,7 @@ view: - Downloads that occurred on macOS with Santa, but during a time period for which there are no Santa logs (out of retention or Santa was disabled). processors: - - name: plaso + - name: Plaso options: - type: parsers value: santa diff --git a/data/approaches/Q1001.12.yaml b/data/approaches/Q1001.12.yaml index fa24433..9cb93ef 100644 
--- a/data/approaches/Q1001.12.yaml +++ b/data/approaches/Q1001.12.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -47,7 +47,7 @@ description: - "[Change Journals](https://learn.microsoft.com/en-gb/windows/win32/fileio/change-journals)" view: data: - - type: artifact + - type: ForensicArtifact value: NTFSUSNJournal - type: description value: The NTFS $UsnJnrl file system metadata file. This ForensicArtifact definition @@ -63,7 +63,7 @@ view: - Downloads that would be covered, but happened long enough ago that the USN Journal records that would show it have been deleted. processors: - - name: plaso + - name: Plaso options: - type: parsers value: usnjrnl @@ -77,5 +77,5 @@ view: - description: Select and search for the `file_reference` value for an event of interest from the previous query. There should be one with the same timestamp as your previous event and its `filename` value is the download's final name. - type: opensearch-query-variable + type: opensearch-query value: data_type:"fs:ntfs:usn_change" {file_reference value} "USN_REASON_RENAME_NEW_NAME" diff --git a/data/approaches/Q1018.10.yaml b/data/approaches/Q1018.10.yaml new file mode 100644 index 0000000..826280a --- /dev/null +++ b/data/approaches/Q1018.10.yaml 
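Review bot: The last hunk of Q1001.12.yaml retypes the step from `opensearch-query-variable` to `opensearch-query`, but its value still contains the placeholder `{file_reference value}`, so it cannot be run as written. If consumers treat `opensearch-query` as ready to execute (not visible from this patch), the step would fail to parse or match nothing. Consider writing the placeholder in the style the new files use for `{hostname}`, e.g. `{file_reference}`, and saying in the description that it must be substituted. The step list this entry belongs to starts outside the hunk.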
@@ -0,0 +1,49 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Use Crowdstrike "Bulk Domains" to link source processes to DNS queries
+type: approach
+id: Q1018.10
+dfiq_version: 1.0.0
+tags:
+ - CrowdStrike
+ - DNS
+description:
+ summary: CrowdStrike records the source process ID (ContextProcessId) for DNSRequest event.
+ details: >
+ Crowdstrike is a detection platform, not a logging platform, so not all DNS requests are logged.
+ Content Filter needs to be enabled to capture DNS request queries.
+ references:
+ - https://www.crowdstrike.com/blog/hunt-threat-activity-falcon-host-endpoint-protection/bulk-domain-search-results/
+view:
+ data:
+ - type: CrowdStrike
+ value: DnsRequest
+ notes:
+ covered:
+ - Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
+ not_covered:
+ - Hosts with the Falcon agent, but where the Content Filter is not enabled
+ processors:
+ - name: Crowdstrike Investigate (UI)
+ analysis:
+ - name: Manual
+ steps:
+ - description: UI steps in Investigate Bulk domains
+ type: GUI
+ value: >
+ In the second table, `Process that looked up specified Domain(s)` the columns
+ `PID`, `Process ID`, and `File Name` give the source process information for the
+ DNS query.
diff --git a/data/approaches/Q1018.11.yaml b/data/approaches/Q1018.11.yaml
new file mode 100644
index 0000000..10cf173
--- /dev/null
+++ b/data/approaches/Q1018.11.yaml
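Review bot: The step in Q1018.10.yaml uses `type: GUI`, while the equally manual step added in Q1018.12.yaml in this same patch uses `type: manual`. If step types are a fixed vocabulary that tooling keys on (not visible here), one of the two spellings should be chosen for both files. The event is also written `DNSRequest` in `summary` but `DnsRequest` in `view.data`, and the product appears as both `Crowdstrike` and `CrowdStrike`. Using `DnsRequest` and `CrowdStrike` throughout would let an analyst copy the names straight into a search.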
@@ -0,0 +1,46 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Use Crowdstrike event search to link source processes to DNS queries
+type: approach
+id: Q1018.11
+dfiq_version: 1.0.0
+tags:
+ - CrowdStrike
+ - DNS
+description:
+ summary: CrowdStrike records the source process ID (ContextProcessId) for DNSRequest event.
+ details: >
+ Crowdstrike is a detection platform, not a logging platform, so not all DNS requests are logged.
+ Content Filter needs to be enabled to capture DNS request queries.
+ references:
+ - https://www.crowdstrike.com/blog/hunt-threat-activity-falcon-host-endpoint-protection/bulk-domain-search-results/
+view:
+ data:
+ - type: CrowdStrike
+ value: DnsRequest
+ notes:
+ covered:
+ - Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
+ not_covered:
+ - Hosts with the Falcon agent, but where the Content Filter is not enabled
+ processors:
+ - name: Splunk
+ analysis:
+ - name: Splunk-Query
+ steps:
+ - description: Query joining DNS Request events and executions gives the source for each DNS query
+ type: splunk-query
+ value: ComputerName="{hostname}" event_simpleName=ProcessRollup* | rename TargetProcessId_decimal as ContextProcessId_decimal | join ContextProcessId_decimal [search ComputerName="{hostname}" event_simpleName=DnsRequest | fields ContextProcessId_decimal, DomainName] | table _time, DomainName, ImageFileName
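Review bot: The `splunk-query` value calls `join` with its defaults, which keeps at most one subsearch row per left-hand event (`max=1`) and is bound by Splunk's subsearch result limits. A process that issued many DNS queries is therefore shown with only one `DomainName`, and on a busy host the DnsRequest side can be truncated without any error. That contradicts the description's claim that the query "gives the source for each DNS query". Consider `join max=0 ContextProcessId_decimal [...]`, or drive the search from the DnsRequest events and enrich them with process data, and mention the subsearch limit under `not_covered`.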
diff --git a/data/approaches/Q1018.12.yaml b/data/approaches/Q1018.12.yaml
new file mode 100644
index 0000000..515bc0d
--- /dev/null
+++ b/data/approaches/Q1018.12.yaml
@@ -0,0 +1,73 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +display_name: Use Sysmon (Event ID 22) to link source processes to DNS queries +type: approach +id: Q1018.12 +dfiq_version: 1.0.0 +tags: + - Sysmon + - DNS + - Windows +description: + summary: Sysmon Event ID 22 DnsQuery stores source process ID + details: > + DNS Query, event ID 22, records a DNS query being issued by a specific host and the originating process. + references: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90022 +view: + data: + - type: ForensicArtifact + value: WindowsXMLEventLogSysmon + notes: + covered: + - Windows + not_covered: + - Windows hosts without Sysmon installed + processors: + - name: Splunk + analysis: + - name: Splunk-Query + steps: + - description: Query for Sysmon Event ID 22 and extracting the parent process ID and path. + type: splunk-query + value: source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=22 | table _time, host, process_id, process_path + - name: Plaso + analysis: + - name: OpenSearch + steps: + - description: Query for Sysmon Event ID 22 events + type: opensearch-query + value: data_type:"windows:evtx:record" source_name:"Microsoft-Windows-Sysmon" event_identifier:22 + - description: Determine the source process in relevant event(s) + type: manual + value: > + Plaso (as of v20230717) doesn't parse the `xml_string` into attributes. 
Examine the + `xml_string`; the value after `` is the process that made the + DNS query. + - name: Python Notebook + steps: + - description: Query for Sysmon Event ID 22 events + type: pandas + value: df.query('data_type == "windows:evtx:record" and source_name == "Microsoft-Windows-Sysmon" and event_identifier == 22') + - description: Extract `Image` attribute + type: pandas + value: df['process'] = df['xml_string'].str.extract(r'(.*?)') + - description: Extract `QueryName` attribute + type: pandas + value: df['query'] = df['xml_string'].str.extract(r'(.*?)') + - description: Filter down to DNS query of interest + type: pandas + value: df[df.query.str.contains('')] diff --git a/data/approaches/Q1019.10.yaml b/data/approaches/Q1019.10.yaml new file mode 100644 index 0000000..f2bf48c --- /dev/null +++ b/data/approaches/Q1019.10.yaml 
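Review bot: The last pandas step in Q1018.12.yaml, `df[df.query.str.contains('')]`, will not run as written. An earlier step creates a column named `query`, but attribute access `df.query` resolves to the `DataFrame.query` method, so `.str` raises an AttributeError. Use bracket access, `df[df['query'].str.contains('{domain}')]` (placeholder constructed here), or give the column another name such as `query_name`. In the Splunk step the description says "parent process ID and path", although `process_id` and `process_path` would be the process that issued the query, and the `table` omits the queried name, so its output does not tie a process to a DNS query. The two regex patterns and the text "the value after ``" appear to have lost their XML tag text on this page and should be checked in the file itself.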
@@ -0,0 +1,47 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Collect process executions in Crowdstrike event search
+type: approach
+id: Q1019.10
+dfiq_version: 1.0.0
+tags:
+ - CrowdStrike
+ - Process Execution
+description:
+ summary: CrowdStrike records process executions in ProcessRollup event.
+ details: >
+ CrowdStrike is a detection platform, not a logging platform, so not all ProcessRollup events might be logged.
+ references:
+ - https://www.crowdstrike.com/blog/understanding-indicators-attack-ioas-power-event-stream-processing-crowdstrike-falcon/
+view:
+ data:
+ - type: CrowdStrike
+ value: ProcessRollup
+ notes:
+ covered:
+ - Mac, Linux and Windows systems with the Falcon Agent
+ - Chrome, Firefox, Safari, and Edge web browsers
+ not_covered:
+ - Other browsers (including Chromium)
+ - One of those four browsers, but have had their process name changed
+ processors:
+ - name: Splunk
+ analysis:
+ - name: Splunk-Query
+ steps:
+ - description: Query filtering the known browsers in execution event logs.
+ type: splunk-query
+ value: ComputerName="{hostname}" event_simpleName=ProcessRollup* ImageFileName IN ("*chrome*", "*firefox*", "*safari*", "*edge*") | table _time, CommandLine, ImageFileName
diff --git a/data/approaches/Q1020.10.yaml b/data/approaches/Q1020.10.yaml
index f9d76e5..efd65f5 100644
--- a/data/approaches/Q1020.10.yaml
+++ b/data/approaches/Q1020.10.yaml
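Review bot: The filter `ImageFileName IN ("*chrome*", "*firefox*", "*safari*", "*edge*")` in Q1019.10.yaml matches each substring anywhere in the image path. Any binary whose name or directory contains, for example, `edge` is therefore returned as a browser execution. `not_covered` lists the misses (renamed browsers) but nothing warns about these false positives. Either anchor the patterns on the executable file name or add a note that results must be checked against `ImageFileName`. The `display_name` is also broader than the approach; something like `Search CrowdStrike process executions for web browsers` would describe it and match the `CrowdStrike` spelling used in the tags.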
@@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,7 +40,7 @@ description: - "[Web Browsers on ForensicArtifacts](https://github.com/ForensicArtifacts/artifacts/blob/main/data/webbrowser.yaml)" view: data: - - type: artifact + - type: ForensicArtifact value: BrowserHistory - type: description value: Collect local browser history artifacts. These are often in the @@ -59,7 +59,7 @@ view: - Browsers installed in non-standard paths - Visits made in Incognito/Private sessions processors: - - name: plaso + - name: Plaso options: - type: parsers value: webhist @@ -74,7 +74,7 @@ view: - description: *filter-desc type: pandas value: query('data_type in ("chrome:history:page_visited", "firefox:places:page_visited", "safari:history:visit_sqlite")') - - name: hindsight + - name: Hindsight options: - type: format value: jsonl diff --git a/data/approaches/Q1024.10.yaml b/data/approaches/Q1024.10.yaml new file mode 100644 index 0000000..496f030 --- /dev/null +++ b/data/approaches/Q1024.10.yaml 
@@ -0,0 +1,50 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Search CrowdStrike logs for Incognito Chrome processes
+type: approach
+id: Q1024.10
+dfiq_version: 1.0.0
+tags:
+ - CrowdStrike
+ - Process Execution
+ - Web Browser
+description:
+ summary: CrowdStrike records the source process ID (ContextProcessId) for ProcessRollup events.
+ details: >
+ Crowdstrike is a detection platform, not a logging platform, so not all executions are logged.
+ We cannot always connect a running browser process with observed DNS requests. When we do see
+ DNS requests coming from a browser process, yet we don't see browsing history, there are
+ several possible explanations, including browser extensions or private browsing.
+ references:
+ - https://www.crowdstrike.com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/
+view:
+ data:
+ - type: CrowdStrike
+ value: ProcessRollup
+ notes:
+ covered:
+ - Chrome on Mac, Linux, and Windows hosts with a CrowdStrike Falcon agent
+ not_covered:
+ - Chrome instances with a renamed process
+ - Other Chromium-based browsers
+ processors:
+ - name: Splunk
+ analysis:
+ - name: Splunk-Query
+ steps:
+ - description: Query searching for browser processes executed in private mode
+ type: splunk-query
+ value: ComputerName="{hostname}" event_simpleName=ProcessRollup* CommandLine IN ("*chrome*") CommandLine IN (*disable-databases*) | table _time, DomainName, CommandLine
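Review bot: The final `table _time, DomainName, CommandLine` asks for `DomainName`, but the search is restricted to `event_simpleName=ProcessRollup*`. In Q1018.11.yaml of this same patch `DomainName` is taken from `DnsRequest` events, so this column is presumably always empty here; `table _time, ImageFileName, CommandLine` would show what the query actually returns. The file also never explains why `*disable-databases*` on the command line is treated as a sign of Incognito. A sentence in `details` stating that assumption, and which Chrome process types carry the switch, would let an analyst judge false negatives. The `summary` about `ContextProcessId` reads as if carried over from the Q1018 approaches and does not describe this one.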
diff --git a/data/approaches/Q1036.10.yaml b/data/approaches/Q1036.10.yaml index e0ff62c..974ae4a 100644 --- a/data/approaches/Q1036.10.yaml +++ b/data/approaches/Q1036.10.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,7 +31,7 @@ description: - "[PsExec on MITRE ATT&CK](https://attack.mitre.org/software/S0029/)" view: data: - - type: artifact + - type: ForensicArtifact value: WindowsPrefetchFiles - type: description value: Files used by the Windows Prefetch service. @@ -46,7 +46,7 @@ view: - Instances when the PsExec executable has been renamed. - Non-Windows systems, as the Prefetch service is Windows-only. processors: - - name: plaso + - name: Plaso options: - type: parsers value: prefetch diff --git a/data/approaches/Q1036.11.yaml b/data/approaches/Q1036.11.yaml index 2b663d0..5edb89f 100644 --- a/data/approaches/Q1036.11.yaml +++ b/data/approaches/Q1036.11.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,7 +31,7 @@ description: - "[PsExec on MITRE ATT&CK](https://attack.mitre.org/software/S0029/)" view: data: - - type: artifact + - type: ForensicArtifact value: WindowsEventLogs - type: description value: Windows Event Log files @@ -43,7 +43,7 @@ view: been deleted, it won't be found by this approach. - Instances when the PsExec executable has been renamed. processors: - - name: plaso + - name: Plaso options: - type: parsers value: winevtx diff --git a/data/approaches/Q1037.10.yaml b/data/approaches/Q1037.10.yaml index 5fad086..89784d1 100644 --- a/data/approaches/Q1037.10.yaml +++ b/data/approaches/Q1037.10.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,7 +31,7 @@ description: - "[PsExec on MITRE ATT&CK](https://attack.mitre.org/software/S0029/)" view: data: - - type: artifact + - type: ForensicArtifact value: WindowsPrefetchFiles - type: description value: Files used by the Windows Prefetch service. @@ -46,7 +46,7 @@ view: - Instances when the PsExeSvc executable has been renamed. - Non-Windows systems, as the Prefetch service is Windows-only. processors: - - name: plaso + - name: Plaso options: - type: parsers value: prefetch diff --git a/data/approaches/Q1037.11.yaml b/data/approaches/Q1037.11.yaml index 65a4b61..c603df5 100644 --- a/data/approaches/Q1037.11.yaml +++ b/data/approaches/Q1037.11.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,7 +31,7 @@ description: - "[PsExec on MITRE ATT&CK](https://attack.mitre.org/software/S0029/)" view: data: - - type: artifact + - type: ForensicArtifact value: WindowsEventLogs - type: description value: Windows Event Log files @@ -43,7 +43,7 @@ view: been deleted, it won't be found by this approach. - Instances when the PsExeSvc executable has been renamed. processors: - - name: plaso + - name: Plaso options: - type: parsers value: winevtx diff --git a/data/approaches/Q1037.12.yaml b/data/approaches/Q1037.12.yaml index a552e5a..9f3aa76 100644 --- a/data/approaches/Q1037.12.yaml +++ b/data/approaches/Q1037.12.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,7 +31,7 @@ description: - "[PsExec on MITRE ATT&CK](https://attack.mitre.org/software/S0029/)" view: data: - - type: artifact + - type: ForensicArtifact value: WindowsEventLogs - type: description value: Windows Event Log files @@ -43,7 +43,7 @@ view: been deleted, it won't be found by this approach. - Instances when the PsExeSvc service has been renamed. processors: - - name: plaso + - name: Plaso options: - type: parsers value: winevtx diff --git a/data/approaches/Q1074.10.yaml b/data/approaches/Q1074.10.yaml new file mode 100644 index 0000000..6af8adc --- /dev/null +++ b/data/approaches/Q1074.10.yaml 
@@ -0,0 +1,49 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Search CrowdStrike logs for indicator removal on host
+type: approach
+id: Q1074.10
+dfiq_version: 1.0.0
+tags:
+ - CrowdStrike
+ - Linux
+ - Windows
+ - macOS
+description:
+ summary: CrowdStrike has built-in detections for "indicator removal on host" events.
+ details: >
+ Clearance/deletion of system logs would be recorded in CrowdStrike as a part of their
+ "indicator removal on host" detections.
+ references:
+ - https://www.crowdstrike.com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/
+ - "[Indicator Removal on MITRE ATT&CK](https://attack.mitre.org/techniques/T1070/)"
+view:
+ data:
+ - type: CrowdStrike
+ value: PlatformEvents
+ notes:
+ covered:
+ - CrowdStrike's built-in detection for "indicator removal on host" events.
+ not_covered:
+ - CrowdStrike may not have all log clear/delete events as part of this detection.
+ processors:
+ - name: Splunk
+ analysis:
+ - name: Splunk-Query
+ steps:
+ - description: Query searching for indicator removal on host events.
+ type: splunk-query
+ value: ComputerName="{hostname}" Technique="Indicator Removal on Host"
\ No newline at end of file
diff --git a/data/approaches/Q1074.11.yaml b/data/approaches/Q1074.11.yaml
new file mode 100644
index 0000000..ffeaee2
--- /dev/null
+++ b/data/approaches/Q1074.11.yaml
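Review bot: The query in Q1074.10.yaml matches the exact string `Technique="Indicator Removal on Host"`, while the reference added in the same file titles T1070 "Indicator Removal". If detections are labelled with the shorter technique name (not verifiable from this patch), the exact match would miss them; `Technique="Indicator Removal*"` covers both spellings. Unlike the other Splunk approaches in this commit, the query ends without a `table`, so it would help to name the fields an analyst should review. The file is also added without a trailing newline (`\ No newline at end of file`).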
@@ -0,0 +1,53 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Examine Windows Event Logs for Audit Log cleared
+type: approach
+id: Q1074.11
+dfiq_version: 1.0.0
+tags:
+ - Windows
+ - Event Logs
+description:
+ summary: Parse the Windows Security Event Log and look for "the audit log was cleared" event.
+ details: >
+ On Windows systems, log clearance events for Security event log will be logged with event ID
+ 1102. The logs contain the actor account name, domain name, logon id fields.
+ references:
+ - "[1102(S): The audit log was cleared.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102)"
+ - "[Indicator Removal: Clear Windows Event Logs on MITRE ATT&CK](https://attack.mitre.org/techniques/T1070/001/)"
+view:
+ data:
+ - type: ForensicArtifact
+ value: WindowsEventLogs
+ - type: description
+ value: Windows Event Log files
+ notes:
+ covered:
+ - Security event log clearance events on Windows systems.
+ not_covered:
+ - If the log is deleted or otherwise altered, this event may not be logged.
+ - Only applies to Windows Security audit logs.
+ processors:
+ - name: Plaso
+ options:
+ - type: parsers
+ value: winevtx
+ analysis:
+ - name: OpenSearch
+ steps:
+ - description: Filter the results to events containing audit log clearance.
+ type: opensearch-query
+ value: data_type:"windows:evtx:record" event_identifier:1102 source_name:"Microsoft-Windows-Security-Auditing"
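Review bot: The `opensearch-query` filters on `source_name:"Microsoft-Windows-Security-Auditing"`, but to my knowledge event 1102 is written to the Security log by the `Microsoft-Windows-Eventlog` provider. If so, this filter would return nothing even when the audit log was cleared, which an analyst could read as "no clearing occurred". After confirming against a sample record, use `data_type:"windows:evtx:record" event_identifier:1102 source_name:"Microsoft-Windows-Eventlog"`, or drop the `source_name` term and rely on the event ID plus the Security channel. `not_covered` already says only the Security log is handled; it could add that clearing other logs is recorded under a different event in the System log.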
diff --git a/data/facets/F1001.yaml b/data/facets/F1001.yaml index 83ba283..8642899 100644 --- a/data/facets/F1001.yaml +++ b/data/facets/F1001.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +17,11 @@ display_name: > Are any ExternalCompany-related files on the actor’s assigned Company assets? type: facet -description: +description: > + An actor may bring unauthorized external intellectual property onto Company + “end user” devices (like laptops or desktops). Depending on the time frame + under consideration, past devices that the actor no longer actively uses may + need to be examined as well. id: F1001 dfiq_version: 1.0.0 tags: diff --git a/data/facets/F1002.yaml b/data/facets/F1002.yaml index 815f078..4e26ab0 100644 --- a/data/facets/F1002.yaml +++ b/data/facets/F1002.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/data/facets/F1003.yaml b/data/facets/F1003.yaml index 302a642..0084954 100644 --- a/data/facets/F1003.yaml +++ b/data/facets/F1003.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/data/facets/F1004.yaml b/data/facets/F1004.yaml index 704a5db..fa71393 100644 --- a/data/facets/F1004.yaml +++ b/data/facets/F1004.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/data/facets/F1005.yaml b/data/facets/F1005.yaml index 465086b..f0126fa 100644 
--- a/data/facets/F1005.yaml +++ b/data/facets/F1005.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/data/facets/F1006.yaml b/data/facets/F1006.yaml index 9100017..aeda4f7 100644 --- a/data/facets/F1006.yaml +++ b/data/facets/F1006.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/data/facets/F1007.yaml b/data/facets/F1007.yaml index b5f5514..fabb395 100644 --- a/data/facets/F1007.yaml +++ b/data/facets/F1007.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/data/facets/F1008.yaml b/data/facets/F1008.yaml index 29f9edc..53ec999 100644 --- a/data/facets/F1008.yaml +++ b/data/facets/F1008.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/data/facets/F1009.yaml b/data/facets/F1009.yaml index 8a615dc..a45fc48 100644 --- a/data/facets/F1009.yaml +++ b/data/facets/F1009.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/data/facets/F1010.yaml b/data/facets/F1010.yaml index df7161f..cfb795d 100644 --- a/data/facets/F1010.yaml +++ b/data/facets/F1010.yaml 
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1011.yaml b/data/facets/F1011.yaml
index 2ad2422..96e6e44 100644
--- a/data/facets/F1011.yaml
+++ b/data/facets/F1011.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1012.yaml b/data/facets/F1012.yaml
index 4bfd0a1..3fe2556 100644
--- a/data/facets/F1012.yaml
+++ b/data/facets/F1012.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1013.yaml b/data/facets/F1013.yaml
index 00b9af5..26c59ac 100644
--- a/data/facets/F1013.yaml
+++ b/data/facets/F1013.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1014.yaml b/data/facets/F1014.yaml
index 66f8bae..756eb3a 100644
--- a/data/facets/F1014.yaml
+++ b/data/facets/F1014.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1015.yaml b/data/facets/F1015.yaml
index 7ad97e0..61cecb9 100644
--- a/data/facets/F1015.yaml
+++ b/data/facets/F1015.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1016.yaml b/data/facets/F1016.yaml
index 9948937..e8d040c 100644
--- a/data/facets/F1016.yaml
+++ b/data/facets/F1016.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1017.yaml b/data/facets/F1017.yaml
index aa29d6b..667409f 100644
--- a/data/facets/F1017.yaml
+++ b/data/facets/F1017.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1018.yaml b/data/facets/F1018.yaml
index 2b653df..46f3c13 100644
--- a/data/facets/F1018.yaml
+++ b/data/facets/F1018.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1019.yaml b/data/facets/F1019.yaml
index 92e2645..f1025b0 100644
--- a/data/facets/F1019.yaml
+++ b/data/facets/F1019.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1020.yaml b/data/facets/F1020.yaml
index 3c02926..9496085 100644
--- a/data/facets/F1020.yaml
+++ b/data/facets/F1020.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1021.yaml b/data/facets/F1021.yaml
index 66a3af3..a644792 100644
--- a/data/facets/F1021.yaml
+++ b/data/facets/F1021.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1022.yaml b/data/facets/F1022.yaml
index 0e10788..a019f46 100644
--- a/data/facets/F1022.yaml
+++ b/data/facets/F1022.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1023.yaml b/data/facets/F1023.yaml
index b346ef6..28e4145 100644
--- a/data/facets/F1023.yaml
+++ b/data/facets/F1023.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1024.yaml b/data/facets/F1024.yaml
index 7976faf..4064254 100644
--- a/data/facets/F1024.yaml
+++ b/data/facets/F1024.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1025.yaml b/data/facets/F1025.yaml
index 670a43e..f0c2b09 100644
--- a/data/facets/F1025.yaml
+++ b/data/facets/F1025.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1026.yaml b/data/facets/F1026.yaml
index 669a27c..8e96eab 100644
--- a/data/facets/F1026.yaml
+++ b/data/facets/F1026.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1027.yaml b/data/facets/F1027.yaml
index 73bb0b5..4418307 100644
--- a/data/facets/F1027.yaml
+++ b/data/facets/F1027.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1028.yaml b/data/facets/F1028.yaml
index 5940c39..500b2e2 100644
--- a/data/facets/F1028.yaml
+++ b/data/facets/F1028.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/facets/F1029.yaml b/data/facets/F1029.yaml
new file mode 100644
index 0000000..6f68035
--- /dev/null
+++ b/data/facets/F1029.yaml
@@ -0,0 +1,26 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Are there any indications of communication with ExternalCompany?
+type: facet
+description: >
+ An actor may be exchanging information with an external company, commonly
+ via websites or email messages. The following Questions are broad, and the
+ results will need to be filtered for terms related to the external company.
+id: F1029
+dfiq_version: 1.0.0
+tags:
+parent_ids:
+ - S1002
diff --git a/data/facets/F1030.yaml b/data/facets/F1030.yaml
new file mode 100644
index 0000000..0e01870
--- /dev/null
+++ b/data/facets/F1030.yaml
@@ -0,0 +1,26 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: >
+ Has the actor connected to any ExternalCompany systems?
+type: facet
+description: >
+ An actor may be connecting to services or systems associated with
+ ExternalCompany, possibly through a client, a terminal, or a web browser.
+id: F1030
+dfiq_version: 1.0.0
+tags:
+parent_ids:
+ - S1002
diff --git a/data/questions/Q1001.yaml b/data/questions/Q1001.yaml
index ccd2593..6224b20 100644
--- a/data/questions/Q1001.yaml
+++ b/data/questions/Q1001.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,12 +15,10 @@
 ---
 display_name: What files were downloaded using a web browser?
 type: question
-description: Downloading files via a web browser is a common way to introduce files to a computer. Determining what
- files were downloaded can be helpful in variety of scenarios, ranging from malware investigations to insider cases.
+description:
 id: Q1001
 dfiq_version: 1.0.0
 tags:
- - Web Browser
 parent_ids:
 - F1008
 - F1002
diff --git a/data/questions/Q1002.yaml b/data/questions/Q1002.yaml
index 320fbef..207e927 100644
--- a/data/questions/Q1002.yaml
+++ b/data/questions/Q1002.yaml
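Review bot: The second hunk of data/questions/Q1001.yaml replaces the two-line description with a bare `description:` and removes `- Web Browser`, so both `description` and `tags` now parse as YAML null for this question. The commit subject mentions only new files and the copyright header, and Q1020.yaml keeps its `- Web Browser` tag in the same commit, so this looks unintended. Analysts who filter questions by tag, or who rely on the description to understand why browser downloads matter in malware and insider cases, lose that context for Q1001. If the removal is deliberate, state it in the commit message; otherwise restore the removed description text and the `- Web Browser` entry under `tags:`.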
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1003.yaml b/data/questions/Q1003.yaml
index 463190d..73171b2 100644
--- a/data/questions/Q1003.yaml
+++ b/data/questions/Q1003.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1004.yaml b/data/questions/Q1004.yaml
index 63115ed..65796d5 100644
--- a/data/questions/Q1004.yaml
+++ b/data/questions/Q1004.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1005.yaml b/data/questions/Q1005.yaml
index 4714e5f..5e78824 100644
--- a/data/questions/Q1005.yaml
+++ b/data/questions/Q1005.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1006.yaml b/data/questions/Q1006.yaml
index 43d3923..c71f84c 100644
--- a/data/questions/Q1006.yaml
+++ b/data/questions/Q1006.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1007.yaml b/data/questions/Q1007.yaml
index 3a90fbb..efb97fa 100644
--- a/data/questions/Q1007.yaml
+++ b/data/questions/Q1007.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1008.yaml b/data/questions/Q1008.yaml
index 5e4c2f7..4cd2e7d 100644
--- a/data/questions/Q1008.yaml
+++ b/data/questions/Q1008.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1009.yaml b/data/questions/Q1009.yaml
index 261db8e..1d69701 100644
--- a/data/questions/Q1009.yaml
+++ b/data/questions/Q1009.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1010.yaml b/data/questions/Q1010.yaml
index 88b1182..b3bb158 100644
--- a/data/questions/Q1010.yaml
+++ b/data/questions/Q1010.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1011.yaml b/data/questions/Q1011.yaml
index fbd9c30..3a993e6 100644
--- a/data/questions/Q1011.yaml
+++ b/data/questions/Q1011.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1012.yaml b/data/questions/Q1012.yaml
index 2450063..d5b2727 100644
--- a/data/questions/Q1012.yaml
+++ b/data/questions/Q1012.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1013.yaml b/data/questions/Q1013.yaml
index 107b035..b4312ab 100644
--- a/data/questions/Q1013.yaml
+++ b/data/questions/Q1013.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1014.yaml b/data/questions/Q1014.yaml
index 7c27acf..bc94015 100644
--- a/data/questions/Q1014.yaml
+++ b/data/questions/Q1014.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1015.yaml b/data/questions/Q1015.yaml
index 7e0d8f9..0df8b7f 100644
--- a/data/questions/Q1015.yaml
+++ b/data/questions/Q1015.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1016.yaml b/data/questions/Q1016.yaml
index 3f50119..577775c 100644
--- a/data/questions/Q1016.yaml
+++ b/data/questions/Q1016.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1017.yaml b/data/questions/Q1017.yaml
index bb3c919..0cee8ec 100644
--- a/data/questions/Q1017.yaml
+++ b/data/questions/Q1017.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1018.yaml b/data/questions/Q1018.yaml
index a288e05..0c163d7 100644
--- a/data/questions/Q1018.yaml
+++ b/data/questions/Q1018.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1019.yaml b/data/questions/Q1019.yaml
index d5f1db1..bbffb2c 100644
--- a/data/questions/Q1019.yaml
+++ b/data/questions/Q1019.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1020.yaml b/data/questions/Q1020.yaml
index 01387ce..7c6c843 100644
--- a/data/questions/Q1020.yaml
+++ b/data/questions/Q1020.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,3 +22,4 @@ tags:
 - Web Browser
 parent_ids:
 - F1005
+ - F1029
diff --git a/data/questions/Q1021.yaml b/data/questions/Q1021.yaml
index 5daa7a9..57005d5 100644
--- a/data/questions/Q1021.yaml
+++ b/data/questions/Q1021.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1022.yaml b/data/questions/Q1022.yaml
index 019f36d..7ce0cd7 100644
--- a/data/questions/Q1022.yaml
+++ b/data/questions/Q1022.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1023.yaml b/data/questions/Q1023.yaml
index 98e74fe..e362469 100644
--- a/data/questions/Q1023.yaml
+++ b/data/questions/Q1023.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1024.yaml b/data/questions/Q1024.yaml
index c3eed73..6b364a4 100644
--- a/data/questions/Q1024.yaml
+++ b/data/questions/Q1024.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1025.yaml b/data/questions/Q1025.yaml
index 1049d8e..7e8cb05 100644
--- a/data/questions/Q1025.yaml
+++ b/data/questions/Q1025.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1026.yaml b/data/questions/Q1026.yaml
index 2732a25..f39a17d 100644
--- a/data/questions/Q1026.yaml
+++ b/data/questions/Q1026.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1027.yaml b/data/questions/Q1027.yaml
index ecc7116..0e30096 100644
--- a/data/questions/Q1027.yaml
+++ b/data/questions/Q1027.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1028.yaml b/data/questions/Q1028.yaml
index 07bc3f1..c59653b 100644
--- a/data/questions/Q1028.yaml
+++ b/data/questions/Q1028.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1029.yaml b/data/questions/Q1029.yaml
index 720a180..ae04be9 100644
--- a/data/questions/Q1029.yaml
+++ b/data/questions/Q1029.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1030.yaml b/data/questions/Q1030.yaml
index b70e134..ef6c5f0 100644
--- a/data/questions/Q1030.yaml
+++ b/data/questions/Q1030.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1031.yaml b/data/questions/Q1031.yaml
index bdb114a..7e5e87d 100644
--- a/data/questions/Q1031.yaml
+++ b/data/questions/Q1031.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1032.yaml b/data/questions/Q1032.yaml
index ed6165e..b4bab13 100644
--- a/data/questions/Q1032.yaml
+++ b/data/questions/Q1032.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1033.yaml b/data/questions/Q1033.yaml
index 1539cd6..8ed0c78 100644
--- a/data/questions/Q1033.yaml
+++ b/data/questions/Q1033.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1034.yaml b/data/questions/Q1034.yaml
index 34131f1..df4ba8a 100644
--- a/data/questions/Q1034.yaml
+++ b/data/questions/Q1034.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1035.yaml b/data/questions/Q1035.yaml
index b3fd046..36babc8 100644
--- a/data/questions/Q1035.yaml
+++ b/data/questions/Q1035.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1036.yaml b/data/questions/Q1036.yaml
index 0bee321..9398ff6 100644
--- a/data/questions/Q1036.yaml
+++ b/data/questions/Q1036.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1037.yaml b/data/questions/Q1037.yaml
index e04edeb..b8e220f 100644
--- a/data/questions/Q1037.yaml
+++ b/data/questions/Q1037.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1038.yaml b/data/questions/Q1038.yaml
index 4eb7838..8779bc7 100644
--- a/data/questions/Q1038.yaml
+++ b/data/questions/Q1038.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1039.yaml b/data/questions/Q1039.yaml
index c8cf0b9..c5d936e 100644
--- a/data/questions/Q1039.yaml
+++ b/data/questions/Q1039.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1040.yaml b/data/questions/Q1040.yaml
index 4dbd7e6..0ad75ed 100644
--- a/data/questions/Q1040.yaml
+++ b/data/questions/Q1040.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1041.yaml b/data/questions/Q1041.yaml
index 7fab2b8..b72950a 100644
--- a/data/questions/Q1041.yaml
+++ b/data/questions/Q1041.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1042.yaml b/data/questions/Q1042.yaml
index fef43f3..c1d1539 100644
--- a/data/questions/Q1042.yaml
+++ b/data/questions/Q1042.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1043.yaml b/data/questions/Q1043.yaml
index cc7da08..3159d5c 100644
--- a/data/questions/Q1043.yaml
+++ b/data/questions/Q1043.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1044.yaml b/data/questions/Q1044.yaml
index 2ae2d16..a273f8a 100644
--- a/data/questions/Q1044.yaml
+++ b/data/questions/Q1044.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1045.yaml b/data/questions/Q1045.yaml
index bec1e0b..540fcde 100644
--- a/data/questions/Q1045.yaml
+++ b/data/questions/Q1045.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1046.yaml b/data/questions/Q1046.yaml
index 858ee43..1194d3e 100644
--- a/data/questions/Q1046.yaml
+++ b/data/questions/Q1046.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1047.yaml b/data/questions/Q1047.yaml
index 0aaf6be..a78ef05 100644
--- a/data/questions/Q1047.yaml
+++ b/data/questions/Q1047.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1048.yaml b/data/questions/Q1048.yaml
index c60b412..7ef65dc 100644
--- a/data/questions/Q1048.yaml
+++ b/data/questions/Q1048.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1049.yaml b/data/questions/Q1049.yaml
index 6efa634..4dedb76 100644
--- a/data/questions/Q1049.yaml
+++ b/data/questions/Q1049.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1050.yaml b/data/questions/Q1050.yaml
index 98465c9..8c1f220 100644
--- a/data/questions/Q1050.yaml
+++ b/data/questions/Q1050.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1051.yaml b/data/questions/Q1051.yaml
index 5c7b198..16b8527 100644
--- a/data/questions/Q1051.yaml
+++ b/data/questions/Q1051.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1052.yaml b/data/questions/Q1052.yaml
index 952bf7a..6d42154 100644
--- a/data/questions/Q1052.yaml
+++ b/data/questions/Q1052.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1053.yaml b/data/questions/Q1053.yaml
index 390fa47..1700b22 100644
--- a/data/questions/Q1053.yaml
+++ b/data/questions/Q1053.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1054.yaml b/data/questions/Q1054.yaml
index 38bed65..d52477e 100644
--- a/data/questions/Q1054.yaml
+++ b/data/questions/Q1054.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1055.yaml b/data/questions/Q1055.yaml
index 272025c..d65b1dd 100644
--- a/data/questions/Q1055.yaml
+++ b/data/questions/Q1055.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1056.yaml b/data/questions/Q1056.yaml
index aefce0f..27f7082 100644
--- a/data/questions/Q1056.yaml
+++ b/data/questions/Q1056.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1057.yaml b/data/questions/Q1057.yaml
index 392a43a..b427b23 100644
--- a/data/questions/Q1057.yaml
+++ b/data/questions/Q1057.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1058.yaml b/data/questions/Q1058.yaml
index a0cb97d..702da45 100644
--- a/data/questions/Q1058.yaml
+++ b/data/questions/Q1058.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1059.yaml b/data/questions/Q1059.yaml
index a79b70b..a9c66c4 100644
--- a/data/questions/Q1059.yaml
+++ b/data/questions/Q1059.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1060.yaml b/data/questions/Q1060.yaml
index e185baa..8e319ac 100644
--- a/data/questions/Q1060.yaml
+++ b/data/questions/Q1060.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1061.yaml b/data/questions/Q1061.yaml
index d4818f4..a97b43a 100644
--- a/data/questions/Q1061.yaml
+++ b/data/questions/Q1061.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1062.yaml b/data/questions/Q1062.yaml
index 06c1cdf..478d6c7 100644
--- a/data/questions/Q1062.yaml
+++ b/data/questions/Q1062.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1063.yaml b/data/questions/Q1063.yaml
index 9f6a0a1..09c5c1c 100644
--- a/data/questions/Q1063.yaml
+++ b/data/questions/Q1063.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1064.yaml b/data/questions/Q1064.yaml
index 5e00a9a..f8cafbb 100644
--- a/data/questions/Q1064.yaml
+++ b/data/questions/Q1064.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1065.yaml b/data/questions/Q1065.yaml
index 78304ad..18acac0 100644
--- a/data/questions/Q1065.yaml
+++ b/data/questions/Q1065.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1066.yaml b/data/questions/Q1066.yaml
index ef411bc..6bae1af 100644
--- a/data/questions/Q1066.yaml
+++ b/data/questions/Q1066.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1067.yaml b/data/questions/Q1067.yaml
index 9d12f5f..c996058 100644
--- a/data/questions/Q1067.yaml
+++ b/data/questions/Q1067.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1068.yaml b/data/questions/Q1068.yaml
index cb74a0a..ef0241c 100644
--- a/data/questions/Q1068.yaml
+++ b/data/questions/Q1068.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1069.yaml b/data/questions/Q1069.yaml
index fa92364..2ba64b5 100644
--- a/data/questions/Q1069.yaml
+++ b/data/questions/Q1069.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1070.yaml b/data/questions/Q1070.yaml
index f1bc755..d0c09ec 100644
--- a/data/questions/Q1070.yaml
+++ b/data/questions/Q1070.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1071.yaml b/data/questions/Q1071.yaml
index 1b13332..b6fa689 100644
--- a/data/questions/Q1071.yaml
+++ b/data/questions/Q1071.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1072.yaml b/data/questions/Q1072.yaml
index 7a74971..2a357b9 100644
--- a/data/questions/Q1072.yaml
+++ b/data/questions/Q1072.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1073.yaml b/data/questions/Q1073.yaml
index bd56eb0..314d5a1 100644
--- a/data/questions/Q1073.yaml
+++ b/data/questions/Q1073.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1074.yaml b/data/questions/Q1074.yaml
index 401a66c..6375095 100644
--- a/data/questions/Q1074.yaml
+++ b/data/questions/Q1074.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1075.yaml b/data/questions/Q1075.yaml
index d4c809e..fdfc479 100644
--- a/data/questions/Q1075.yaml
+++ b/data/questions/Q1075.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1076.yaml b/data/questions/Q1076.yaml
index be16b66..c0a4193 100644
--- a/data/questions/Q1076.yaml
+++ b/data/questions/Q1076.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1077.yaml b/data/questions/Q1077.yaml
index b764d9f..5cda2dc 100644
--- a/data/questions/Q1077.yaml
+++ b/data/questions/Q1077.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1078.yaml b/data/questions/Q1078.yaml
index 4eeee19..de09f9f 100644
--- a/data/questions/Q1078.yaml
+++ b/data/questions/Q1078.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1079.yaml b/data/questions/Q1079.yaml
index 7c3a46d..cf62515 100644
--- a/data/questions/Q1079.yaml
+++ b/data/questions/Q1079.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1080.yaml b/data/questions/Q1080.yaml
index 5aca375..4c9e5f3 100644
--- a/data/questions/Q1080.yaml
+++ b/data/questions/Q1080.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1081.yaml b/data/questions/Q1081.yaml
index 95df0f0..d12e5c2 100644
--- a/data/questions/Q1081.yaml
+++ b/data/questions/Q1081.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1082.yaml b/data/questions/Q1082.yaml
index 97fa368..792f2eb 100644
--- a/data/questions/Q1082.yaml
+++ b/data/questions/Q1082.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1083.yaml b/data/questions/Q1083.yaml
index 9685544..fea2eea 100644
--- a/data/questions/Q1083.yaml
+++ b/data/questions/Q1083.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/questions/Q1084.yaml b/data/questions/Q1084.yaml
index 85e7eac..4328225 100644
--- a/data/questions/Q1084.yaml
+++ b/data/questions/Q1084.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,3 +25,4 @@ dfiq_version: 1.0.0
 tags:
 parent_ids:
 - F1011
+ - F1029
diff --git a/data/questions/Q1085.yaml b/data/questions/Q1085.yaml
new file mode 100644
index 0000000..6ed983e
--- /dev/null
+++ b/data/questions/Q1085.yaml
@@ -0,0 +1,23 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: What DNS requests have been made from a system?
+type: question
+description:
+id: Q1085
+dfiq_version: 1.0.0
+tags:
+parent_ids:
+ - F1029
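Review bot: `description:` is left empty in the new Q1085.yaml, and likewise in Q1086 through Q1090, so it parses as null and the display name is the only statement of scope. For Q1085 that leaves open whether the question is about host-side records, resolver or network logs, or all of them, which matters when different analysts answer it from different evidence. A one-line description per file would settle it, for example `description: DNS queries that originated from the system under investigation, from host or network sources.` (wording is a suggestion; adjust to the facet's intent).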
diff --git a/data/questions/Q1086.yaml b/data/questions/Q1086.yaml
new file mode 100644
index 0000000..0faffa5
--- /dev/null
+++ b/data/questions/Q1086.yaml
@@ -0,0 +1,23 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: What web-based email messages were viewed in a web browser?
+type: question
+description:
+id: Q1086
+dfiq_version: 1.0.0
+tags:
+parent_ids:
+ - F1029
diff --git a/data/questions/Q1087.yaml b/data/questions/Q1087.yaml
new file mode 100644
index 0000000..955d422
--- /dev/null
+++ b/data/questions/Q1087.yaml
@@ -0,0 +1,23 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Did the user access any common PaaS/SaaS services?
+type: question
+description:
+id: Q1087
+dfiq_version: 1.0.0
+tags:
+parent_ids:
+ - F1030
diff --git a/data/questions/Q1088.yaml b/data/questions/Q1088.yaml
new file mode 100644
index 0000000..fa4452f
--- /dev/null
+++ b/data/questions/Q1088.yaml
@@ -0,0 +1,24 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: >
+ Did the user connect to any non-Company systems using the command line?
+type: question
+description:
+id: Q1088
+dfiq_version: 1.0.0
+tags:
+parent_ids:
+ - F1030
diff --git a/data/questions/Q1089.yaml b/data/questions/Q1089.yaml
new file mode 100644
index 0000000..47e7ed5
--- /dev/null
+++ b/data/questions/Q1089.yaml
@@ -0,0 +1,23 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Did the user download any Citrix configuration (.ica) files?
+type: question
+description:
+id: Q1089
+dfiq_version: 1.0.0
+tags:
+parent_ids:
+ - F1030
diff --git a/data/questions/Q1090.yaml b/data/questions/Q1090.yaml
new file mode 100644
index 0000000..ef87f46
--- /dev/null
+++ b/data/questions/Q1090.yaml
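Review bot: The folded scalar `display_name: >` in Q1088.yaml uses the default clip chomping, so the parsed value ends with a newline, unlike the plain-scalar display names in the other new question files. If any consumer compares, indexes or renders display_name without stripping whitespace, this entry will behave differently from its siblings; `display_name: >-` keeps the line folding and drops the trailing newline. Separately, "non-Company" reads as a defined term that the file never defines, so a sentence in `description:` stating what counts as a company system would let the question be answered consistently.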
@@ -0,0 +1,23 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+display_name: Did the user interact with any git repositories?
+type: question
+description:
+id: Q1090
+dfiq_version: 1.0.0
+tags:
+parent_ids:
+ - F1030
diff --git a/data/scenarios/S1001.yaml b/data/scenarios/S1001.yaml
index d16696a..7236fb0 100644
--- a/data/scenarios/S1001.yaml
+++ b/data/scenarios/S1001.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,4 +22,3 @@ description: >
 id: S1001
 dfiq_version: 1.0.0
 tags:
- - Insider
diff --git a/data/scenarios/S1002.yaml b/data/scenarios/S1002.yaml
index 700966d..5eba5b9 100644
--- a/data/scenarios/S1002.yaml
+++ b/data/scenarios/S1002.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/scenarios/S1003.yaml b/data/scenarios/S1003.yaml
index 704d9dc..796e59c 100644
--- a/data/scenarios/S1003.yaml
+++ b/data/scenarios/S1003.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/scenarios/S1005.yaml b/data/scenarios/S1005.yaml
index de014fd..619c1e8 100644
--- a/data/scenarios/S1005.yaml
+++ b/data/scenarios/S1005.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/scenarios/S1007.yaml b/data/scenarios/S1007.yaml
index c9c5553..930d559 100644
--- a/data/scenarios/S1007.yaml
+++ b/data/scenarios/S1007.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/data/scenarios/S1008.yaml b/data/scenarios/S1008.yaml
index e44118b..5512045 100644
--- a/data/scenarios/S1008.yaml
+++ b/data/scenarios/S1008.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.