OTRF / OSSEM

Open Source Security Events Metadata (OSSEM)

Feedback based on usage in Grapl #29

Open insanitybit opened 5 years ago

insanitybit commented 5 years ago

Hey, I saw that feedback was asked for regarding contributing. I'm the author of a tool, Grapl: https://github.com/insanitybit/grapl

I've decided to adopt a schema that is heavily based on the CIM description here (it's in a branch currently), with only minor changes to support a bit more of a 'graph' feel. As two examples,

So it's mostly just a subset.

I chose this over CAR for a few reasons - I found the naming to be more general, and I liked that things such as digital signatures were attached to files, and not processes.

I thought this feedback might be of interest to you. Thanks for putting this project together.

I will say though, I hope that this stabilizes soon. If it takes a long time I will probably end up not bothering to make any breaking updates, and it would be a shame to diverge.

Cyb3rWard0g commented 5 years ago

Hey @insanitybit, sorry for the late response. I would love to know how we can help. Also, what do you mean by "stabilizes soon"? You mean not Alpha anymore? If you believe something needs to be updated, please submit a PR, and I can provide some feedback too. The short term goal was to document a few data sources and document relationships among events of the same or different data sources (i.e. Windows Sysmon and Security). The next step is to validate the CIM, and also test a few applications on top of OSSEM such as Graphing, then prototype all that with HELK.

insanitybit commented 5 years ago

Oh, by stability I only mean "not alpha", i.e. the schema won't be changing in a breaking way.

insanitybit commented 4 years ago

Hey, looking at the CIM more, it would be great if the Process CIM included information like the creation and termination times of the process. I can open a new issue for this if you'd like?