Create generate_datamodels script

data_model/authentication.yaml

@@ -1,6 +1,6 @@
 ---
 name: Authentication
-description: Authentication events occur whenever a user attempts to login to a system, or a user or process attempts to access a privileged system resource.
+description: An authentication event occurs whenever a user or process attempts to access a privileged system resource. Examples include logging into a system, or elevating privilege.
 actions:
   - name: success
     description: The event corresponding to an authentication service responding positively to an authentication request.
@@ -12,7 +12,7 @@ fields:
   - name: app_name
     description: Name of the application that made the authentication request
     example: ssh, win:local
-  - name:  method
+  - name: method
     description: The authentication method that was used.
     example: SMAL, Kerberos
   - name: auth_service
@@ -66,4 +66,3 @@ fields:
   - name: target_user
     description: Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user.
     example: HOST1\LOCALUSER2
-

data_model/driver.yaml

@@ -39,4 +39,12 @@ fields:
     example: 1533
   - name: signature_valid
     description: Boolean indicator of whether the driver is signed and whether the signature is current and not revoked
-    example: True
+    example: true
+coverage_map:
+  load:
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sha256_hash: ["sysmon_13"]
+    signature_valid: ["sysmon_13"]
+    signer: ["sysmon_13"]

data_model/email.yaml

@@ -1,6 +1,6 @@
 ---
 name: Email
-description: Email events are at the email server level.
+description: Email events are at the mail server level.
 actions:
   - name: deliver
     description: The event corresponding to an email being sent to an end recipient.
@@ -16,7 +16,7 @@ fields:
   - name: action_reason
     description: The rationale given for blocking, redirecting, or quarantining an email.
     example: "Malformed Message"
-  - name:  attachment_name
+  - name: attachment_name
     description: Filename of any email attachment that may exist.
     example: "cuddly-cats.pdf"
   - name: attachment_size
@@ -75,20 +75,3 @@ fields:
   - name: to
     description: the content of the To field in the email header; does not necessarily match up with real recipients.
     example: "adam@example.com"
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-

data_model/file.yaml

@@ -90,7 +90,42 @@ fields:
     example: 0644 (linux) or NTFS ACL
   - name: signature_valid
     description: Boolean indicator of whether the signature is valid; empty if file is not signed.
-    example: True
+    example: true
   - name: uid
     description: The user ID or SID for the acting entity.
     example: S-1-5-18
+coverage_map:
+  create:
+    company: ["autoruns_13.98", "sysmon_13"]
+    creation_time: ["autoruns_13.98", "sysmon_13"]
+    file_name: ["autoruns_13.98"]
+    file_path: ["sysmon_13"]
+    fqdn: ["autoruns_13.98", "sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["sysmon_13"]
+    md5_hash: ["autoruns_13.98"]
+    pid: ["sysmon_13"]
+    signer: ["sysmon_13"]
+  delete:
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    uid: ["sysmon_13"]
+  modify:
+    company: ["autoruns_13.98"]
+    creation_time: ["autoruns_13.98"]
+    file_name: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    md5_hash: ["autoruns_13.98"]
+    sha256_hash: ["autoruns_13.98"]
+    signature_valid: ["autoruns_13.98"]
+    signer: ["autoruns_13.98"]
+  timestomp:
+    creation_time: ["sysmon_13"]
+    file_path: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    previous_creation_time: ["sysmon_13"]
+    uid: ["sysmon_13"]

data_model/flow.yaml

@@ -89,4 +89,22 @@ fields:
     example: TCP
   - name: uid
     description: User ID or SID of the flow-handling entity.
-    example: S-1-5-18
+    example: S-1-5-18
+coverage_map:
+  start:
+    dest_hostname: ["sysmon_13"]
+    dest_ip: ["sysmon_13"]
+    dest_port: ["sysmon_13"]
+    exe: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    src_fdqn: ["sysmon_13"]
+    src_hostname: ["sysmon_13"]
+    src_ip: ["sysmon_13"]
+    src_port: ["sysmon_13"]
+    start_time: ["sysmon_13"]
+    transport_protocol: ["sysmon_13"]
+    uid: ["sysmon_13"]
+    user: ["sysmon_13"]

data_model/http.yaml

@@ -14,7 +14,7 @@ fields:
   - name: hostname
     description: hostname on which the request was seen.
     example: HOST1
-  - name:  request_body_bytes
+  - name: request_body_bytes
     description: Integer value corresponding to the total number of bytes in the request.
     example: 180
   - name: http_version
@@ -60,21 +60,3 @@ fields:
   - name: user_agent_version
     description: User Agent Version. Note that some User Agent strings may not label versions in the same way.
     example: 4.0
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-

