Source or Destination or Target¶

Several events that the OSSEM CDM project describes have a sense of direction. Usually in a network connection, this sense of direction is represented by source and destination to describe the origin of the connection and where the network packets are sent to. This concept of direction is not only represented in a network connection, but also other events such as creation of a process where an entity interacts with another entity. Therefore, the OSEEM project is also using the concept of target instead of destination when describing an interaction between entities that are not part of a network connection.

Source and Destination Example¶

When the metadata of the event describes a network connection and the same entity type is used:

source.ip -> connected_to -> destination.ip
source.host -> connected_to -> destination.host

Source and Target Example¶

When the metadata of the event does not describe a network connection and the same entity type is used:

source.process -> created -> target.process
source.process -> accessed -> target.process

The use of Aliases¶

When the metadata of the event does not use the same entity type, we can use aliases for both entities and query them without source, destination and target annotations. This also works when the event provides metadata of only one entity which could be the source, destination or target.

Before¶

source.process

source.process -> created -> target.file
source.host -> connected_to -> target.ip

After¶

process

process -> created -> file
host -> connected_to -> ip

Source or Destination or Target

Contents