.md .pdf

repository open issue suggest edit

Contents

OSSEM

The Open Source Security Events Metadata (OSSEM) is a community-led project that focuses primarily on the documentation and standardization of security event logs from diverse data sources and operating systems. Security events are documented in a dictionary format and can be used as a reference while mapping data sources to data analytics used to validate the detection of adversarial techniques. In addition, the project provides a common data model (CDM) that can be used for data engineers during data normalization procedures to allow security analysts to query and analyze data across diverse data sources. Finally, the project also provides documentation about the structure and relationships identified in specific data sources to facilitate the development of data analytics.

Goals

• Define and share a common data model in order to improve the data standardization and transformation of security event logs

• Define and share data structures and relationships identified in security events logs

• Provide detailed information in a dictionary format about several security event logs to the community

• Learn more about security event logs (Windows, Linux, MacOS, Azure, AWS, etc)

• Have fun and think more about the data structure in your SIEM when it comes down to detection!!

Project Structure

There are three main folders:

• Common Data Model (CDM):

  • Facilitates the normalization of data sets by providing a standard way to parse security event logs.

  • It is organized by specific schema entities identified in several data sources.

  • The definitions of each schema entity and its respective attributes (field names) are mostly general descriptions that could help and expedite event logs parsing procedures.

  • Besides data schema entities, it provides the concept of schema tables to aggregate common entities that can be used to parse several data sources with similar context. For example, the HTTP,Port and User Agent entities can be used to normalize data providing context about the network traffic metadata captured in a network environment.

• Data Dictionaries (DD):

  • Contains specific information about several security event logs organized by operating system and their respective data providers

  • Each dictionary describes a single event log and its corresponding event field names

  • It provides the foundational concepts to create a data wiki in an organization.

• Detection Data Model (DDM):

  • Focuses on defining the required data in form of data objects and relationships among each other needed to facilitate the creation of data analytics and validate the detection of adversary techniques

  • Developed initially to extend the definitions of ATT&CK Data Sources.

    • MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data

    • MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate Your Data Analytics!

  • Initial work in this project has been migrated to ATT&CK and improved by @Cyb3rPandah

    • Defining ATT&CK Data Sources, Part I: Enhancing the Current State

    • We are currently extending the model to map security events to the relationships identified in ATT&CK.

Author

• Roberto Rodriguez @Cyb3rWard0g

Current Committers

• Jose Luis Rodriguez @Cyb3rPandaH

• Nate Guagenti @neu5ron

• Ricardo Dias @hxnoyd

Projects Using OSSEM

• HELK

• Azure Sentinel Normalization

Resources

• Ready to hunt? First, Show me your data!

• What’s new in Windows 10, versions 1507 and 1511

• Download Security Audit Events for Windows (Spreadsheet)

• Advanced Security Audit Policy Settings

• Monitoring Active Directory for Signs of Compromise

• Audit Policy Recommendations

• Use Windows Event Forwarding to help with intrusion detection

• Minimum recommended minimum audit policy

• Windows ITPro Docs - Threat Protection

next

Introduction