The Data Model, strongly inspired by CybOX, is an organization of the objects that may be monitored from a host-based or network-based perspective. Each object is described along two dimensions: the actions that can be performed on or by it, and the fields that characterize it. Paired together, the three-tuple (object, action, field) acts like a coordinate, describing which properties and state changes of the object a sensor can capture.
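As an added example (not CAR's own code), the (object, action, field) coordinates described above as a lookup structure, with a normaliser that projects a constructed Sysmon-style event onto them and reports raw fields the model has no coordinate for. The subset of objects is transcribed from this page; the Sysmon raw-field renames and the sample event are this example's own assumptions.

```python
# Subset of the data model transcribed from this page: object -> (actions, fields).
DATA_MODEL = {
    "process": (
        {"access", "create", "terminate"},
        {"command_line", "exe", "image_path", "pid", "ppid", "user",
         "parent_image_path", "parent_command_line", "sha256_hash"},
    ),
    "file": (
        {"acl_modify", "create", "delete", "modify", "read", "timestomp", "write"},
        {"creation_time", "file_name", "file_path", "image_path", "pid", "user"},
    ),
}

def is_valid_coordinate(obj, action, field):
    """True when (object, action, field) names a point in the data model."""
    if obj not in DATA_MODEL:
        return False
    actions, fields = DATA_MODEL[obj]
    return action in actions and field in fields

# Sensor-to-model mapping. Sysmon Event ID 1 is Process Create and 11 is FileCreate;
# the raw-field -> model-field renames are this example's own assumption.
SYSMON_MAP = {
    1: ("process", "create", {"Image": "exe", "CommandLine": "command_line",
                              "ProcessId": "pid", "ParentProcessId": "ppid",
                              "User": "user", "ParentImage": "parent_image_path",
                              "ParentCommandLine": "parent_command_line"}),
    11: ("file", "create", {"TargetFilename": "file_path", "Image": "image_path",
                            "ProcessId": "pid", "User": "user"}),
}

def normalize(event):
    """Project a raw event onto (object, action, {field: value}); raw fields with
    no valid coordinate are returned separately so the coverage gap is visible."""
    obj, action, renames = SYSMON_MAP[event["EventID"]]
    payload = {k: v for k, v in event.items() if k != "EventID"}
    fields, dropped = {}, []
    for raw_name, value in payload.items():
        field = renames.get(raw_name)
        if field is not None and is_valid_coordinate(obj, action, field):
            fields[field] = value
        else:
            dropped.append(raw_name)
    return obj, action, fields, dropped

# Constructed sample event, not a real log record.
SAMPLE_EVENT = {
    "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": "cmd.exe /c dir", "ProcessId": 4120, "ParentProcessId": 988,
    "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe",
    "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
}
```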


Sensors named after an action (Sysmon, Autoruns, osquery) are those the model records as providing data for that action; actions with no sensor named have no coverage recorded.

authentication
  Fields: ad_domain, app_name, auth_service, auth_target, decision_reason, fqdn, hostname, method, response_time, target_ad_domain, target_uid, target_user, target_user_role, target_user_type, uid, user, user_agent, user_role, user_type
  Actions:
    error
    failure
    success

driver
  Fields: base_address, fqdn, hostname, image_path, md5_hash, module_name, pid, sha1_hash, sha256_hash, signature_valid, signer
  Actions:
    load: Sysmon
    unload

email
  Fields: action_reason, attachment_mime_type, attachment_name, attachment_size, date, dest_address, dest_ip, dest_port, from, message_body, message_links, message_type, return_address, server_relay, smtp_uid, src_address, src_domain, src_ip, src_port, subject, to
  Actions:
    block
    delete
    deliver
    quarantine
    redirect

file
  Fields: company, content, creation_time, extension, file_name, file_path, fqdn, gid, group, hostname, image_path, link_target, md5_hash, mime_type, mode, owner, owner_uid, pid, ppid, previous_creation_time, sha1_hash, sha256_hash, signature_valid, signer, uid, user
  Actions:
    acl_modify
    create: Autoruns, Sysmon
    delete: Sysmon
    modify: Autoruns
    read
    timestomp: Sysmon
    write

flow
  Fields: application_protocol, content, dest_fqdn, dest_hostname, dest_ip, dest_port, end_time, exe, fqdn, hostname, image_path, in_bytes, network_direction, out_bytes, packet_count, pid, ppid, proto_info, src_fqdn, src_hostname, src_ip, src_port, start_time, tcp_flags, transport_protocol, uid, user
  Actions:
    end
    message
    start: Sysmon

http
  Fields: hostname, http_version, request_body_bytes, request_body_content, request_referrer, requester_ip_address, response_body_bytes, response_body_content, response_status_code, url_domain, url_full, url_remainder, url_scheme, user_agent_device, user_agent_full, user_agent_name, user_agent_version
  Actions:
    get
    post
    put
    tunnel

module
  Fields: base_address, fqdn, hostname, image_path, md5_hash, module_name, module_path, pid, sha1_hash, sha256_hash, signature_valid, signer, tid
  Actions:
    load: Sysmon
    unload

process
  Fields: access_level, call_trace, command_line, current_working_directory, env_vars, exe, fqdn, guid, hostname, image_path, integrity_level, md5_hash, parent_command_line, parent_exe, parent_guid, parent_image_path, pid, ppid, sha1_hash, sha256_hash, sid, signature_valid, signer, target_address, target_guid, target_name, target_pid, uid, user
  Actions:
    access: Sysmon
    create: Sysmon
    terminate

registry
  Fields: data, fqdn, hive, hostname, image_path, key, new_content, pid, type, user, value
  Actions:
    add: Autoruns, Sysmon
    key_edit: Autoruns, Sysmon
    remove: Sysmon
    value_edit: Autoruns

service
  Fields: command_line, exe, fqdn, hostname, image_path, name, pid, ppid, uid, user
  Actions:
    create: Autoruns
    delete: Autoruns
    pause
    start
    stop

socket
  Fields: family, image_path, local_address, local_path, local_port, pid, protocol, remote_address, remote_port, success
  Actions:
    bind: osquery
    close: osquery
    listen: osquery

thread
  Fields: hostname, src_pid, src_tid, stack_base, stack_limit, start_address, start_function, start_module, start_module_name, tgt_pid, tgt_tid, uid, user, user_stack_base, user_stack_limit
  Actions:
    create
    remote_create: Sysmon
    suspend
    terminate

user_session
  Fields: dest_ip, dest_port, hostname, login_id, login_successful, login_type, src_ip, src_port, uid, user
  Actions:
    lock
    login
    logout
    reconnect
    unlock