OSSEM
Open Source Security Events Metadata (OSSEM)
I am not sure if this is a mistake, or how it should be interpreted, but `event_category_type` can be found twice in the event attributes: | Name | Type |...
There should be a unique device id field, DVC_UUID or something along those lines. AWS servers would be "Instance ID" for example.
Just tracking and so I don't forget:
- network payload/pcap
- email entity
- geo. include longitude, latitude, location, rack unit, etc
- organization. name and uid
Hey Nate (@Spydernaz), any entity or concept that you are currently working on that we can use as our initial example to review OSSEM ontology?
There is an extension mechanism for entities, in order not to duplicate field definitions. It would be good to have such a mechanism for data dictionaries as well. For example,...
There are no entities defined in the CDM for scheduled tasks or services as far as I can see. While scheduled tasks is a Windows name, they are generic concepts,...
Hi Team, why are some fields missing in the yml files? For example, consider the "destination_nat" entity. Here you can find multiple fields: https://ossemproject.com/cdm/entities/destination_nat.html However, in the yml file, I just...
Hello, in some Windows Security logs concerning Object Access, the field (e.g. 4656) AccessList is [translated](https://github.com/OTRF/OSSEM/blob/master/source/data_dictionaries/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4656_v1.yml#L70) into `user_privilege_list`, while for [others](https://github.com/OTRF/OSSEM/blob/master/source/data_dictionaries/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4691.yml#L46) it is `object_access_list`. Which one is right? PS:...
In the Data Dictionary of Windows Security Event 4741, the [field](https://github.com/OTRF/OSSEM/blob/master/source/data_dictionaries/windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4741.yml#L190) `UserParameters` is translated into `target_host_user_paremeters` (with a typo), and UserAccountControl into `target_host_user_account_control`. For Event 4742, the corresponding fields are...