Examples mappings

mapping-examples/security-datasets/GoldenSAML/GoldenSAML_AADAuditEvents.yaml

@@ -0,0 +1,59 @@
+# SecurityDatasets GoldenSAML AADAuditEvents.json to OSCF mapping
+
+
+time: TimeGenerated
+
+
+# endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+device: &endpoint
+    uid: TenantId
+
+
+# https://schema.ocsf.io/1.1.0/objects/http_request
+http_request:
+    user_agent: UserAgent
+
+
+# https://schema.ocsf.io/1.1.0/objects/managed_entity
+entity:
+    uid:
+        - targetId
+        - ModifiedApplicationObjectId
+    type:
+        - targetType
+        - Type
+    name:
+        - targetDisplayName
+        - ModifiedApplication
+    data: TargetResources
+
+
+actor:
+    user:
+        endpoint: *endpoint
+        uid: InitiatedBy.user.id
+        name: InitiatedBy.user.userPrincipalName
+
+
+# https://schema.ocsf.io/1.2.0/classes/user_access
+privileges: Permissions
+
+
+type_uid:
+    native_field: OperationName
+    native_value:
+        300403: # Entity Management: Update
+            - "Update application – Certificates and secrets management "
+            - "Update application"
+        300501: # User Access Management: Assign Privileges
+            - "Add delegated permission grant"
+
+type_name: OperationName
+
+status_id:
+  - native_field: Result
+    native_value:
+        1: # Success
+            - "success"
+        2: # Failure
+            - "failure"

mapping-examples/security-datasets/GoldenSAML/GoldenSAML_Microsoft365DefenderEvents.yaml

@@ -0,0 +1,125 @@
+# SecurityDatasets GoldenSAML Microsoft365DefenderEvents.json to OSCF mapping
+
+
+time: Timestamp
+
+
+# endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+device: &endpoint
+    hostname: DeviceName
+    uid: DeviceId
+
+
+file: &file
+    endpoint: *endpoint
+    name: FileName
+
+
+# https://schema.ocsf.io/1.1.0/objects/process
+process:
+    endpoint: *endpoint
+    cmd_line: ProcessCommandLine
+    pid: ProcessId
+    uid: ProcessId
+    hash:
+        md5: MD5
+        sha1: SHA1
+        sha256: SHA256
+
+
+actor:
+    process:
+        endpoint: *endpoint
+        cmd_line: InitiatingProcessCommandLine
+        pid: InitiatingProcessId
+        uid: InitiatingProcessId
+        parent_process:
+            endpoint: *endpoint
+            pid: InitiatingProcessParentId
+            uid: InitiatingProcessParentId
+            file:
+                name: InitiatingProcessParentFileName
+        file:
+            name: InitiatingProcessFileName
+            path: InitiatingProcessFolderPath
+            hash:
+                md5: InitiatingProcessMD5
+                sha1: InitiatingProcessSHA1
+                sha256: InitiatingProcessSHA256
+            parent_folder:
+                native_field: InitiatingProcessFolderPath
+                native_op: LIKE
+                native_value: winpath_startswith
+                ocsf_value: dirname
+    user:
+        endpoint: *endpoint
+        uid: InitiatingProcessAccountSid
+        name: InitiatingProcessAccountName
+        domain: InitiatingProcessAccountDomain
+
+
+# src_endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+src_endpoint:
+    ip: IPAddress
+    port: Port
+
+
+# dst_endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+dst_endpoint:
+    hostname: DestinationDeviceName
+    ip: DestinationIPAddress
+    port: DestinationPort
+
+
+# https://schema.ocsf.io/1.1.0/objects/user
+user:
+    domain: AccountDomain
+    name: AccountName
+    uid: AccountSid
+
+
+# https://schema.ocsf.io/1.1.0/objects/http_request
+http_request:
+    user_agent: UserAgent
+
+
+# https://schema.ocsf.io/1.1.0/objects/query_info
+query_info:
+    uid: ReportId_long
+    attr_list: AdditionalFields_string.AttributeList
+    search_filter: AdditionalFields_string.SearchFilter
+
+
+# https://schema.ocsf.io/1.1.0/objects/managed_entity
+entity:
+    uid: ReportId_long
+    data: ActivityObjects
+
+
+# https://schema.ocsf.io/1.2.0/classes/user_access
+privileges: Permissions
+
+
+# https://schema.ocsf.io/1.1.0/classes/base_event
+# Base Event
+type_uid:
+    native_field: ActionType
+    native_value:
+        300403: # Entity Management: Update
+            - "MailItemsAccessed"
+        300501: # User Access Management: Assign Privileges
+            - "Add delegated permission grant."
+        600504: # Datastore Activity: Query
+            - "LdapSearch"
+        600599: # Datastore Activity: Other
+            - "Directory Services replication"
+
+type_name: ActionType
+
+status_id:
+  - native_field: RawEventData.ResultStatus
+    native_value:
+        1: # Success
+            - "Succeeded"
+        2: # Failure
+            - "Failed"

mapping-examples/security-datasets/GoldenSAML/GoldenSAML_OfficeActivityEvents.yaml

