Data Dictionaries
Introduction
Guidelines
Contributing Guide
Authoring Guide
Notebooks
Correlating Windows Security Auditing
linux dictionaries
sysmon events
Event ID 1: Process creation
Event ID 11: FileCreate
Event ID 16: Sysmon config state changed
Event ID 23: FileDelete (A file delete was detected)
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 9: RawAccessRead
Common Data Model
Introduction
Guidelines
Entity Structure
Table Structure
Data Types
Domain vs Host Name vs FQDN Implementation
Source or Destination or Target
Entities
alert
any
certificate
cloud
destination
destination_nat
device
dns
etl
event
file
geo
group
hash
http
ip
kerberos
logon
mac
meta
module
network
pipe
port
process
registry
rule
source
source_nat
target
threat
tls
url
user
user_agent
Tables
network_session
Detection Model
Introduction
Relationships to Events
MITRE ATT&CK
ATT&CK Techniques to Security Events
ATT&CK DS Event Mappings
Introduction