OTRF / OSSEM

Open Source Security Events Metadata (OSSEM)
MIT License

Detection data model and required data fields #37

Open hxnoyd opened 4 years ago

hxnoyd commented 4 years ago

The current detection data model (DDM) does not take into consideration mandatory data fields, for example: I want to develop a detection analytic on "win registry key modification", and I require "registry_key_path", "registry_key_value_name" and "registry_key_value_data" to be present. If my EDR solution fails to provide one of these fields (i.e. "registry_key_value_data"), both the data dictionary (of the EDR in question) and the common information model will provide a "win registry" object that lacks a data field needed by the analytic (i.e. "registry_key_value_data").

Is this by design, something you want to keep out of the DDM?
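The gap described in this issue, an analytic that needs three registry fields while a given EDR's data dictionary only emits two, can be checked mechanically before the analytic is deployed. The following is an added example and is not OSSEM project code: it models an analytic's required fields and a product's data dictionary as plain Python objects, reports which required fields are missing per product, and builds a coverage matrix over several dictionaries. The field names for the registry example are the ones from the issue; the event-type key `registry_set_value`, the `process_name` field and the two EDR dictionaries are constructed sample data.

```python
"""Check whether a data source provides every field a detection analytic requires.

Added example, not part of the OSSEM project. The analytic definition and the
two data dictionaries below are constructed sample data; the three registry
field names come from the issue text, everything else is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Analytic:
    """A detection analytic, the event type it consumes and the fields it cannot work without."""
    name: str
    event_type: str
    required_fields: frozenset[str]
    optional_fields: frozenset[str] = frozenset()  # nice-to-have, never blocks deployment


@dataclass
class DataDictionary:
    """Fields a particular product (e.g. an EDR) actually emits, keyed by event type."""
    product: str
    fields_by_event: dict[str, set[str]] = field(default_factory=dict)

    def provides(self, event_type: str) -> set[str]:
        # An event type the product does not log at all provides no fields.
        return self.fields_by_event.get(event_type, set())


def missing_fields(analytic: Analytic, dd: DataDictionary) -> list[str]:
    """Required fields of ``analytic`` that ``dd`` does not provide for the analytic's event type."""
    return sorted(analytic.required_fields - dd.provides(analytic.event_type))


def can_run(analytic: Analytic, dd: DataDictionary) -> bool:
    """True only when every required field is present; optional fields are ignored."""
    return not missing_fields(analytic, dd)


def coverage_report(
    analytics: list[Analytic], dictionaries: list[DataDictionary]
) -> dict[str, dict[str, list[str]]]:
    """Map product -> analytic name -> list of missing required fields (empty list = deployable)."""
    return {
        dd.product: {a.name: missing_fields(a, dd) for a in analytics}
        for dd in dictionaries
    }


# Constructed sample data (hypothetical products; field names for the registry
# analytic are taken from the issue, the event type key is assumed).
REGISTRY_MODIFICATION = Analytic(
    name="win registry key modification",
    event_type="registry_set_value",
    required_fields=frozenset(
        {"registry_key_path", "registry_key_value_name", "registry_key_value_data"}
    ),
    optional_fields=frozenset({"process_name"}),
)

EDR_A = DataDictionary(
    product="EDR-A (constructed)",
    fields_by_event={
        "registry_set_value": {
            "registry_key_path",
            "registry_key_value_name",
            "registry_key_value_data",
            "process_name",
        }
    },
)

# EDR-B logs registry writes but omits the value data, the situation the issue describes.
EDR_B = DataDictionary(
    product="EDR-B (constructed)",
    fields_by_event={
        "registry_set_value": {"registry_key_path", "registry_key_value_name"}
    },
)


if __name__ == "__main__":
    for product, per_analytic in coverage_report([REGISTRY_MODIFICATION], [EDR_A, EDR_B]).items():
        for analytic_name, missing in per_analytic.items():
            status = "OK" if not missing else "MISSING " + ", ".join(missing)
            print(f"{product:22} {analytic_name:32} {status}")
```

Running the module prints one line per product and analytic; EDR-B is flagged with `MISSING registry_key_value_data`, which is exactly the field the analytic cannot do without. Keeping required and optional fields apart in the analytic definition is the design point: a product that lacks only `process_name` still passes, while a missing required field blocks the analytic from being considered deployable on that source.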

Cyb3rWard0g commented 4 years ago

Hey @hxnoyd, the DDM is still a work in progress so I agree with you that it needs to be added to it to cover analytics like the ones you are working on. Thank you for the suggestion and feedback. I will add that soon. Thank you.