Merge pull request #170 from Amndeep7/generate_datamodel

Create generate_datamodels script
mitre-attack · Feb 27, 2023 · 50bae40 · 50bae40
2 parents 5684c73 + 6a882ac
commit 50bae40
Show file tree

Hide file tree

Showing 38 changed files with 3,220 additions and 476 deletions.
diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml
@@ -16,6 +16,9 @@ jobs:
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.head_ref }}
+      - name: Clean /docs/data_model
+        shell: bash
+        run: rm -rfv ./docs/data_model
       - name: Clean /docs/analytics
         shell: bash
         run: rm -rfv ./docs/analytics
@@ -29,6 +32,9 @@ jobs:
           cache: 'pip'
       - name: Install script dependencies
         run: pip install -r ./scripts/requirements.txt
+      - name: Regenerate datamodels
+        working-directory: ./scripts
+        run: python generate_datamodels.py
       - name: Regenerate analytics
         working-directory: ./scripts
         run: python generate_analytics.py

diff --git a/data_model/authentication.yaml b/data_model/authentication.yaml
@@ -1,6 +1,6 @@
 ---
 name: Authentication
-description: Authentication events occur whenever a user attempts to login to a system, or a user or process attempts to access a privileged system resource.
+description: An authentication event occurs whenever a user or process attempts to access a privileged system resource. Examples include logging into a system, or elevating privilege.
 actions:
   - name: success
     description: The event corresponding to an authentication service responding positively to an authentication request.

diff --git a/data_model/driver.yaml b/data_model/driver.yaml
@@ -40,3 +40,11 @@ fields:
   - name: signature_valid
     description: Boolean indicator of whether the driver is signed and whether the signature is current and not revoked
     example: true
+coverage_map:
+  load:
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sha256_hash: ["sysmon_13"]
+    signature_valid: ["sysmon_13"]
+    signer: ["sysmon_13"]
diff --git a/data_model/email.yaml b/data_model/email.yaml
@@ -1,6 +1,6 @@
 ---
 name: Email
-description: Email events are at the email server level.
+description: Email events are at the mail server level.
 actions:
   - name: deliver
     description: The event corresponding to an email being sent to an end recipient.

