Merge pull request #170 from Amndeep7/generate_datamodel

Create generate_datamodels script

Author: alexiacrumpton

.github/workflows/regenerate-docs.yml

@@ -16,6 +16,9 @@ jobs:
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.head_ref }}
+      - name: Clean /docs/data_model
+        shell: bash
+        run: rm -rfv ./docs/data_model
       - name: Clean /docs/analytics
         shell: bash
         run: rm -rfv ./docs/analytics
@@ -29,6 +32,9 @@ jobs:
           cache: 'pip'
       - name: Install script dependencies
         run: pip install -r ./scripts/requirements.txt
+      - name: Regenerate datamodels
+        working-directory: ./scripts
+        run: python generate_datamodels.py
       - name: Regenerate analytics
         working-directory: ./scripts
         run: python generate_analytics.py

data_model/authentication.yaml

@@ -1,6 +1,6 @@
 ---
 name: Authentication
-description: Authentication events occur whenever a user attempts to login to a system, or a user or process attempts to access a privileged system resource.
+description: An authentication event occurs whenever a user or process attempts to access a privileged system resource. Examples include logging into a system, or elevating privilege.
 actions:
   - name: success
     description: The event corresponding to an authentication service responding positively to an authentication request.

data_model/driver.yaml

@@ -40,3 +40,11 @@ fields:
   - name: signature_valid
     description: Boolean indicator of whether the driver is signed and whether the signature is current and not revoked
     example: true
+coverage_map:
+  load:
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sha256_hash: ["sysmon_13"]
+    signature_valid: ["sysmon_13"]
+    signer: ["sysmon_13"]

data_model/email.yaml

@@ -1,6 +1,6 @@
 ---
 name: Email
-description: Email events are at the email server level.
+description: Email events are at the mail server level.
 actions:
   - name: deliver
     description: The event corresponding to an email being sent to an end recipient.

data_model/file.yaml

@@ -94,3 +94,38 @@ fields:
   - name: uid
     description: The user ID or SID for the acting entity.
     example: S-1-5-18
+coverage_map:
+  create:
+    company: ["autoruns_13.98", "sysmon_13"]
+    creation_time: ["autoruns_13.98", "sysmon_13"]
+    file_name: ["autoruns_13.98"]
+    file_path: ["sysmon_13"]
+    fqdn: ["autoruns_13.98", "sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["sysmon_13"]
+    md5_hash: ["autoruns_13.98"]
+    pid: ["sysmon_13"]
+    signer: ["sysmon_13"]
+  delete:
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    uid: ["sysmon_13"]
+  modify:
+    company: ["autoruns_13.98"]
+    creation_time: ["autoruns_13.98"]
+    file_name: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    md5_hash: ["autoruns_13.98"]
+    sha256_hash: ["autoruns_13.98"]
+    signature_valid: ["autoruns_13.98"]
+    signer: ["autoruns_13.98"]
+  timestomp:
+    creation_time: ["sysmon_13"]
+    file_path: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    previous_creation_time: ["sysmon_13"]
+    uid: ["sysmon_13"]

data_model/flow.yaml

@@ -90,3 +90,21 @@ fields:
   - name: uid
     description: User ID or SID of the flow-handling entity.
     example: S-1-5-18
+coverage_map:
+  start:
+    dest_hostname: ["sysmon_13"]
+    dest_ip: ["sysmon_13"]
+    dest_port: ["sysmon_13"]
+    exe: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    src_fdqn: ["sysmon_13"]
+    src_hostname: ["sysmon_13"]
+    src_ip: ["sysmon_13"]
+    src_port: ["sysmon_13"]
+    start_time: ["sysmon_13"]
+    transport_protocol: ["sysmon_13"]
+    uid: ["sysmon_13"]
+    user: ["sysmon_13"]

data_model/module.yaml

@@ -46,3 +46,16 @@ fields:
   - name: signature_valid
     description: Boolean indicator of whether the signature is current and not revoked
     example: true
+coverage_map:
+  load:
+    fqdn: ["sysmon_13"]
+    hostname: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    md5_hash: ["sysmon_13"]
+    module_name: ["sysmon_13"]
+    module_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sha1_hash: ["sysmon_13"]
+    signature_valid: ["sysmon_13"]
+    signer: ["sysmon_13"]
+    tid: ["sysmon_13"]

data_model/process.yaml

@@ -93,3 +93,27 @@ fields:
   - name: uid
     description: User ID under which original process is running.
     example: 509
+coverage_map:
+  access:
+    access_level: ["sysmon_13"]
+    call_trace: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    guid: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    sid: ["sysmon_13"]
+    target_guid: ["sysmon_13"]
+    target_pid: ["sysmon_13"]
+    target_name: ["sysmon_13"]
+  create:
+    command_line: ["sysmon_13"]
+    current_working_directory: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    integrity_level: ["sysmon_13"]
+    parent_command_line: ["sysmon_13"]
+    parent_guid: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    ppid: ["sysmon_13"]
+    sha256_hash: ["sysmon_13"]
+    sid: ["sysmon_13"]

data_model/registry.yaml

@@ -44,3 +44,43 @@ fields:
   - name: new_content
     description: The data within the new value, or the new name of a key, after an edit event.
     example: \%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs
+coverage_map:
+  add:
+    data: ["autoruns_13.98", "sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98", "sysmon_13"]
+    key: ["autoruns_13.98", "sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    type: ["autoruns_13.98"]
+    user: ["sysmon_13"]
+    value: ["autoruns_13.98"]
+  key_edit:
+    data: ["autoruns_13.98", "sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98", "sysmon_13"]
+    key: ["autoruns_13.98", "sysmon_13"]
+    image_path: ["sysmon_13"]
+    new_content: ["autoruns_13.98", "sysmon_13"]
+    pid: ["sysmon_13"]
+    type: ["autoruns_13.98"]
+    user: ["sysmon_13"]
+    value: ["autoruns_13.98", "sysmon_13"]
+  remove:
+    data: ["sysmon_13"]
+    fqdn: ["sysmon_13"]
+    hive: ["sysmon_13"]
+    key: ["sysmon_13"]
+    image_path: ["sysmon_13"]
+    pid: ["sysmon_13"]
+    user: ["sysmon_13"]
+  value_edit:
+    data: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    hive: ["autoruns_13.98"]
+    key: ["autoruns_13.98"]
+    new_content: ["autoruns_13.98"]
+    type: ["autoruns_13.98"]
+    value: ["autoruns_13.98"]

data_model/service.yaml

@@ -43,3 +43,16 @@ fields:
   - name: uid
     description: The ID of SID of the user who acted on the service
     example: S-1-5-18
+coverage_map:
+  create:
+    command_line: ["autoruns_13.98"]
+    exe: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["autoruns_13.98"]
+  delete:
+    command_line: ["autoruns_13.98"]
+    exe: ["autoruns_13.98"]
+    fqdn: ["autoruns_13.98"]
+    hostname: ["autoruns_13.98"]
+    image_path: ["autoruns_13.98"]