search

OTRF / OSSEM-DM

OSSEM Detection Model
MIT License
167 stars 43 forks source link

Added Sysmon for Linux to relationships #36

Closed Cyb3rWard0g closed 3 years ago

Cyb3rWard0g commented 3 years ago

https://github.com/OTRF/OSSEM-DM/tree/main/relationships

Example:

name: Process created File
contributors:
- Jose Rodriguez @Cyb3rPandaH
- Roberto Rodriguez @Cyb3rWard0g
- Olaf Hartong @olafhartong
attack:
  data_source: File
  data_component: file creation
behavior:
  source: process
  relationship: created
  target: file
security_events:
- event_id: 11
  name: FileCreate.
  platform: Windows
  audit_category: FileCreate
  log_channel: Microsoft-Windows-Sysmon/Operational
  log_provider: Microsoft-Windows-Sysmon
- event_id: 11
  name: FileCreate.
  platform: Linux
  audit_category: FileCreate
  log_channel: Linux-Sysmon/Operational
  log_provider: Linux-Sysmon
- event_id: FileCreated
  name: FileCreated
  platform: Windows
  audit_category: null
  log_channel: DeviceFileEvents
  log_provider: Microsoft Defender for Endpoint
references:
notes:
Cyb3rWard0g commented 3 years ago

https://github.com/OTRF/OSSEM-DM/commit/65b5974378525c906dbe103fed6a9dfa355612c2