data_model/module.yaml

@@ -1,6 +1,6 @@
 ---
-name: Library
-description: Libraries correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a shared library or module (DLLs in Windows) and their dependencies.
+name: Module
+description: Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies.
 actions:
   - name: load
     description: A module load event occurs when a PE image (dll or exe) is loaded into a process.
@@ -45,4 +45,17 @@ fields:
     example: 50
   - name: signature_valid
     description: Boolean indicator of whether the signature is current and not revoked
-    example: True
+    example: true
+coverage_map:
+  load:
+    fqdn: ["sysmon_13"]
+    hostname: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    md5_hash: ["sysmon_13"]
+    module_name: ["sysmon_13"]
+    module_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sha1_hash: ["sysmon_13"]
+    signature_valid: ["sysmon_13"]
+    signer: ["sysmon_13"]
+    tid: ["sysmon_13"]

data_model/process.yaml

@@ -79,7 +79,7 @@ fields:
     example: "{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}"
   - name: signature_valid
     description: Boolean indicator of whether signature is current and not revoked.
-    example: True
+    example: true
   - name: target_guid
     description: Global Unique Identifier for the target process (only for process access events).
   - name: target_pid
@@ -93,3 +93,27 @@ fields:
   - name: uid
     description: User ID under which original process is running.
     example: 509
+coverage_map:
+  access:
+    access_level: ["sysmon_13"]
+    call_trace: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    guid: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sid: ["sysmon_13"]
+    target_guid: ["sysmon_13"]
+    target_pid: ["sysmon_13"]
+    target_name: ["sysmon_13"]
+  create:
+    command_line: ["sysmon_13"]
+    current_working_directory: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    integrity_level: ["sysmon_13"]
+    parent_command_line: ["sysmon_13"]
+    parent_guid: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    ppid: ["sysmon_13"]
+    sha256_hash: ["sysmon_13"]
+    sid: ["sysmon_13"]

data_model/registry.yaml

@@ -44,3 +44,43 @@ fields:
   - name: new_content
     description: The data within the new value, or the new name of a key, after an edit event.
     example: \%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs
+coverage_map:
+  add:
+    data: ["autoruns_13.98", "sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98", "sysmon_13"]
+    key: ["autoruns_13.98", "sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    type: ["autoruns_13.98"]
+    user: ["sysmon_13"]
+    value: ["autoruns_13.98"]
+  key_edit:
+    data: ["autoruns_13.98", "sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98", "sysmon_13"]
+    key: ["autoruns_13.98", "sysmon_13"]
+    image_path: ["sysmon_13"]
+    new_content: ["autoruns_13.98", "sysmon_13"]
+    pid: ["sysmon_13"]
+    type: ["autoruns_13.98"]
+    user: ["sysmon_13"]
+    value: ["autoruns_13.98", "sysmon_13"]
+  remove:
+    data: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hive: ["sysmon_13"]
+    key: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    user: ["sysmon_13"]
+  value_edit:
+    data: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98"]
+    key: ["autoruns_13.98"]
+    new_content: ["autoruns_13.98"]
+    type: ["autoruns_13.98"]
+    value: ["autoruns_13.98"]

data_model/service.yaml

@@ -42,4 +42,17 @@ fields:
     example: 1860
   - name: uid
     description: The ID of SID of the user who acted on the service
-    example: S-1-5-18
+    example: S-1-5-18
+coverage_map:
+  create:
+    command_line: ["autoruns_13.98"]
+    exe: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["autoruns_13.98"]
+  delete:
+    command_line: ["autoruns_13.98"]
+    exe: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["autoruns_13.98"]

data_model/socket.yaml

@@ -12,12 +12,12 @@ fields:
   - name: pid
     description: ID of the process that acted on the socket
     example: 3930
-  - name:  image_path
+  - name: image_path
     description: Path to the executable that initiated the socket event.
     example: C:/user/adam/malware.exe
   - name: success
     description: Boolean indicator of whether the socket event was successful (e.g. the socket was created as requested)
-    example: True
+    example: true
   - name: family
     description: The type of socket in question
     example: AF_UNIX, AF_INET, AF_INET6
@@ -39,20 +39,31 @@ fields:
   - name: local_path
     description: In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.
     example: "/tmp/foo"
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+coverage_map:
+  bind:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]
+  listen:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]
+  close:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]

data_model/thread.yaml

@@ -56,3 +56,16 @@ fields:
   - name: uid
     description: The ID of SID of the user who directly or indirectly acted on the thread
     example: S-1-5-18
+coverage_map:
+  remote_create:
+    hostname: ["sysmon_13"]
+    src_pid: ["sysmon_13"]
+    src_tid: ["sysmon_13"]
+    start_address: ["sysmon_13"]
+    start_function: ["sysmon_13"]
+    start_module: ["sysmon_13"]
+    start_module_name: ["sysmon_13"]
+    tgt_pid: ["sysmon_13"]
+    tgt_tid: ["sysmon_13"]
+    uid: ["sysmon_13"]
+    user: ["sysmon_13"]

data_model/user_session.yaml

@@ -1,5 +1,5 @@
 ---
-name: User Sesssion
+name: User Session
 description: User sessions are the user activities undertaken on the computer in the course of conducting standard user actions.
 actions:
   - name: lock
@@ -42,5 +42,4 @@ fields:
     example: S-1-5-18
   - name: login_successful
     description: Boolean indicator of whether a login attempt was successful
-    example: False
-
+    example: false