OSSEM Detection Model (DM)

This part of the project focuses on defining the telemetry required to gather security context about the different behaviors that happen in a network environment. Network behaviors are described using data entities and the interactions or relationships among them. These relationships and their metadata can facilitate the creation of data analytics and the validation of detections for adversary techniques. We have also extended this concept to the MITRE-ATT&CK framework.

Projects Using the OSSEM Detection Model

Documentation Format and Schema

We document relationships metadata in YAML format (.yml extension) using the following schema:

a) General Metadata

  • Metadata that helps to identify and describe the relationship.

| Field | Mandatory | Data Type | Description | Example |
|---|---|---|---|---|
| relationship_id | Yes | String | ID that uniquely identifies a relationship. It has three components: the string REL, the creation year, and a four-digit sequence number that restarts every year. This field is not required when contributing a relationship YAML file because it is added by a Python script. | REL-2022-0175 |
| name | Yes | String | Name of the relationship that describes the activity around data entities. Usually, entities' names have the first character of each word capitalized. | Process created Process |
| contributors | Yes | List of Strings | People that helped with the creation or update of YAML files. Additional context, such as a Twitter handle, can be provided. | Jose Rodriguez @Cyb3rPandaH |
| references | No | List of Strings | Any web link that could provide more context about the relationship and/or the security events mapped to it. | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688 |
| notes | No | List of Strings | Any comment or note that could help to better understand the relationship YAML file and/or the security events mapped to it. | For event 4688 - You must enable "Administrative Templates\System\Audit Process Creation\Include command line in process creation events" group policy to include command line in process creation events. |

b) ATT&CK Data Sources Mapping (attack)

  • Metadata that describes the mapping of relationships to Data Sources and Data Components from the MITRE-ATT&CK framework.
  • This section of the YAML file is not mandatory, and it should be described using a Dictionary.

| Field | Mandatory | Data Type | Description | Example |
|---|---|---|---|---|
| data_source | No | String | ATT&CK data source | process |
| data_component | No | String | ATT&CK data component | process creation |

c) Network Environment Behavior (behavior)

  • Metadata that describes the interaction among entities. It considers three components: source entity, relationship, and target entity. Entities' names are aligned with the OSSEM Common Data Model project.
  • This section of the YAML file is mandatory, and it should be described using a Dictionary.

| Field | Mandatory | Data Type | Description | Example |
|---|---|---|---|---|
| source | Yes | String | Usually the entity that performs the activity. | process |
| relationship | Yes | String | Action or activity performed by, or related to, the source entity. | created |
| target | Yes | String | Usually the entity affected by the activity. | process |

d) Security Telemetry Mapping (security_events)

  • Metadata that describes the mapping of security telemetry to relationships.
  • This section of the YAML file is mandatory, and it should be described using a List of Dictionaries, where each dictionary represents a specific event log or source of data.
  • Even though this section is mandatory, some of the fields within it are not, since they only apply to specific telemetry sources.
    • We use the fields audit_category, audit_sub_category, and channel when mapping Microsoft Windows Security Auditing events.
    • We use the field audit_category in Windows Sysmon events in order to populate the Enable Commands columns of the ATT&CK CSV file.
    • We use the field filter_in to provide additional context when an event log or telemetry source describes multiple objects or actions using the same schema. A good example of this is Windows Security Auditing event 4656, where the object context varies based on the ObjectType field (Process, Key, Service, etc.).

| Field | Mandatory | Data Type | Description | Example |
|---|---|---|---|---|
| event_id | Yes | String | ID that uniquely identifies and differentiates events from the same source. | '4688' |
| name | Yes | String | Name of the event. In some cases, it might be similar to its ID. | A new process has been created. |
| platform | Yes | String | Operating system or application where the event can be collected. | Windows |
| audit_category | No | String | Windows-related field. It describes the audit policy category an event belongs to. | Detailed Tracking |
| audit_sub_category | No | String | Windows-related field. It describes the audit policy subcategory an event belongs to. | Process Creation |
| channel | No | String | Windows-related field. It describes a group of events for a target audience. Channels belong to one of four types: admin, operational, analytic, and debug. | Security |
| log_source | Yes | String | Describes the source that provides an event, i.e. where we can collect the event from. In Windows environments, for ETW-based events, this field represents the Provider. | Microsoft-Windows-Security-Auditing |
| filter_in | No | List of Dictionaries | For events that use the same schema but provide different security context depending on the activity or the object they describe. For example, DeviceProcessEvents from Microsoft Defender for Endpoint provides different context based on the field ActionType. Another example is event 4656 from Microsoft Windows Security Auditing, whose context differs based on the field ObjectType. | ActionType: ProcessCreated |
| event_version | No | List of Strings | This information helps us when relating OSSEM-DM with OSSEM-DD. If the event metadata contains a version, there is an OSSEM dictionary available for it. For now, this field is not required when contributing a relationship YAML file. | '2' |

Contribution Example

Here is a YAML example that you can use as a reference when contributing relationships:

```yaml
name: Process created Process
contributors:
- Jose Rodriguez @Cyb3rPandaH
attack:
  data_source: process
  data_component: process creation
behavior:
  source: process
  relationship: created
  target: process
security_events:
- event_id: '4688'
  name: A new process has been created.
  platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  event_version:
  - '2'
- event_id: DeviceProcessEvents
  name: DeviceProcessEvents
  platform: windows
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
  event_version:
  - '1'
- event_id: '1'
  name: Process Creation.
  platform: windows
  audit_category: ProcessCreate
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  event_version:
  - '4.32'
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-1-process-creation
notes:
- For event 4688 - You must enable "Administrative Templates\System\Audit Process Creation\Include command line in process creation events" group policy to include command line in process creation events.
```
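The schema in sections a) to d) is easy to get subtly wrong in a contribution (an unquoted event_id that loads as an integer, a behavior block missing its target, a relationship_id in the wrong format). The following validator is an added example, not code from the OSSEM-DM project: it encodes the mandatory/optional fields and data types from the tables above and reports every deviation. The two documents it checks are constructed for this example; SAMPLE is the contribution example above as a YAML loader would return it (trimmed to its first two events), and BAD is a deliberately malformed variant.

```python
# Added example (not part of the OSSEM-DM project): schema checks for a relationship
# document following sections a) to d). SAMPLE and BAD are constructed test documents.
import re
from typing import Any

REL_ID = re.compile(r"^REL-\d{4}-\d{4}$")  # "REL" + creation year + 4-digit sequence number
# a) general metadata: top-level fields and their expected types
TOP_MANDATORY = {"name": str, "contributors": list, "behavior": dict, "security_events": list}
TOP_OPTIONAL = {"relationship_id": str, "references": list, "notes": list, "attack": dict}
ATTACK_FIELDS = ("data_source", "data_component")                 # b) optional dictionary
BEHAVIOR_FIELDS = ("source", "relationship", "target")            # c) mandatory dictionary
EVENT_MANDATORY = ("event_id", "name", "platform", "log_source")  # d) one dictionary per event
EVENT_OPTIONAL = ("audit_category", "audit_sub_category", "channel", "filter_in", "event_version")


def _is_list_of(value: Any, kind: type) -> bool:
    return isinstance(value, list) and all(isinstance(item, kind) for item in value)


def _text(value: Any) -> bool:
    """True for a non-empty string (an unquoted YAML scalar such as 4688 loads as an int)."""
    return isinstance(value, str) and value != ""


def validate_relationship(doc: Any, require_id: bool = False) -> list[str]:
    """Return the problems found; an empty list means the document conforms.
    relationship_id is added by a script after contribution, hence require_id=False."""
    if not isinstance(doc, dict):
        return ["document root must be a mapping"]
    problems: list[str] = []
    # a) general metadata
    for field, kind in {**TOP_MANDATORY, **TOP_OPTIONAL}.items():
        if field not in doc:
            if field in TOP_MANDATORY or (require_id and field == "relationship_id"):
                problems.append(f"missing mandatory field '{field}'")
        elif not isinstance(doc[field], kind):
            problems.append(f"'{field}' must be a {kind.__name__}")
    for field in ("contributors", "references", "notes"):
        if field in doc and not _is_list_of(doc[field], str):
            problems.append(f"'{field}' must be a list of strings")
    rel_id = doc.get("relationship_id")
    if isinstance(rel_id, str) and not REL_ID.match(rel_id):
        problems.append(f"relationship_id '{rel_id}' is not of the form REL-YYYY-NNNN")
    problems += [f"unknown top-level field '{k}'" for k in sorted(set(doc) - set(TOP_MANDATORY) - set(TOP_OPTIONAL))]
    # b) ATT&CK mapping: optional; when present, only the two string fields are allowed
    attack = doc.get("attack")
    if isinstance(attack, dict):
        for key, value in attack.items():
            if key not in ATTACK_FIELDS or not _text(value):
                problems.append(f"attack.{key}: expected one of {ATTACK_FIELDS} with a string value")
    # c) behavior: source entity, relationship and target entity, all non-empty strings
    behavior = doc.get("behavior")
    if isinstance(behavior, dict):
        problems += [f"behavior.{f} must be a non-empty string" for f in BEHAVIOR_FIELDS if not _text(behavior.get(f))]
        problems += [f"behavior: unknown field '{k}'" for k in sorted(set(behavior) - set(BEHAVIOR_FIELDS))]
    # d) security_events: a list of dictionaries, one per event log or telemetry source
    events = doc.get("security_events")
    if isinstance(events, list):
        for idx, event in enumerate(events):
            where = f"security_events[{idx}]"
            if not isinstance(event, dict):
                problems.append(f"{where} must be a mapping")
                continue
            # The README example quotes '4688' and '2' so they stay strings; _text() catches the int.
            problems += [f"{where}.{f} must be a non-empty string" for f in EVENT_MANDATORY if not _text(event.get(f))]
            for field in ("audit_category", "audit_sub_category", "channel"):
                if field in event and not isinstance(event[field], str):
                    problems.append(f"{where}.{field} must be a string")
            if "filter_in" in event and not _is_list_of(event["filter_in"], dict):
                problems.append(f"{where}.filter_in must be a list of dictionaries")
            if "event_version" in event and not _is_list_of(event["event_version"], str):
                problems.append(f"{where}.event_version must be a list of strings")
            problems += [f"{where}: unknown field '{k}'" for k in sorted(set(event) - set(EVENT_MANDATORY + EVENT_OPTIONAL))]
    return problems


# Constructed: the README contribution example as a YAML loader would return it (first two events).
SAMPLE = {
    "name": "Process created Process",
    "contributors": ["Jose Rodriguez @Cyb3rPandaH"],
    "attack": {"data_source": "process", "data_component": "process creation"},
    "behavior": {"source": "process", "relationship": "created", "target": "process"},
    "security_events": [
        {"event_id": "4688", "name": "A new process has been created.", "platform": "windows",
         "audit_category": "Detailed Tracking", "audit_sub_category": "Process Creation", "channel": "Security",
         "log_source": "Microsoft-Windows-Security-Auditing", "event_version": ["2"]},
        {"event_id": "DeviceProcessEvents", "name": "DeviceProcessEvents", "platform": "windows",
         "log_source": "Microsoft Defender for Endpoint", "filter_in": [{"ActionType": "ProcessCreated"}],
         "event_version": ["1"]},
    ],
}
# Constructed: malformed id, missing behavior.target, unquoted event_id (int), missing log_source.
BAD = {
    "relationship_id": "REL-22-1", "name": "Process created Process",
    "contributors": ["Jose Rodriguez @Cyb3rPandaH"],
    "behavior": {"source": "process", "relationship": "created"},
    "security_events": [{"event_id": 4688, "name": "A new process has been created.", "platform": "windows"}],
}
```

To check a real contribution, load the .yml with PyYAML (`yaml.safe_load(open(path))`) and pass the result to validate_relationship; SAMPLE returns an empty list, while BAD returns four problems (the id format, behavior.target, security_events[0].event_id and security_events[0].log_source). Passing require_id=True reproduces the stricter check that applies once the Python script has assigned a relationship_id.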

Available documents

| File | Description |
|---|---|
| OSSEM Event Mappings in YAML | Security event logs mapped to OSSEM relationships in YAML format (includes ATT&CK data sources metadata). |
| OSSEM Event Mappings in JSON | Security event logs mapped to OSSEM relationships in JSON format (includes ATT&CK data sources metadata). |
| ATT&CK Event Mappings in YAML | Security event logs mapped to ATT&CK Data Sources Objects in YAML format. |
| ATT&CK Event Mappings in CSV | Security event logs mapped to ATT&CK Data Sources Objects in CSV format. |

References

Presentations:

Related Projects:

ATT&CK:

Other:
