d3fend / d3fend-ontology

This repository holds the necessary content to produce the D3FEND ontology distribution.
https://d3fend.mitre.org
MIT License

Deeper OCSF Integration: Digital Events #309

Open netfl0 opened 2 weeks ago

netfl0 commented 2 weeks ago

The goal is to create the necessary ontology classes to cover and model OCSF "Events". OCSF refers to some events as activity. We're also working with other stakeholders to disambiguate the ontological specifications versus cybersecurity engineering nomenclature.

We currently have a placeholder d3f:DigitalEvent taxonomy. This will be redesigned as part of this work.

Our approach will separate the execution chain from the abstract event in question. Whether someone can observe an event is independent from its realization. There are a number of challenges:

Since we are dealing with abstract events, from a modeling perspective, the event under consideration will be biased towards an observer's perspective. E.g.:

Consider a d3f:WriteFile system call invocation. A "Write File System Call Invocation Event" has occurred, but a more abstract effect is that a "File Creation Event" has also occurred. Each of these events may be observed in numerous ways, with numerous "sensing", "hooking", "monitoring", or "inferential" technologies. Furthermore, there is a relation between the system call event and the file creation event, which we intend to model as succinctly as possible.

There is a risk in both over- and under-modeling this situation. We welcome discussion on this as we develop a first-cut attempt for the next D3FEND release.

TODOs

netfl0 commented 23 hours ago

This is a very early WIP and it needs a lot more work.

A key goal for this is to semantically unify Win, Linux, BSD, etc. events, but also allow for OS-specific classes, the same way we did for OS API Functions.

@tsale, I was not clear if some of your events were Windows-specific. Scheduled Task, for example, at least sounds Windows-biased (which is not necessarily a problem), but do you intend this to also cover things like crond jobs on Linux?

I have the same question regarding OCSF, @pagbabian-splunk; for example, the Scheduled Job seems vendor-agnostic, but I just wanted to check.
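A Turtle sketch of the two-layer design described in the first comment (concrete execution-chain event vs. abstract event, with observation kept orthogonal to realization) and of the OS-agnostic/OS-specific split raised in the second comment, added here as an illustration; it is not code from the issue or from the D3FEND ontology itself. The ex: namespace and every ex: class, property and individual in it (ex:realizes, ex:observedBy, ex:Sensor, the scheduled-job classes, the numbered event individuals) are hypothetical names chosen for the sketch; only d3f:DigitalEvent and d3f:WriteFile are taken from the comments.

```turtle
@prefix d3f:  <http://d3fend.mitre.org/ontologies/d3fend.owl#> .
@prefix ex:   <http://example.org/d3fend-event-sketch#> .
@prefix owl:  <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .

# NOTE: everything in the ex: namespace is a hypothetical name for this sketch.
# Only d3f:DigitalEvent and d3f:WriteFile are taken from the issue text.

### 1. Abstract event layer: what happened, independent of how it ran or who saw it
ex:FileCreationEvent a owl:Class ;
    rdfs:subClassOf d3f:DigitalEvent ;
    rdfs:label "File Creation Event" .

ex:ScheduledJobCreationEvent a owl:Class ;
    rdfs:subClassOf d3f:DigitalEvent ;
    rdfs:label "Scheduled Job Creation Event" .

### 2. Execution-chain layer: the concrete mechanism that realized the abstract event
ex:SystemCallInvocationEvent a owl:Class ;
    rdfs:subClassOf d3f:DigitalEvent .

ex:WriteFileSystemCallInvocationEvent a owl:Class ;
    rdfs:subClassOf ex:SystemCallInvocationEvent ;
    rdfs:label "Write File System Call Invocation Event" ;
    # each such event is an invocation of the d3f:WriteFile system call
    rdfs:subClassOf [ a owl:Restriction ;
                      owl:onProperty ex:invokes ;
                      owl:someValuesFrom d3f:WriteFile ] .

# OS-specific subclasses of one OS-agnostic abstract event (second comment)
ex:WindowsScheduledTaskCreationEvent a owl:Class ;
    rdfs:subClassOf ex:ScheduledJobCreationEvent .
ex:CrondJobCreationEvent a owl:Class ;
    rdfs:subClassOf ex:ScheduledJobCreationEvent .

### 3. Relation between the concrete event and the abstract event
ex:realizes a owl:ObjectProperty ;
    rdfs:label "realizes" ;
    rdfs:comment "A concrete execution-chain event brings about an abstract event." ;
    rdfs:domain d3f:DigitalEvent ;
    rdfs:range  d3f:DigitalEvent .

ex:invokes a owl:ObjectProperty ;
    rdfs:domain ex:SystemCallInvocationEvent .

### 4. Observation layer: orthogonal to realization
ex:Sensor a owl:Class .
ex:SystemCallHook    a owl:Class ; rdfs:subClassOf ex:Sensor .
ex:FileSystemMonitor a owl:Class ; rdfs:subClassOf ex:Sensor .
ex:InferentialSensor a owl:Class ; rdfs:subClassOf ex:Sensor .

# No minimum cardinality: an event exists whether or not anything observed it.
ex:observedBy a owl:ObjectProperty ;
    rdfs:domain d3f:DigitalEvent ;
    rdfs:range  ex:Sensor .

### 5. Constructed individuals: one write that created a file, seen at both layers
ex:syscall-1 a ex:WriteFileSystemCallInvocationEvent ;
    ex:realizes   ex:filecreate-1 ;
    ex:observedBy ex:hook-1 .          # seen at the system call layer
ex:filecreate-1 a ex:FileCreationEvent ;
    ex:observedBy ex:fsmon-1 .         # independently seen at the file layer
ex:hook-1  a ex:SystemCallHook .
ex:fsmon-1 a ex:FileSystemMonitor .

# A second write that nothing observed: it still realized a file creation.
ex:syscall-2 a ex:WriteFileSystemCallInvocationEvent ;
    ex:realizes ex:filecreate-2 .
ex:filecreate-2 a ex:FileCreationEvent .
```

ex:realizes is asserted on individuals rather than as a class-level restriction on ex:WriteFileSystemCallInvocationEvent on purpose: an `owl:someValuesFrom ex:FileCreationEvent` restriction would state that every write system call creates a file, which a write to an existing file does not, and that is the over-modeling risk the first comment warns about. Because ex:observedBy carries no minimum cardinality, ex:syscall-2 and ex:filecreate-2 are well-formed events with zero observers, which is the separation of realization from observability the first comment asks for; the scheduled-job classes show the OS-agnostic parent with OS-specific children that the second comment describes.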