diff --git a/data_model/file.yaml b/data_model/file.yaml
@@ -94,3 +94,38 @@ fields:
   - name: uid
     description: The user ID or SID for the acting entity.
     example: S-1-5-18
+coverage_map:
+  create:
+    company: ["autoruns_13.98", "sysmon_13"]
+    creation_time: ["autoruns_13.98", "sysmon_13"]
+    file_name: ["autoruns_13.98"]
+    file_path: ["sysmon_13"]
+    fqdn: ["autoruns_13.98", "sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["sysmon_13"]
+    md5_hash: ["autoruns_13.98"]
+    pid: ["sysmon_13"]
+    signer: ["sysmon_13"]
+  delete:
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    uid: ["sysmon_13"]
+  modify:
+    company: ["autoruns_13.98"]
+    creation_time: ["autoruns_13.98"]
+    file_name: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    md5_hash: ["autoruns_13.98"]
+    sha256_hash: ["autoruns_13.98"]
+    signature_valid: ["autoruns_13.98"]
+    signer: ["autoruns_13.98"]
+  timestomp:
+    creation_time: ["sysmon_13"]
+    file_path: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    previous_creation_time: ["sysmon_13"]
+    uid: ["sysmon_13"]
diff --git a/data_model/flow.yaml b/data_model/flow.yaml
@@ -90,3 +90,21 @@ fields:
   - name: uid
     description: User ID or SID of the flow-handling entity.
     example: S-1-5-18
+coverage_map:
+  start:
+    dest_hostname: ["sysmon_13"]
+    dest_ip: ["sysmon_13"]
+    dest_port: ["sysmon_13"]
+    exe: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    src_fdqn: ["sysmon_13"]
+    src_hostname: ["sysmon_13"]
+    src_ip: ["sysmon_13"]
+    src_port: ["sysmon_13"]
+    start_time: ["sysmon_13"]
+    transport_protocol: ["sysmon_13"]
+    uid: ["sysmon_13"]
+    user: ["sysmon_13"]
diff --git a/data_model/module.yaml b/data_model/module.yaml
@@ -46,3 +46,16 @@ fields:
   - name: signature_valid
     description: Boolean indicator of whether the signature is current and not revoked
     example: true
+coverage_map:
+  load:
+    fqdn: ["sysmon_13"]
+    hostname: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    md5_hash: ["sysmon_13"]
+    module_name: ["sysmon_13"]
+    module_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sha1_hash: ["sysmon_13"]
+    signature_valid: ["sysmon_13"]
+    signer: ["sysmon_13"]
+    tid: ["sysmon_13"]
diff --git a/data_model/process.yaml b/data_model/process.yaml
@@ -93,3 +93,27 @@ fields:
   - name: uid
     description: User ID under which original process is running.
     example: 509
+coverage_map:
+  access:
+    access_level: ["sysmon_13"]
+    call_trace: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    guid: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sid: ["sysmon_13"]
+    target_guid: ["sysmon_13"]
+    target_pid: ["sysmon_13"]
+    target_name: ["sysmon_13"]
+  create:
+    command_line: ["sysmon_13"]
+    current_working_directory: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    integrity_level: ["sysmon_13"]
+    parent_command_line: ["sysmon_13"]
+    parent_guid: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    ppid: ["sysmon_13"]
+    sha256_hash: ["sysmon_13"]
+    sid: ["sysmon_13"]
diff --git a/data_model/registry.yaml b/data_model/registry.yaml
@@ -44,3 +44,43 @@ fields:
   - name: new_content
     description: The data within the new value, or the new name of a key, after an edit event.
     example: \%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs
+coverage_map:
+  add:
+    data: ["autoruns_13.98", "sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98", "sysmon_13"]
+    key: ["autoruns_13.98", "sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    type: ["autoruns_13.98"]
+    user: ["sysmon_13"]
+    value: ["autoruns_13.98"]
+  key_edit:
+    data: ["autoruns_13.98", "sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98", "sysmon_13"]
+    key: ["autoruns_13.98", "sysmon_13"]
+    image_path: ["sysmon_13"]
+    new_content: ["autoruns_13.98", "sysmon_13"]
+    pid: ["sysmon_13"]
+    type: ["autoruns_13.98"]
+    user: ["sysmon_13"]
+    value: ["autoruns_13.98", "sysmon_13"]
+  remove:
+    data: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hive: ["sysmon_13"]
+    key: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    user: ["sysmon_13"]
+  value_edit:
+    data: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98"]
+    key: ["autoruns_13.98"]
+    new_content: ["autoruns_13.98"]
+    type: ["autoruns_13.98"]
+    value: ["autoruns_13.98"]
diff --git a/data_model/service.yaml b/data_model/service.yaml
@@ -43,3 +43,16 @@ fields:
   - name: uid
     description: The ID of SID of the user who acted on the service
     example: S-1-5-18
+coverage_map:
+  create:
+    command_line: ["autoruns_13.98"]
+    exe: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["autoruns_13.98"]
+  delete:
+    command_line: ["autoruns_13.98"]
+    exe: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["autoruns_13.98"]
diff --git a/data_model/socket.yaml b/data_model/socket.yaml
@@ -39,3 +39,31 @@ fields:
   - name: local_path
     description: In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.
     example: "/tmp/foo"
+coverage_map:
+  bind:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]
+  listen:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]
+  close:
+    family: ["osquery_4.6.0"]
+    image_path: ["osquery_4.6.0"]
+    local_address: ["osquery_4.6.0"]
+    local_port: ["osquery_4.6.0"]
+    pid: ["osquery_4.6.0"]
+    protocol: ["osquery_4.6.0"]
+    remote_address: ["osquery_4.6.0"]
+    remote_port: ["osquery_4.6.0"]
diff --git a/data_model/thread.yaml b/data_model/thread.yaml
@@ -56,3 +56,16 @@ fields:
   - name: uid
     description: The ID of SID of the user who directly or indirectly acted on the thread
     example: S-1-5-18
+coverage_map:
+  remote_create:
+    hostname: ["sysmon_13"]
+    src_pid: ["sysmon_13"]
+    src_tid: ["sysmon_13"]
+    start_address: ["sysmon_13"]
+    start_function: ["sysmon_13"]
+    start_module: ["sysmon_13"]
+    start_module_name: ["sysmon_13"]
+    tgt_pid: ["sysmon_13"]
+    tgt_tid: ["sysmon_13"]
+    uid: ["sysmon_13"]
+    user: ["sysmon_13"]
diff --git a/data_model/user_session.yaml b/data_model/user_session.yaml