Open Source Security Events Metadata (OSSEM)

A community-led project focused primarily on the documentation, standardization and modeling of security event logs.

https://ossemproject.com/intro.html

Define and share a common data moel in order to improve the data standardization and transformation of security event logs
Define and share data structures and relationships identified in security events logs
Provide detailed information in a dictionary format about several security event logs to the community
Learn more about security event logs (Windows, Linux, MacOS, Azure, AWS, etc)

Data Dictionaries (DD):
- Contains specific information about several security event logs organized by operating system and their respective data providers.
- Each dictionary describes a single event log and its corresponding field names.
- It provides the foundational concepts to create a data wiki in an organization.
Common Data Model (CDM)
- Facilitates the normalization of data by providing a standard way to parse security event logs.
- The project is organized by schema entities identified in several data sources.
- The definitions of each schema entity and its respective attributes (field names) are mostly general descriptions that could help and expedite event logs parsing procedures.
- The project also provides the concept of schema tables to aggregate common entities and parse similar data sources. For example, HTTP, Port and User Agent entities can be used to normalize network traffic metadata captured in a network environment.
Detection Model (DM):
- Focuses on identifying relationships among security events to facilitate the development of data analytics and help validate the detection of adversary techniques.