Merge pull request #160 from InfiniteInsight/master
Create missing car/docs/data_model/http.md file
alexiacrumpton authored Nov 22, 2022
2 parents 21a1861 + c16920e commit d2824f1
Showing 4 changed files with 49 additions and 4 deletions.
2 changes: 1 addition & 1 deletion docs/data_model/file.md
Expand Up @@ -51,7 +51,7 @@ A resource for storing information available to a computer program.

| | **company** | **content** | **creation_time** | **file_extension** | **file_gid** | **file_group** | **file_name** | **file_path** | **file_uid** | **file_user** | **fqdn** | **hostname** | **image_path** | **link_target** | **md5_hash** | **mime_type** | **mode** | **pid** | **ppid** | **previous_creation_time** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **uid** | **user** |
| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| **create** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | |
| **create** | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | |
| **delete** | | | | | | | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | |
| **modify** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | [Autoruns](../sensors/autoruns_13.98) | | | | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | |
| **read** | | | | | | | | | | | | | | | | | | | | | | | | | |
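Review bot: `</br>` in the replaced cells is still not a valid HTML line break; the element is void and has no closing form, so use `<br>` (or `<br/>`) in the **company**, **creation_time**, **fqdn** and other double-sensor cells of the **create** row. Browsers and GitHub's renderer happen to treat `</br>` as a break, but other Markdown-to-HTML pipelines (and a strict HTML validator) will not, and the same cleanup applies to every other data model page that uses the two-sensor pattern.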
45 changes: 45 additions & 0 deletions docs/data_model/http.md
@@ -0,0 +1,45 @@
---
title: "File"
---

HTTP events represents requests made over the network via the HTTP protocol.

## Actions

|Action|Description|
|---|---|
|get|The event corresponding to an HTTP GET request.
|post|The event corresponding to an HTTP POST request.
|put|The event corresponding to an HTTP PUT request.
|tunnel|The event corresponding to an HTTP TUNNEL request.

## Fields

|Field|Description|Example|
|---|---|---|
|hostname|hostname on which the request was seen.|HOST1
|request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180
|http_version|HTTP version that is specified in the header.|1.1
|request_body_content|Body of the HTTP request; usually specifies the exact content being requested.|varies as content is unique. If referrer is http://cnn.com as in example below, expect the body content to likely be an article from CNN.
|request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com
|requester_ip_address|IP address from which the request was made.|151.101.131.5
|response_body_types|Integer value corresponding to the total number of bytes in the response.|2910
|response_body_content|Content of the response (does not include header).|
|response_status_code|HTTP protocol status code in response header|200
|url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview
|url_domain|Domain portion of the URL.|www.mitre.org
|url_remainder|the path after the root domain|/about/corporate-overview
|url_scheme|type of user that initiated the request.|https
|user_agent_full| User agent string associated with the request|HOST1\LOCALUSER1
|user_agent_name|The user agent through which the request was made.|"Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv)</br>AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36"
|user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7)
|user_agent_version|User Agent Version. Note that some User Agent strings may not label versions in the same way.|4.0

## Coverage Map

| | **hostname** | **request_body_bytes** | **http_version** | **request_body_content** | **request_referrer** | **requester_ip_address** | **response_body_types** | **response_body_content** | **response_status_codes** | **url_full** | **url_domain** | **url_remainder** | **url_scheme** | **user_agent_full** | **user_agent_device** | **user_agent_version** |
| --- | --- | ---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| **get** | | | | | | | | | | | | | | | | |
| **post** | | | | | | | | | | | | | | | | |
| **put** | | | | | | | | | | | | | | | | |
| **tunnel** | | | | | | | | | | | | | | | | |
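Review bot: the front matter `title: "File"` is copied from file.md and should read `title: "HTTP"`, and several field rows in the new file carry content from the wrong field. `url_scheme` is described as `type of user that initiated the request` while its example is `https`; `user_agent_full` has the example `HOST1\LOCALUSER1` (a user name) while the full Mozilla/5.0 string sits under `user_agent_name`, so those two examples appear swapped. The field `response_body_types` is described as a byte count and should be `response_body_bytes`, and `response_status_code` in the Fields table appears as `response_status_codes` in the Coverage Map; the Coverage Map also omits `user_agent_name`. Minor: `HTTP events represents` should be `HTTP events represent`, `tunnel` is not a standard HTTP method name (the method is `CONNECT`), `Samgsung` is misspelled, and the `request_body_content` example should be a concrete value rather than the sentence `varies as content is unique...`.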
2 changes: 1 addition & 1 deletion docs/data_model/process.md
Expand Up @@ -38,7 +38,7 @@ A process is a running program on a computer.
|sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`|
|sid|The security identifier or UID of the `user` token that the process is running under.|`S-1-5-18`|
|signer|The company that signed the file.|`True`|
|signature_valid|Boolean indicator of whether signature is current and not revoked.|`FooCorp`|
|signature_valid|Boolean indicator of whether signature is current and not revoked.|`True`|
|target_address|Specific address range which is accessed by another process.|`08048000-0804c000`|
|target_guid|Globally Unique Identifier for the target process (only for process access events).|`{A23EAE89-BD56-5903-0000-0010E9D95EFC}`|
|target_pid|ID of the target process (only for process access events).|`1338`|
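Review bot: the fix is only half of the swap. `signature_valid` now correctly shows `` `True` ``, but the `signer` row directly above still carries `` `True` `` as its example even though its description is "The company that signed the file"; it should take the `` `FooCorp` `` value that this hunk removed from `signature_valid`.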
4 changes: 2 additions & 2 deletions docs/data_model/registry.md
Expand Up @@ -33,8 +33,8 @@ The registry is a system-defined database in which applications and system compo

| | **data** | **fqdn** | **hostname** | **hive** | **key** | **image_path** | **new_content** | **pid** | **type** | **user** | **value** |
|---|---|---|---|---|---|---|---|---|---|---|---|
| **add** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) |
| **add** | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) |
|
**key_edit** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) |
**key_edit** | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)</br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) |
| **remove** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | |
| **value_edit** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| | [Autoruns](../sensors/autoruns_13.98) |
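Review bot: the `< /br>` cleanup is incomplete in the **key_edit** row. After the change, the **hive** cell and the **value** cell of that row still read `[Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13)`, so the stray space survives in two places; as in file.md, the correct replacement is `<br>` rather than `</br>`. The **key_edit** row also lacks the leading `|` that every other row has, which leaves the table's row structure inconsistent.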
