Comments (3)
I think the OSSEM CIM pretty much does the same thing as ECS, and then for mapping specific data sources/logs to the overall schema, OSSEM Data Dictionaries are similar to Elastic Beats Modules and their corresponding ingest pipelines, e.g. the Zeek module for Filebeat. I do think the OSSEM Detection Data Model and ATTACK Data Sources efforts make this project more distinct and provide value to security practitioners/detection engineers - this is probably the more "granular" aspect that @neu5ron mentioned previously.
Also, this may be better in a new issue/question, but any thoughts on pitching/requesting the OSSEM CIM to be the go-to schema for Sigma fields used to write detection rules? The Sigma project sort of has a taxonomy, but it's not as developed as OSSEM, and it would be great to be able to simply write all Sigma detection rules using a generic vendor-agnostic schema like OSSEM. In such a case, I would be able to write a single Sigma Converter config file, mapping OSSEM-defined Sigma fields to my chosen backends - in my case, ECS-based fields for Elasticsearch/ElastAlert-related backends.
from ossem.
First I want to preface that my comments/views are not speaking for @Cyb3rWard0g, but I wanted to provide some insight I have seen.
Thoughts on ECS
It is a great idea and a big step for the community. A schema for disparate/different datasets is something that is very important regardless of SIEM/database technology. Not only are they creating a schema, they are actually writing many of the parsers and things in order to bring it to life for people without having to perform the manual tasks of parsing / ETL modifications.
However, ECS is pretty young and missing a few things at the moment - but seems the things are already on the radar/road-map.
Thoughts on ECS & OSSEM
I don't think there is competition/overlap. The best way I can try to explain it is that OSSEM is more granular. It's so specific that it gets down to the EventID of a Windows log, but not even just that... It is built based on a deep understanding of the specific log and each individual field and value, how it applies from a threat hunting / data analysis perspective, and has multiple inputs/recommendations from people.
Additionally, even though OSSEM is very granular, it still has the flexibility to support "broader" schemas like ECS. This is because the logs are mapped with the whole OSSEM schema in mind to provide common fields where appropriate. Also, Elasticsearch has field alias types; this leaves the possibility for people to use OSSEM yet add compatibility for ECS... or vice versa... people using ECS to add compatibility for OSSEM.
Finally, it's a little-known secret - IPs and the Zeek network community ID and a few other things were introduced into HELK as ECS aliases... However, it didn't change any core HELK functionality or, more importantly, the greatness of OSSEM. I mention this because I think this shows OSSEM & ECS in "harmony" in a live implementation/project.
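As an added example tying together the two points raised above (the single Sigma converter config mapping OSSEM-defined fields to ECS backends in the first comment, and the Elasticsearch field-alias compatibility trick in the second), the following script is not code from OSSEM, Elastic or the Sigma project. One OSSEM-to-ECS field map drives both an Elasticsearch index mapping (documents indexed under OSSEM names, with an `alias` field for each ECS name) and the translation of a Sigma-style selection into a Lucene query over ECS names. The field names, the types and the sample rule are constructed for illustration and are not taken from the official OSSEM CIM or ECS definitions.

```python
"""Added example, not code from OSSEM, Elastic or the Sigma project.

One OSSEM-to-ECS field map is used two ways:
  1. to build an Elasticsearch index mapping in which documents are indexed
     with OSSEM names and each ECS name is an `alias` field pointing at them,
     so queries written in either schema hit the same indexed values;
  2. to translate a Sigma-style selection written with OSSEM field names into
     a Lucene query over ECS names, which is what a converter config does.
All field names and sample rule values are constructed for illustration and
are not taken from the official OSSEM or ECS definitions.
"""
import json

# Assumed OSSEM-style names (left) and the ECS names they correspond to (right).
# OSSEM top-level names must not collide with an ECS object prefix ("process").
OSSEM_TO_ECS = {
    "event_id": "event.code",
    "src_ip": "source.ip",
    "dst_ip": "destination.ip",
    "dst_port": "destination.port",
    "process_name": "process.name",
    "process_command_line": "process.command_line",
}

# Characters Lucene query syntax treats specially. Sigma's own wildcards
# (* and ?) are deliberately left unescaped so they keep their meaning.
_LUCENE_SPECIAL = set('+-!(){}[]^"~:\\/ &|')


def lucene_escape(value):
    """Backslash-escape a Sigma value for use as an unquoted Lucene term."""
    return "".join("\\" + c if c in _LUCENE_SPECIAL else c for c in str(value))


def _put_nested(props, dotted_name, definition):
    """Place a dotted ECS name into an ES 'properties' tree, e.g. source.ip
    becomes {"source": {"properties": {"ip": definition}}}."""
    parts = dotted_name.split(".")
    node = props
    for part in parts[:-1]:
        node = node.setdefault(part, {"properties": {}})["properties"]
    node[parts[-1]] = definition


def ecs_alias_mapping(field_map, ossem_types=None):
    """Index mapping with concrete OSSEM fields plus an ECS alias for each.
    ossem_types gives the ES type per OSSEM field; unknown fields default to keyword."""
    ossem_types = ossem_types or {}
    props = {}
    for ossem, ecs in field_map.items():
        props[ossem] = {"type": ossem_types.get(ossem, "keyword")}
        _put_nested(props, ecs, {"type": "alias", "path": ossem})
    return {"mappings": {"properties": props}}


# Sigma value modifiers handled here, as Lucene wildcard patterns.
_MODIFIERS = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}


def sigma_selection_to_lucene(selection, field_map):
    """Translate a Sigma selection (AND across fields, OR within a value list,
    optional field|modifier) into Lucene over backend field names.
    An unmapped field raises instead of passing through unchanged: a rule that
    references a field the backend never populates can never match."""
    clauses = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        if modifier not in _MODIFIERS:
            raise ValueError(f"unsupported Sigma modifier {modifier!r}")
        if field not in field_map:
            raise KeyError(f"no backend mapping for Sigma field {field!r}")
        values = value if isinstance(value, list) else [value]
        terms = [_MODIFIERS[modifier].format(lucene_escape(v)) for v in values]
        if len(terms) == 1:
            clauses.append(f"{field_map[field]}:{terms[0]}")
        else:
            clauses.append(f"{field_map[field]}:({' OR '.join(terms)})")
    return " AND ".join(clauses)


# Constructed Sigma-style selection using the assumed OSSEM field names.
SAMPLE_SELECTION = {
    "event_id": 1,
    "process_name|endswith": "\\powershell.exe",
    "process_command_line|contains": ["-enc", "-EncodedCommand"],
}

if __name__ == "__main__":
    types = {"src_ip": "ip", "dst_ip": "ip", "dst_port": "integer"}
    print(json.dumps(ecs_alias_mapping(OSSEM_TO_ECS, types), indent=2))
    print(sigma_selection_to_lucene(SAMPLE_SELECTION, OSSEM_TO_ECS))
```

Pointing the converter at ECS names while the index keeps OSSEM names (or the reverse) works because the alias resolves at query time to the concrete field; the caveat is that an alias must target an existing concrete field of the same index, and a field that exists only in the rule taxonomy but is never populated by the parser is silently dead, which is why the translator refuses unmapped fields rather than emitting them verbatim.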
I agree with @neu5ron!!! What are your thoughts @wesleyraptor on ECS and what do you think when you go over OSSEM's repo? I would like to know what you find important or useful for your research. I also would like to say that OSSEM is not tied to any specific commercial tool, so it is flexible enough to provide suggestions that would fit any use cases. I like the integration with ECS per @neu5ron's comments above.
Related Issues (20)
- Question: Defining Data Models as Ontologies
- Creating a Sub-Repo for Data Dictionaries
- Validating content within OSSEM sub-repos
- Picking initial entities for reviewing OSSEM Ontology
- Sysmon data dictionaries compliant with entities
- a few new fields for models and an entity
- Typographical Error
- Issue on page /cdm/entities/device.html
- Update OSSEM CDM source, destination or target guideline
- `event_category_type` is duplicated (?)
- Remove column 'field name' from CIM
- Windows Security logs, Computer Account Management auditing fields mismatch between events
- CDM vs data dictionaries - what's the "source of truth" in cases of mismatch?
- Windows Security logs, fields mismatch for Object Access
- Issue on page /cdm/entities/destination_nat.html
- Entities for scheduled tasks and services?
- Extending data dictionaries?
- Data dictionaries for the cowrie honeypot
- WMI fields mismatch between sysmon events and built in wmi events
- Updated sysmon parser script to fix issue reported on Sentinel Github