@@ -0,0 +1,46 @@
+# SecurityDatasets GoldenSAML AADAuditEvents.json to OSCF mapping
+
+
+time: TimeGenerated
+
+
+# endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+device: &endpoint
+    uid: TenantId
+
+
+# src_endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+src_endpoint:
+    ip: Client_IPAddress
+    port: Client_Port
+
+
+# https://schema.ocsf.io/1.1.0/objects/managed_entity
+entity:
+    uid: MailboxGuid
+    type: Type
+    data: Folders
+
+
+actor:
+    user:
+        endpoint: *endpoint
+        uid: LogonUserSid
+        name: UserId
+
+
+type_uid:
+    native_field: Operation
+    native_value:
+        300403: # Entity Management: Update
+            - "MailItemsAccessed"
+
+type_name: Operation
+
+status_id:
+  - native_field: ResultStatus
+    native_value:
+        1: # Success
+            - "Succeeded"
+        2: # Failure
+            - "Failed"

mapping-examples/security-datasets/GoldenSAML/GoldenSAML_WindowsEvents.yaml

@@ -0,0 +1,144 @@
+# SecurityDatasets GoldenSAML WindowsEvents.json to OSCF mapping
+
+time: TimeGenerated
+
+# endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+device: &endpoint
+    hostname:
+        native_field: Computer
+        ocsf_value: lowercase
+    uid: _ResourceId
+
+
+file: &file
+    endpoint: *endpoint
+    name: PipeName
+    type_id:
+        native_field: EventID
+        native_value:
+            6: 18
+
+
+# https://schema.ocsf.io/1.1.0/objects/process
+process: &process
+    endpoint: *endpoint
+    name:
+        native_field: Image
+        native_op: LIKE
+        native_value: winpath_endswith
+        ocsf_value: basename
+    pid:
+        native_field: ProcessId_dynamic
+        ocsf_value: to_int
+    uid: ProcessGuid
+    file:
+        name:
+            native_field: Image
+            native_op: LIKE
+            native_value: winpath_endswith
+            ocsf_value: basename
+        path: Image
+        parent_folder:
+            native_field: Image
+            native_op: LIKE
+            native_value: winpath_startswith
+            ocsf_value: dirname
+
+
+# src_endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+src_endpoint: &src_ref
+    ip: SourceAddress
+    port:
+        - native_field: SourcePort
+          ocsf_value: to_int
+        # normalized by ingestion
+        #- native_field: IpPort
+        #  ocsf_value: to_int
+
+
+# dst_endpoint: see https://schema.ocsf.io/1.1.0/objects/endpoint
+dst_endpoint: &dst_ref
+    ip: DestAddress
+    port:
+        - native_field: DestPort
+          ocsf_value: to_int
+
+
+# https://schema.ocsf.io/1.1.0/objects/user
+user: &user
+    endpoint: *endpoint
+    domain: TargetDomainName
+    name: TargetUserName
+    uid: TargetUserSid
+
+
+# https://schema.ocsf.io/1.2.0/objects/managed_entity?extensions=
+entity:
+    uid: ObjectName
+    type: ObjectType
+    data: Properties
+
+
+# https://schema.ocsf.io/1.1.0/classes/authentication?extensions=win
+# Authentication [3002]
+auth_protocol: AuthenticationPackageName
+logon_type_id:
+    - native_field: LogonType
+      ocsf_value: to_int
+
+
+# https://schema.ocsf.io/1.1.0/classes/base_event
+# Base Event
+type_uid:
+    native_field: EventID
+    native_value:
+        100101: # File System Activity: Create
+            - 11   # Sysmon: FileCreate
+        100701: # Process Activity: Launch
+            - 1    # Sysmon: Process creation
+            - 4688 # Security: Process Create
+        100702: # Process Activity: Terminate
+            - 5    # Sysmon: Process termindated
+            - 4689
+        100703: # Process Activity: Open
+            - 10   # Sysmon: ProcessAccess
+        100704: # Process Activity: Inject
+            - 8    # Sysmon: CreateRemoteThread
+        300201: # auth: logon (success and failure)
+            - 4624 # Security: An account was successfully logged on.
+            - 4625 # Security: An account failed to log on.
+        300400: # Entity Management: Unknown
+            - 4662 # Security: An operation was performed on an object.
+        400101: # Network Activity: Open
+            - 3    # Sysmon: Network connection
+            - 5156 # Security: The Windows Filtering Platform has permitted a connection.
+        100114: # File System Activity: Open
+            - 18   # Sysmon: Pipe connected
+        100799: # Process Activity: Other
+            - 501  # Desktop Window Manager is experiencing heavy resource contention
+
+type_name:
+    native_field: EventID
+    native_value:
+        Pipe connected: 18
+        An account was successfully logged on: 4624
+        An account failed to log on: 4625
+        An operation was performed on an object: 4662
+        Desktop Window Manager is experiencing heavy resource contention: 501
+        The Windows Filtering Platform has permitted a connection: 5156
+
+status_id:
+  - native_field: event.code
+    native_value:
+        1: # Success
+            - 4624 # Security: An account was successfully logged on.
+        2: # Failure
+            - 4625 # Security: An account failed to log on.
+
+
+actor:
+    process: *process
+    user:
+        domain: SubjectDomainName
+        name: SubjectUserName
+        uid: SubjectUserSid