Data Model

From Cyber Analytics Repository
Main article: Help:Data Model

The Data Model, strongly inspired by CybOX, is an organization of the objects that may be monitored from a host-based or network-based perspective. Each object is described along two dimensions: the actions that can be taken on it and the fields that can be recorded about it. Paired together, the three-tuple of (object, action, field) acts like a coordinate and describes which properties and state changes of the object a sensor can capture.

Compare the data model's use in analytics that map to ATT&CK, and compare its use across different sensors.

Object | Actions | Fields

driver
  Actions: load, unload
  Fields: base_address, fqdn, hostname, image_path, md5_hash, module_name, sha1_hash, sha256_hash, signer

file
  Actions: create, delete, modify, read, timestomp, write
  Fields: company, creation_time, file_name, file_path, fqdn, hostname, image_path, md5_hash, pid, ppid, previous_creation_time, sha1_hash, sha256_hash, signer, user

flow
  Actions: end, message, start
  Fields: content, dest_fqdn, dest_hostname, dest_ip, dest_port, end_time, exe, flags, fqdn, hostname, image_path, packet_count, pid, ppid, proto_info, protocol, src_fqdn, src_hostname, src_ip, src_port, start_time, user

module
  Actions: load, unload
  Fields: base_address, fqdn, hostname, image_path, md5_hash, module_name, module_path, pid, sha1_hash, sha256_hash, signer, tid

process
  Actions: create, terminate
  Fields: command_line, exe, fqdn, hostname, image_path, md5_hash, parent_exe, parent_image_path, pid, ppid, sha1_hash, sha256_hash, sid, signer, user

registry
  Actions: add, edit, remove
  Fields: data, fqdn, hive, hostname, image_path, key, pid, type, user, value

service
  Actions: create, delete, pause, start, stop
  Fields: command_line, exe, fqdn, hostname, image_path, name, pid, ppid, user

thread
  Actions: create, remote_create, suspend, terminate
  Fields: hostname, src_pid, src_tid, stack_base, stack_limit, start_address, start_function, start_module, start_module_name, subprocess_tag, tgt_pid, tgt_tid, user, user_stack_base, user_stack_limit

user_session
  Actions: interactive, local, lock, login, logout, rdp, reconnect, remote, unlock
  Fields: dest_ip, dest_port, hostname, logon_id, src_ip, src_port, user
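The coordinate idea above is easiest to see in code. The following is an added illustration, not code from the Cyber Analytics Repository: it encodes three of the objects from the table (process, registry, flow) as a lookup structure, validates (object, action, field) triples against it, and then uses those triples to answer the two questions the page points at, whether a sensor profile supplies what an analytic needs, and whether a captured event carries fields the model does not define. The analytic requirement, the sensor profile and the sample event are constructed for the example.

```python
"""Coordinate lookups over a subset of the CAR data model (added example).

Object, action and field names are copied from the table on this page. The
analytic requirement, the sensor profile and the event below are constructed
for illustration and do not describe any real sensor or analytic.
"""

DATA_MODEL = {
    "process": {
        "actions": {"create", "terminate"},
        "fields": {
            "command_line", "exe", "fqdn", "hostname", "image_path", "md5_hash",
            "parent_exe", "parent_image_path", "pid", "ppid", "sha1_hash",
            "sha256_hash", "sid", "signer", "user",
        },
    },
    "registry": {
        "actions": {"add", "edit", "remove"},
        "fields": {"data", "fqdn", "hive", "hostname", "image_path", "key",
                   "pid", "type", "user", "value"},
    },
    "flow": {
        "actions": {"end", "message", "start"},
        "fields": {"content", "dest_fqdn", "dest_hostname", "dest_ip",
                   "dest_port", "end_time", "exe", "flags", "fqdn", "hostname",
                   "image_path", "packet_count", "pid", "ppid", "proto_info",
                   "protocol", "src_fqdn", "src_hostname", "src_ip", "src_port",
                   "start_time", "user"},
    },
}


def coordinate(obj, action, fld):
    """Validate one (object, action, field) triple against the model.

    Returns the triple when every part is known; otherwise raises ValueError
    naming the part that the model does not define.
    """
    spec = DATA_MODEL.get(obj)
    if spec is None:
        raise ValueError(f"unknown object {obj!r}")
    if action not in spec["actions"]:
        raise ValueError(f"object {obj!r} has no action {action!r}")
    if fld not in spec["fields"]:
        raise ValueError(f"object {obj!r} has no field {fld!r}")
    return (obj, action, fld)


def expand(obj, action, fields):
    """Turn an (object, action, [fields]) statement into a set of coordinates."""
    return {coordinate(obj, action, f) for f in fields}


def coverage_gap(analytic_coords, sensor_coords):
    """Coordinates an analytic needs that the sensor profile does not supply."""
    return analytic_coords - sensor_coords


def unmodeled_fields(obj, action, event):
    """Keys in a captured event that the model does not define for the object.

    A non-empty result usually means the sensor's field naming has not been
    mapped onto the data model yet.
    """
    spec = DATA_MODEL.get(obj)
    if spec is None or action not in spec["actions"]:
        raise ValueError(f"no coordinate space for {obj!r}/{action!r}")
    return set(event) - spec["fields"]


# Constructed example: an analytic over process creation needs the command line,
# the executable and the parent executable; a hypothetical sensor records process
# creation with command line and hashes and registry additions, but never captures
# parent_exe.
ANALYTIC = expand("process", "create", ["command_line", "exe", "parent_exe"])
SENSOR = (expand("process", "create", ["command_line", "exe", "pid", "ppid",
                                       "md5_hash", "sha256_hash"])
          | expand("registry", "add", ["key", "value", "data"]))

# Constructed registry event with one key the model does not define.
SAMPLE_EVENT = {"hive": "HKLM", "key": "SOFTWARE\\Example", "value": "Run",
                "data": "example.exe", "event_category": "registry"}


def example_gap():
    """Sorted list of coordinates the constructed sensor is missing."""
    return sorted(coverage_gap(ANALYTIC, SENSOR))


def example_unmodeled():
    """Sorted list of keys in SAMPLE_EVENT that the registry object lacks."""
    return sorted(unmodeled_fields("registry", "add", SAMPLE_EVENT))


if __name__ == "__main__":
    print("analytic cannot run; sensor is missing:", example_gap())
    print("event keys not in the data model:", example_unmodeled())
```

Representing an analytic's inputs and a sensor's outputs as the same kind of coordinate set is what makes the comparison a plain set difference; the same structure can be extended with the remaining objects from the table without changing any of the functions.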