Closed nicolasreich closed 3 years ago
Hello @nicolasreich! We are working on a few updates to OSSEM in general. Sorry for the delay. I have been very busy with a few things at work. Something that we have changed recently is the structure of the project. We have moved every main branch (Data Dictionaries, Common Data Model and Detection Model) to their own GitHub repo, and we are adding them to OSSEM master as a GitHub submodule. We then run a script (https://github.com/OTRF/OSSEM/blob/master/resources/scripts/ossem_converter2.py) to parse all the YAML content from a few branches (so far DM and CDM) and create the Markdown files automatically. We use those Markdown files in a new folder named docs: https://github.com/OTRF/OSSEM/tree/master/docs
The data dictionaries in YAML format are here: https://github.com/OTRF/OSSEM-DD/tree/main/windows/sysmon/events and I added all your proposed changes in this commit: https://github.com/OTRF/OSSEM-DD/commit/c2b64f69e0f98a3bc9f8ff28ceccf0ac1e826ec4
I appreciate all your questions and help @nicolasreich! Very helpful! I will close this PR and reference it in the commit. Thank you!
I've done a first pass on Sysmon data dictionaries, in order to make them compliant with entities. There are still some issues, listed below:
service_state
, sysmon_schema_version
), and 16. registry_key
or registry_path
. registry_path
, so I went with registry_path_modified
following the convention of registry_value_name_modified
Let me know if there are other issues.