ucoProject / UCO

This repository is for development of the Unified Cyber Ontology.
Apache License 2.0

Add service name and raw properties to EventFacet #401

Closed cyberinvestigationexpress closed 2 years ago

cyberinvestigationexpress commented 2 years ago

Background

The EventFacet requires several additional properties to capture common context in event records on digital devices.

Requirements

Requirement 1

Represent the service that generated the event by adding an observable:eventServiceName property. A single application can have multiple services generating event records.

Requirement 2

Add a observable:eventRaw property to capture the complete raw event record, potentially including data not represented by EventFacet.

The following example represents a Windows Event that the Event log service started, which is typically associated with the operating system starting after a computer is turned on.

    {
      "@id": "B771CB82-45CF-4E4C-9D3A-CB451FBFB3F4",
      "@type": "uco-observable:ObservableObject",
      "uco-core:hasFacet": [
        {
          "@type": "uco-observable:EventFacet",
          "uco-core:startTime": {
            "@type": "xsd:dateTime",
            "@value": "2021-03-16T17:05:04.00Z"
          },
          "uco-drafting:device": "kb:windows-system-4AE1305F-C5A1-4F89-B729-655016277071",
          "uco-observable:eventID": "6005",
          "uco-observable:eventType": "Information",
          "uco-drafting:eventRaw": "The Event log service was started.",
          "uco-drafting:eventServiceName": "EventLog"
        }
      ]
    }

Risk / Benefit analysis

Benefits

Risks

The submitter is unaware of risks associated with this change.

Competencies demonstrated

Competency 1

Within an application, differentiating the service associated with an event record. The service name can give a strong indication of the type of event or information that is being reported, which can help filter or prioritize.

Competency Question 1.1

What is the service name reported in the event record?

Result 1.1

For Windows Events, the service name Microsoft-Windows-Security-Auditing could be associated with a record, or the TerminalServices-RemoteConnectionManager.

Competency 2

The raw event record can contain details that provide context or useful information related to an event, but that are not captured in other properties. In addition, raw event records can be processed by other tools or methods without loss of information.

Competency Question 2.1

What is the raw event record?

Result 2.1

The full event record.

Solution suggestion

Coordination

cyberinvestigationexpress commented 2 years ago

This issue resolves part of UCO CP-44

ajnelson-nist commented 2 years ago

We agreed on the OC call this morning to add the requirement that Event change to EventRecord, and correspondingly EventFacet would become EventRecordFacet. While a backwards-incompatible change, we'd wanted to do this for a while, but needed a good name.

ajnelson-nist commented 2 years ago

Apologies, a retraction - while we like the name, we will provide the class and facet name change as a separate proposal.

sbarnum commented 2 years ago

Considering that we will be changing Event to EventRecord and EventFacet to EventRecordFacet, I would suggest that the two new properties should be aligned to that change and be eventRecordRaw and eventRecordServiceName.

ajnelson-nist commented 2 years ago

@sbarnum - Agreed, for this in-flight proposal.

ajnelson-nist commented 2 years ago

The Solutions Approval vote for today incorporates the name change.
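Worked example, added here and not part of the issue or of the UCO project's own code: a Python function that maps a constructed Windows event XML record onto the facet described in the proposal, using the eventRecordServiceName and eventRecordRaw names agreed later in the thread. The uco-drafting prefix, the EventRecordFacet type and the property names are assumptions taken from this thread, not from a released UCO version; the device and record identifiers are placeholders.

```python
import json
import xml.etree.ElementTree as ET

# Windows Event Log XML namespace; the sample record below is constructed.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Windows "Level" codes mapped to the textual eventType used in the issue's example.
LEVEL_NAMES = {"1": "Critical", "2": "Error", "3": "Warning", "4": "Information"}

# Constructed sample: the same 6005 "Event log service was started" record as
# exported in Windows event XML, including EventData the facet has no property for.
SAMPLE_EVENT_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="EventLog"/><EventID>6005</EventID><Level>4</Level>'
    '<TimeCreated SystemTime="2021-03-16T17:05:04.000Z"/></System>'
    '<EventData><Data>The Event log service was started.</Data></EventData>'
    '</Event>'
)


def event_record_facet(raw_xml: str, device_iri: str) -> dict:
    """Map one Windows event XML record onto the proposed facet (names assumed)."""
    system = ET.fromstring(raw_xml).find("e:System", NS)
    return {
        "@type": "uco-observable:EventRecordFacet",
        "uco-core:startTime": {
            "@type": "xsd:dateTime",
            "@value": system.find("e:TimeCreated", NS).get("SystemTime"),
        },
        "uco-drafting:device": device_iri,
        "uco-observable:eventID": system.findtext("e:EventID", namespaces=NS),
        "uco-observable:eventType": LEVEL_NAMES.get(
            system.findtext("e:Level", namespaces=NS), "Unknown"),
        # Provider Name is the service that generated the record (Requirement 1).
        "uco-drafting:eventRecordServiceName": system.find("e:Provider", NS).get("Name"),
        # The complete record, kept verbatim so EventData and anything else the
        # facet does not model is not lost (Requirement 2).
        "uco-drafting:eventRecordRaw": raw_xml,
    }


def observable_object(record_id: str, facet: dict) -> str:
    """Wrap the facet in an ObservableObject and serialise it as JSON-LD text."""
    obj = {"@id": record_id, "@type": "uco-observable:ObservableObject",
           "uco-core:hasFacet": [facet]}
    return json.dumps(obj, indent=2)


if __name__ == "__main__":
    facet = event_record_facet(SAMPLE_EVENT_XML, "kb:windows-system-PLACEHOLDER")
    print(observable_object("kb:event-record-PLACEHOLDER", facet))
```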