Closed cyberinvestigationexpress closed 2 years ago
This issue resolves part of UCO CP-44
We agreed on the OC call this morning to add the requirement that Event change to EventRecord, and correspondingly EventFacet would become EventRecordFacet. While a backwards-incompatible change, we'd wanted to do this for a while, but needed a good name.
Apologies, a retraction - while we like the name, we will provide the class and facet name change as a separate proposal.
Considering that we will be changing Event to EventRecord and EventFacet to EventRecordFacet, I would suggest that the two new properties should be aligned to that change and be eventRecordRaw and eventRecordServiceName.
@sbarnum - Agreed, for this in-flight proposal.
The Solutions Approval vote for today incorporates the name change.
Background
The EventFacet requires several additional properties to capture common context in event records on digital devices.
Requirements
Requirement 1
Represent the service that generated the event by adding an observable:eventServiceName property. A single application can have multiple services generating event records.
Requirement 2
Add an observable:eventRaw property to capture the complete raw event record, potentially including data not represented by EventFacet.
The following example represents a Windows Event that the Event log service started, which is typically associated with the operating system starting after a computer is turned on.
Risk / Benefit analysis
Benefits
Risks
The submitter is unaware of risks associated with this change.
Competencies demonstrated
Competency 1
Within an application, differentiating the service associated with an event record. The service name can give a strong indication of the type of event or information that is being reported, which can help filter or prioritize.
Competency Question 1.1
What is the service name reported in the event record?
Result 1.1
For Windows Events, the service name Microsoft-Windows-Security-Auditing or TerminalServices-RemoteConnectionManager could be associated with a record.
Competency 2
The raw event record can contain details that provide context or useful information related to an event, but that are not captured in other properties. In addition, raw event records can be processed by other tools or methods without loss of information.
Competency Question 2.1
What is the raw event record?
Result 2.1
The full event record.
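As an added example (not part of this proposal and not UCO's own code), the following Python builds EventRecord objects carrying the two proposed properties from constructed Windows event XML, filters records by service name (Competency 1), and recovers a detail from the raw record that the facet itself does not represent (Competency 2). The property names use the eventRecordRaw / eventRecordServiceName spelling agreed in the discussion; the @context IRIs, the core:hasFacet linkage, the kb: identifiers, the event IDs and every EventData value are assumptions or constructed sample data, not captured from a real host.

```python
import json
import xml.etree.ElementTree as ET

# Namespace used by Windows Event Log XML exports.
WIN_EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed JSON-LD context for the UCO prefixes used below (kb: is a local
# knowledge-base namespace chosen for this example).
CONTEXT = {
    "core": "https://ontology.unifiedcyberontology.org/uco/core/",
    "observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
    "kb": "http://example.org/kb/",
}

# Constructed sample records: the full XML form of three Windows events, as a
# collection tool would export them. Values are illustrative only.
SAMPLE_RECORDS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Computer>ws01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="TerminalServices-RemoteConnectionManager"/>
    <EventID>1149</EventID>
    <Computer>ws01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="Param1">alice</Data>
    <Data Name="Param3">203.0.113.5</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Constructed-Service"/>
    <EventID>1</EventID>
    <Computer>ws01.example.test</Computer>
  </System>
</Event>""",
]


def event_record_from_xml(raw_xml: str, record_id: str) -> dict:
    """Build an EventRecord object whose EventRecordFacet carries the two proposed
    properties. The Provider Name is taken as the service name; the untouched XML
    is stored as the raw record so that nothing is lost for later processing."""
    root = ET.fromstring(raw_xml)
    provider = root.find("e:System/e:Provider", WIN_EVENT_NS)
    service = provider.get("Name") if provider is not None else None
    return {
        "@id": f"kb:event-record-{record_id}",
        "@type": "observable:EventRecord",
        "core:hasFacet": [
            {
                "@type": "observable:EventRecordFacet",
                "observable:eventRecordServiceName": service,
                "observable:eventRecordRaw": raw_xml,
            }
        ],
    }


def facet_of(record: dict) -> dict:
    """Return the EventRecordFacet attached to an EventRecord (assumed single facet)."""
    return record["core:hasFacet"][0]


def service_name(record: dict):
    return facet_of(record).get("observable:eventRecordServiceName")


def filter_by_service(records: list, services) -> list:
    """Competency 1: keep only records reported by the named services, which is
    how an analyst would prioritise, for example, security-auditing events."""
    wanted = set(services)
    return [r for r in records if service_name(r) in wanted]


def detail_from_raw(record: dict, data_name: str):
    """Competency 2: recover an EventData value from the raw record. The facet does
    not carry it, which is exactly why the complete raw record is retained."""
    root = ET.fromstring(facet_of(record)["observable:eventRecordRaw"])
    for data in root.findall("e:EventData/e:Data", WIN_EVENT_NS):
        if data.get("Name") == data_name:
            return data.text
    return None


def build_graph(raw_records: list) -> dict:
    """Wrap the records in a JSON-LD document with the assumed context."""
    graph = [event_record_from_xml(x, str(i)) for i, x in enumerate(raw_records)]
    return {"@context": CONTEXT, "@graph": graph}


if __name__ == "__main__":
    doc = build_graph(SAMPLE_RECORDS)
    audits = filter_by_service(doc["@graph"], ["Microsoft-Windows-Security-Auditing"])
    print(len(audits), "security-auditing record(s)")
    print("TargetUserName from raw:", detail_from_raw(audits[0], "TargetUserName"))
    print(json.dumps(doc, indent=2)[:400])
```

The raw record is stored verbatim as a string so that a JSON serialisation round trip returns it byte-for-byte; any tool that understands the original export format can then re-parse it without depending on which fields the facet happened to model.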
Solution suggestion
Coordination
develop