atc-project / atc-data

Actionable data for Security Operations
Apache License 2.0

Change naming scheme: Update IDs to be `DN0000`, `LP0000`, `EN0000` #5

Open yugoslavskiy opened 4 years ago

mrblacyk commented 4 years ago

mmv 'DN_*' 'DN#1'
mmv 'LP_*' 'LP#1'
mmv 'EN_*' 'EN#1'
yugoslavskiy commented 4 years ago

it's not about filenames, it's about naming scheme in general. see: https://github.com/atc-project/atc-react/issues/294

mrblacyk commented 4 years ago

Titles are also renamed, take a look here

https://github.com/atc-project/atc-data/blob/master/data_needed/DN0001_4688_windows_process_creation.yml

mrblacyk commented 4 years ago

Also following any dependencies in a given file. We just realised this with @sn0w0tter later in the process of implementing another issue

https://github.com/atc-project/atc-data/blob/master/data_needed/DN0001_4688_windows_process_creation.yml#L6

yugoslavskiy commented 4 years ago

sorry, I should have added more context to it. we need to split ID from the title, and leave the title human-readable, not connected to the filename itself.

title: 4688 Windows Process Creation
id: DN0001
author: '@atc_project'
description: Windows process creation log, not including command line
loggingpolicy:
  - LP0001: Windows Audit Process Creation

I am not 100% sure about LP, if it should be LP0001: Windows Audit Process Creation or just LP0001. This is an open question and I believe we should discuss pros/cons using Descartes square model:

yugoslavskiy commented 4 years ago

well, it also makes sense to put EventID into a separate field
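As an added illustration (not code from the atc-data project), a small checker for the scheme proposed in this thread: the `id` is a separate `DN`/`LP`/`EN` + four-digit field, the filename starts with that id, the title no longer carries it, and `loggingpolicy` references resolve whether written as bare `LP0001` or as `LP0001: Windows Audit Process Creation`. The sample documents are constructed here as the dicts `yaml.safe_load()` would return, and the `event_id` field is an assumption standing in for the "separate EventID field" idea.

```python
import re

# Proposed scheme: a DN/LP/EN prefix followed by exactly four digits.
ID_RE = re.compile(r"^(DN|LP|EN)\d{4}$")

# Constructed samples, shaped like yaml.safe_load() output for the YAML in the
# thread. 'event_id' is an assumed field, not part of the real schema.
DOCS = {
    "data_needed/DN0001_4688_windows_process_creation.yml": {
        "title": "4688 Windows Process Creation",
        "id": "DN0001",
        "event_id": 4688,
        "loggingpolicy": [{"LP0001": "Windows Audit Process Creation"}],
    },
    "logging_policies/LP0001_windows_audit_process_creation.yml": {
        "title": "Windows Audit Process Creation",
        "id": "LP0001",
    },
}


def ref_id(ref):
    """Id of a reference given as 'LP0001' or as {'LP0001': 'title'}."""
    if isinstance(ref, dict):
        if len(ref) != 1:
            raise ValueError(f"reference must have exactly one key: {ref!r}")
        return next(iter(ref))
    return ref


def validate(docs):
    """Return a list of problems; an empty list means the set is consistent."""
    known = {doc.get("id") for doc in docs.values()}
    problems = []
    for path, doc in docs.items():
        doc_id = doc.get("id", "")
        fname = path.rsplit("/", 1)[-1]
        if not ID_RE.match(doc_id):
            problems.append(f"{path}: bad id {doc_id!r}")
        if not fname.startswith(doc_id + "_"):
            problems.append(f"{path}: filename does not start with {doc_id}_")
        if doc_id and doc.get("title", "").startswith(doc_id):
            problems.append(f"{path}: title still carries the id")
        for ref in doc.get("loggingpolicy", []):
            rid = ref_id(ref)
            if rid not in known:
                problems.append(f"{path}: unresolved loggingpolicy ref {rid}")
    return problems
```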