
Deeper OCSF Integration: Digital Events #309

Closed
2 tasks
netfl0 opened this issue Oct 15, 2024 · 4 comments · Fixed by #326

Comments

@netfl0
Contributor

netfl0 commented Oct 15, 2024

The goal is to create the necessary ontology classes to cover and model OCSF "Events". OCSF refers to some events as activity. We're also working with other stakeholders to disambiguate the ontological specifications versus cybersecurity engineering nomenclature.

We currently have a placeholder d3f:DigitalEvent taxonomy. This will be redesigned as part of this work.

Our approach will separate the execution chain from the abstract event in question. Whether someone can observe an event is independent from its realization. There are a number of challenges:

Since we are dealing with abstract events, from a modeling perspective, the event under consideration will be biased towards an observer's perspective. E.g.:

Consider a d3f:WriteFile system call invocation. A "Write File System Call Invocation Event" has occurred, but a more abstract effect is that a "File Creation Event" has also occurred. Each of these events may be observed in numerous ways, with numerous "sensing", "hooking", "monitoring", or "inferential" technologies. Furthermore, there is a relation between the system call event and the file creation event; we intend to model that as succinctly as possible.

There is a risk in both over- and under-modeling this situation. We welcome discussion on this as we develop a first-cut attempt for the next D3FEND release.

TODOs

  • Determine how to link to OCSF Event "Type ID"
  • Synchronize w/ EDR Telemetry taxonomy. Determine link structure for EDRT references. @tsale
@netfl0 netfl0 added this to the 1.0.0 milestone Oct 15, 2024
@netfl0 netfl0 self-assigned this Oct 15, 2024
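One way the class split described in the comment above could be sketched in Turtle. This is an added illustration, not D3FEND's own ontology: only d3f:DigitalEvent and d3f:WriteFile come from the issue; every other class and property name is hypothetical, and the OCSF type_uid value is an assumption (File System Activity, activity Create).

```turtle
@prefix d3f:  <http://d3fend.mitre.org/ontologies/d3fend.owl#> .
@prefix owl:  <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

# Placeholder root named in the issue; everything below it is a hypothetical refinement.
d3f:DigitalEvent a owl:Class ;
    rdfs:label "Digital Event" .

# Two sibling branches: concrete execution-chain events vs. abstract effects.
d3f:SystemCallInvocationEvent a owl:Class ;
    rdfs:subClassOf d3f:DigitalEvent .
d3f:FileEvent a owl:Class ;
    rdfs:subClassOf d3f:DigitalEvent .

# The concrete event is anchored on the existing d3f:WriteFile API function.
d3f:WriteFileSystemCallInvocationEvent a owl:Class ;
    rdfs:subClassOf d3f:SystemCallInvocationEvent ;
    rdfs:subClassOf [ a owl:Restriction ;
        owl:onProperty d3f:invokes ;          # assumed property name
        owl:someValuesFrom d3f:WriteFile ] .

# The abstract, OS-agnostic effect; carries the OCSF link from the TODO list.
d3f:ocsfTypeUid a owl:AnnotationProperty .    # hypothetical annotation property
d3f:FileCreationEvent a owl:Class ;
    rdfs:subClassOf d3f:FileEvent ;
    d3f:ocsfTypeUid "100101"^^xsd:integer .   # assumed: class_uid 1001 * 100 + activity_id 1

# Relation between the two, kept to a single property with a class-level restriction.
d3f:mayProduce a owl:ObjectProperty ;         # hypothetical
    rdfs:domain d3f:SystemCallInvocationEvent ;
    rdfs:range  d3f:FileEvent .
d3f:WriteFileSystemCallInvocationEvent
    rdfs:subClassOf [ a owl:Restriction ;
        owl:onProperty d3f:mayProduce ;
        owl:someValuesFrom d3f:FileCreationEvent ] .

# Observation is modeled apart from realization: a sensing, hooking, monitoring or
# inferential technique observes an event class; the event does not depend on it.
d3f:observes a owl:ObjectProperty ;           # hypothetical
    rdfs:range d3f:DigitalEvent .
```

OS-specific subclasses (a Windows or Linux write-file invocation event) would hang under d3f:WriteFileSystemCallInvocationEvent while sharing the single abstract d3f:FileCreationEvent, which is the unification the later comment asks for.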
@netfl0
Contributor Author

netfl0 commented Oct 31, 2024

This is a very early WIP and it needs a lot more work.

A key goal for this is to semantically unify Win, Linux, BSD, etc. events, but also allow for OS-specific classes, the same way we did for OS API Functions.

@tsale, I was not clear if some of your events were Windows-specific. Scheduled Task, for example, at least sounds Windows-biased (which is not necessarily a problem), but do you intend this to also cover things like crond jobs on Linux?

I have the same question regarding OCSF @pagbabian-splunk, for example the Scheduled Job seems vendor agnostic, but I just wanted to check.

@netfl0
Contributor Author

netfl0 commented Nov 13, 2024

@aamedina plz give this a whack and crisp it up!

@aamedina
Collaborator

@netfl0 what version of OCSF are we targeting for D3FEND 1.0? 1.3.0?

@netfl0
Contributor Author

netfl0 commented Nov 14, 2024

@netfl0 what version of OCSF are we targeting for D3FEND 1.0? 1.3.0?

Always their leading edge for now.
