OTRF / OSSEM

Open Source Security Events Metadata (OSSEM)
MIT License
1.24k stars 215 forks source link

Detection data model and required data fields #37

Open hxnoyd opened 5 years ago

hxnoyd commented 5 years ago

The current detection data model (DDM) does not take into consideration mandatory data fields, for example: I want to develop a detection analytic on "win registry key modification", and I require "registry_key_path", "registry_key_value_name" and "registry_key_value_data" to be present. If my EDR solution lacks to provide one of this fields (i.e. "registry_key_value_data"), both the data dictionary (of the EDR in question) and common information model will provide a "win registry" object that lacks a data field needed by the analytic (i.e. "registry_key_value_data").

Is this by design, something you want to keep out of the DDM?

Cyb3rWard0g commented 5 years ago

Hey @hxnoyd , the DDM is still a work in progress so I agree with you that it needs to be added to it to cover analytics like the ones you are working on. Thank you for the suggestion and feedback. I will add that soon. Thank you.