OTRF / OSSEM

Open Source Security Events Metadata (OSSEM)
MIT License

CDM vs data dictionaries - what's the "source of truth" in cases of mismatch? #91

Closed nicolasreich closed 3 years ago

nicolasreich commented 3 years ago

Hello,

In some cases, there are mismatches between the CDM and Data Dictionaries, which is normal for such a young project. When such a case arises, what should be considered correct?

As an example of such a mismatch, the full path of the executable file of a process is called process_file_path in the CDM, but process_path in most of the data dictionaries where it appears.

Cheers

Cyb3rWard0g commented 3 years ago

Hello @nicolasreich ! There were some recent changes to make the project a little bit more modular and CDM will be the schema that should be considered from now on. We are reviewing the endpoint entities and attributes. Windows Security is a provider with over 400 events so we are reviewing several of them atm after those massive changes. We are also updating the format of the dictionaries and removing a few sections. That is coming soon. I appreciate the feedback.

nicolasreich commented 3 years ago

Okay thanks for the clarification, we'll look at the CDM when in doubt, and follow the updates of the project.
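The mismatch raised in this thread (process_path in a data dictionary versus process_file_path in the CDM) and the resolution given above (treat the CDM as the source of truth) can be turned into a mechanical check. The following is an added example, not OSSEM project code: it flattens a CDM excerpt into an attribute index, walks a data dictionary's standard names, resolves known legacy names through an alias table, and reports anything it cannot map to the CDM. The CDM and dictionary structures are constructed for this example and only loosely mirror the shape of the project's YAML files (an attributes list per entity, an event_fields list per dictionary); the real files may use different keys, and the alias table is a hypothetical mapping maintained by whoever consumes the dictionaries.

```python
"""Check an OSSEM-style data dictionary against the CDM and normalize field names.

Added example, not OSSEM project code. The structures below are constructed to
loosely mirror the shape of OSSEM CDM entity and data dictionary files; the
real files may use different keys. The alias map is an assumption.
"""
from typing import Dict, List, Tuple

# Constructed CDM excerpt (assumed shape): entity name -> attribute names.
CDM_ENTITIES: Dict[str, List[str]] = {
    "process": ["process_id", "process_name", "process_file_path", "process_command_line"],
    "user": ["user_name", "user_domain", "user_sid"],
}

# Constructed data dictionary excerpt (assumed shape) for a process creation
# event. `standard_name` is the normalized name the dictionary assigns to the
# provider-specific field `name`.
DATA_DICTIONARY = {
    "title": "Process creation (constructed example)",
    "event_fields": [
        {"standard_name": "process_id", "name": "NewProcessId"},
        {"standard_name": "process_path", "name": "NewProcessName"},    # differs from the CDM
        {"standard_name": "process_command_line", "name": "CommandLine"},
        {"standard_name": "user_name", "name": "SubjectUserName"},
        {"standard_name": "logon_id", "name": "SubjectLogonId"},        # absent from the CDM excerpt
    ],
}

# Hypothetical alias table: dictionary/legacy names -> CDM attribute names.
ALIASES: Dict[str, str] = {
    "process_path": "process_file_path",
}


def cdm_attribute_index(cdm_entities: Dict[str, List[str]]) -> Dict[str, str]:
    """Flatten the CDM into a lookup of attribute name -> owning entity."""
    index: Dict[str, str] = {}
    for entity, attrs in cdm_entities.items():
        for attr in attrs:
            index[attr] = entity
    return index


def check_dictionary(cdm_entities: Dict[str, List[str]], dictionary: dict,
                     aliases: Dict[str, str]) -> Dict[str, list]:
    """Validate each standard_name against the CDM, which is treated as authoritative.

    Returns a dict with:
      normalized: (cdm_name, provider_field) pairs after alias resolution
      renamed:    standard names that were only accepted via the alias table
      unresolved: standard names neither in the CDM nor mappable to it
    """
    index = cdm_attribute_index(cdm_entities)
    normalized: List[Tuple[str, str]] = []
    renamed: List[str] = []
    unresolved: List[str] = []
    for field in dictionary["event_fields"]:
        std = field["standard_name"]
        if std in index:
            normalized.append((std, field["name"]))
            continue
        target = aliases.get(std)
        # An alias only counts if its target really exists in the CDM.
        if target is not None and target in index:
            normalized.append((target, field["name"]))
            renamed.append(std)
        else:
            unresolved.append(std)
    return {"normalized": normalized, "renamed": renamed, "unresolved": unresolved}


if __name__ == "__main__":
    result = check_dictionary(CDM_ENTITIES, DATA_DICTIONARY, ALIASES)
    print(f"Checked: {DATA_DICTIONARY['title']}")
    for cdm_name, provider_field in result["normalized"]:
        print(f"  {provider_field:20s} -> {cdm_name}")
    if result["renamed"]:
        print("Renamed via alias table (dictionary should be updated to the CDM name):",
              ", ".join(result["renamed"]))
    if result["unresolved"]:
        print("Unresolved (not in CDM, no alias):", ", ".join(result["unresolved"]))
```

Run against the constructed input, process_path is accepted only because the alias table maps it to process_file_path, and logon_id is flagged as unresolved; both lists are what a reviewer would take back to the dictionary or to the CDM rather than silently picking one side.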