Add event 'version' field to the data dictionary schema

[hxnoyd]

Problem With ETW on-boarding, we now have multiple data dictionaries with the same 'event code' but different versions. The version is available in the filename, and in the tags array of the event.

Those consuming data dictionaries YML, will find that it is complex to distinguish between events with the same 'event code', specially when filtering for specific versions of a data dictionary. Parsing an array to retrieve the data dictionary version is cumbersome, since it introduces additional complexity.

Example Because OSSEM data dictionaries are atomic file entities, the workaround to avoid file name conflicts as to append the version number to the data dictionary file name with '_v#', for example: event-4624_v1.yml.

If no version information is available, the filename only contains the event code, for example event-4624.yml

Proposal

• Add a 'version' field to the data dictionary YAML schema, and update all data dictionary entries accordingly.
• Default value is 0 when no version information is available.
• Keep the version information available in the filename, if applicable.

[Cyb3rWard0g]

That works @hxnoyd ! Thank you very much for the suggestion. it makes sense and it should be added agreed. I was wondering if you have that update in some of the scripts that you use to manipulate the YAML files.

[hxnoyd]

@Cyb3rWard0g no problem with the scripting part, that's an easy change. I was just concerned if we were OK with having a "version" field in the schema that, in most cases, will be 0 (i.e. when no version is available).

[Cyb3rWard0g]

Idea:

• Adding a new field for each dictionary (It creates a column in the MD file)

[Cyb3rWard0g]

Can we do :

User can do this programmatically event 4688.yml

name: 4688
version: 3

OSSEM provides event 4688_v3.yml

name: 4688
version: 3

event 4688_v2.yml

name: 4688
version: 2

[Cyb3rWard0g]

It should be good to reference: https://github.com/jdu2600/Windows10EtwEvents