Open Source Security Events Metadata (OSSEM)

A community-led project focused primarily on the documentation, standardization and modeling of security event logs.

https://ossemproject.com/intro.html

Goals

• Define and share a common data moel in order to improve the data standardization and transformation of security event logs
• Define and share data structures and relationships identified in security events logs
• Provide detailed information in a dictionary format about several security event logs to the community
• Learn more about security event logs (Windows, Linux, MacOS, Azure, AWS, etc)

Project Structure

• Data Dictionaries (DD):
  • Contains specific information about several security event logs organized by operating system and their respective data providers.
  • Each dictionary describes a single event log and its corresponding field names.
  • It provides the foundational concepts to create a data wiki in an organization.
• Common Data Model (CDM)
  • Facilitates the normalization of data by providing a standard way to parse security event logs.
  • The project is organized by schema entities identified in several data sources.
  • The definitions of each schema entity and its respective attributes (field names) are mostly general descriptions that could help and expedite event logs parsing procedures.
  • The project also provides the concept of schema tables to aggregate common entities and parse similar data sources. For example, HTTP, Port and User Agent entities can be used to normalize network traffic metadata captured in a network environment.
• Detection Model (DM):
  • Focuses on identifying relationships among security events to facilitate the development of data analytics and help validate the detection of adversary techniques.

Sponsors

Author

• Roberto Rodriguez @Cyb3rWard0g

Current Committers

• Jose Luis Rodriguez @Cyb3rPandaH
• Nate Guagenti @neu5ron
• Ricardo Dias @hxnoyd

Projects Using OSSEM

• HELK
• Azure Sentinel Normalization

Resources

• Ready to hunt? First, Show me your data!
• What's new in Windows 10, versions 1507 and 1511
• Download Security Audit Events for Windows (Spreadsheet)
• Advanced Security Audit Policy Settings
• Monitoring Active Directory for Signs of Compromise
• Audit Policy Recommendations
• Use Windows Event Forwarding to help with intrusion detection
• Minimum recommended minimum audit policy
• Windows ITPro Docs - Threat Protection
• MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data
• MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate Your Data Analytics!
• Defining ATT&CK Data Sources, Part I: Enhancing the Current State
• Defining ATT&CK Data Sources, Part II: Operationalizing the Methodology