diff --git a/docs/data_model/file.md b/docs/data_model/file.md index 68fcacad..c0593471 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md @@ -51,7 +51,7 @@ A resource for storing information available to a computer program. | | **company** | **content** | **creation_time** | **file_extension** | **file_gid** | **file_group** | **file_name** | **file_path** | **file_uid** | **file_user** | **fqdn** | **hostname** | **image_path** | **link_target** | **md5_hash** | **mime_type** | **mode** | **pid** | **ppid** | **previous_creation_time** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **uid** | **user** | | ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | | +| **create** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | | | **delete** | | | | | | | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | | **modify** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | [Autoruns](../sensors/autoruns_13.98) | | | | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | | **read** | | | | | | | | | | | | | | | | | | | | | | | | | | diff --git a/docs/data_model/http.md b/docs/data_model/http.md new file mode 100644 index 00000000..34dc04fd --- /dev/null +++ b/docs/data_model/http.md 
@@ -0,0 +1,45 @@ +--- +title: "File" +--- + +HTTP events represents requests made over the network via the HTTP protocol. + +## Actions + +|Action|Description| +|---|---| +|get|The event corresponding to an HTTP GET request. +|post|The event corresponding to an HTTP POST request. +|put|The event corresponding to an HTTP PUT request. +|tunnel|The event corresponding to an HTTP TUNNEL request. + +## Fields + +|Field|Description|Example| +|---|---|---| +|hostname|hostname on which the request was seen.|HOST1 +|request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180 +|http_version|HTTP version that is specified in the header.|1.1 +|request_body_content|Body of the HTTP request; usually specifies the exact content being requested.|varies as content is unique. If referrer is http://cnn.com as in example below, expect the body content to likely be an article from CNN. +|request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com +|requester_ip_address|IP address from which the request was made.|151.101.131.5 +|response_body_types|Integer value corresponding to the total number of bytes in the response.|2910 +|response_body_content|Content of the response (does not include header).| +|response_status_code|HTTP protocol status code in response header|200 +|url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview +|url_domain|Domain portion of the URL.|www.mitre.org +|url_remainder|the path after the root domain|/about/corporate-overview +|url_scheme|type of user that initiated the request.|https +|user_agent_full| User agent string associated with the request|HOST1\LOCALUSER1 +|user_agent_name|The user agent through which the request was made.|"Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36" +|user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7) +|user_agent_version|User Agent Version. Note that some User Agent strings may not label versions in the same way.|4.0 + +## Coverage Map + +| | **hostname** | **request_body_bytes** | **http_version** | **request_body_content** | **request_referrer** | **requester_ip_address** | **response_body_types** | **response_body_content** | **response_status_codes** | **url_full** | **url_domain** | **url_remainder** | **url_scheme** | **user_agent_full** | **user_agent_device** | **user_agent_version** | +| --- | --- | ---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| **get** | | | | | | | | | | | | | | | | | +| **post** | | | | | | | | | | | | | | | | | +| **put** | | | | | | | | | | | | | | | | | +| **tunnel** | | | | | | | | | | | | | | | | | \ No newline at end of file diff --git a/docs/data_model/process.md b/docs/data_model/process.md index 33ac1152..7ed4995c 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md 
@@ -38,7 +38,7 @@ A process is a running program on a computer. |sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| |sid|The security identifier or UID of the `user` token that the process is running under.|`S-1-5-18`| |signer|The company that signed the file.|`True`| -|signature_valid|Boolean indicator of whether signature is current and not revoked.|`FooCorp`| +|signature_valid|Boolean indicator of whether signature is current and not revoked.|`True`| |target_address|Specific address range which is accessed by another process.|`08048000-0804c000`| |target_guid|Globally Unique Identifier for the target process (only for process access events).|`{A23EAE89-BD56-5903-0000-0010E9D95EFC}`| |target_pid|ID of the target process (only for process access events).|`1338`| diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index a5ac02aa..8faa412c 100755 --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md @@ -33,8 +33,8 @@ The registry is a system-defined database in which applications and system compo | | **data** | **fqdn** | **hostname** | **hive** | **key** | **image_path** | **new_content** | **pid** | **type** | **user** | **value** | |---|---|---|---|---|---|---|---|---|---|---|---| -| **add** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | +| **add** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | | -**key_edit** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | +**key_edit** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | | **remove** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | **value_edit** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| | [Autoruns](../sensors/autoruns_13.98) |
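Review bot: in the `file.md` hunk, replacing the malformed `< /br>` with a literal line break inside the `**create**` row of the coverage table will break the table, because GFM pipe tables cannot span multiple lines; the row is cut into separate lines that no longer render as cells. Use `<br>` (or `<br/>`) in place of `< /br>` so the cell stays on one line while still stacking the two sensor links, e.g. `[Autoruns](../sensors/autoruns_13.98)<br>[Sysmon](../sensors/sysmon_13)`.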
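Review bot: the front matter of the new `http.md` sets `title: "File"`, which looks copied from `file.md` and should be `"HTTP"`. Several rows of the Fields table also need fixing before merge: `url_scheme` is described as "type of user that initiated the request" although its example is `https` (it is the URL scheme); the `user_agent_full` example `HOST1\LOCALUSER1` is a user name while the full Mozilla string sits under `user_agent_name`, so the two examples appear swapped; `response_body_types` is described as a byte count and is presumably meant to be `response_body_bytes`; and the Coverage Map header uses `response_status_codes` where the Fields table says `response_status_code`, and omits a `user_agent_name` column entirely. HTTP also has no `TUNNEL` method; if the `tunnel` action is meant to cover `CONNECT`-based tunnelling, the description should say so. Minor: "HTTP events represents" should read "represent", "Samgsung" should be "Samsung", and the file is missing its trailing newline (`\ No newline at end of file`).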
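Review bot: the `process.md` hunk corrects only half of a swapped pair. The `signer` row just above the changed line still carries the example `True`, which is the boolean that belonged to `signature_valid`, while `FooCorp` (the company name that belonged to `signer`) is now dropped from the table altogether. Change that row to `|signer|The company that signed the file.|`FooCorp`|` in the same hunk so both examples match their descriptions.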
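Review bot: the `registry.md` hunk has the same problem as `file.md`: the `< /br>` separators in the `**add**` and `**key_edit**` rows are replaced with literal line breaks, which split each row across several lines and break the pipe table. The replacement is also incomplete, since the `hive` and `value` cells of the `**key_edit**` row still contain `< /br>`. Use `<br>` in every affected cell and keep each row on a single line. While touching this row, note that `**key_edit**` lacks the leading `|` that the `**add**`, `**remove**` and `**value_edit**` rows have.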