{"id":13454280,"url":"https://github.com/OTRF/OSSEM","last_synced_at":"2025-03-24T05:33:39.151Z","repository":{"id":41852810,"uuid":"123052690","full_name":"OTRF/OSSEM","owner":"OTRF","description":"Open Source Security Events Metadata (OSSEM)","archived":false,"fork":false,"pushed_at":"2023-02-27T02:58:11.000Z","size":57351,"stargazers_count":1237,"open_issues_count":16,"forks_count":214,"subscribers_count":107,"default_branch":"master","last_synced_at":"2024-10-29T21:02:10.541Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OTRF.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-02-27T01:09:15.000Z","updated_at":"2024-10-22T21:39:16.000Z","dependencies_parsed_at":"2022-09-07T17:22:24.444Z","dependency_job_id":"40a34f34-3f8d-47a4-adcb-e831435862a3","html_url":"https://github.com/OTRF/OSSEM","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OTRF%2FOSSEM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OTRF%2FOSSEM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OTRF%2FOSSEM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OTRF%2FOSSEM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OTRF","download_url":"https://codeload.github.com/OTRF/OSSEM/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245217403,"owners_count":20579291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T08:00:52.558Z","updated_at":"2025-03-24T05:33:36.431Z","avatar_url":"https://github.com/OTRF.png","language":"Python","readme":"# Open Source Security Events Metadata (OSSEM)\n\n[![Open Source Love](https://badges.frapsoft.com/os/v3/open-source.svg?v=103)](https://github.com/ellerbrock/open-source-badges/)\n![Open_Threat_Research Community](https://img.shields.io/badge/Open_Threat_Research-Community-brightgreen.svg)\n[![Twitter](https://img.shields.io/twitter/follow/OSSEM_Project.svg?style=social\u0026label=Follow)](https://twitter.com/OSSEM_Project)\n\nA community-led project focused primarily on the documentation, standardization and modeling of security event logs.\n\n\u003cimg src=\"resources/images/OSSEM_logo.png\" width=300\u003e\n\n## https://ossemproject.com/intro.html\n\n# Goals\n\n* Define and share a common data moel in order to improve the data standardization and transformation of security event logs\n* Define and share data structures and relationships identified in security events logs\n* Provide detailed information in a dictionary format about several security event logs to the community\n* Learn more about security event logs (Windows, Linux, MacOS, Azure, AWS, etc)\n\n# Project Structure\n\n* [Data Dictionaries (DD)](https://github.com/OTRF/OSSEM-DD):\n  * Contains specific information about several security event logs organized by operating system and their respective data providers.\n  * Each dictionary describes a single event log and its corresponding field names.\n  * It provides the foundational concepts to create a data wiki in an organization.\n* [Common Data Model (CDM)](https://github.com/OTRF/OSSEM-CDM)\n  * Facilitates the normalization of data by providing a standard way to parse security event logs.\n  * The project is organized by [schema entities](https://github.com/OTRF/OSSEM-CDM/tree/master/schemas/entities) identified in several data sources.\n  * The definitions of each schema entity and its respective attributes (field names) are mostly general descriptions that could help and expedite event logs parsing procedures.\n  * The project also provides the concept of [schema tables](https://github.com/OTRF/OSSEM-CDM/tree/master/schemas/tables) to aggregate common entities and parse similar data sources. For example, HTTP, Port and User Agent entities can be used to normalize network traffic metadata captured in a network environment.\n* [Detection Model (DM)](https://github.com/OTRF/OSSEM-DM):\n  * Focuses on identifying [relationships](https://github.com/OTRF/OSSEM-DM/tree/main/relationships) among security events to facilitate the development of data analytics and help validate the detection of adversary techniques.\n\n# Sponsors\n\n[\u003cimg src=\"https://user-images.githubusercontent.com/9653181/148482477-a2e88cec-dac5-4372-a3fc-e568e47b237f.png\" width=\"250\" vspace=\"10\"/\u003e](https://www.tines.com/?utm_source=oss\u0026utm_medium=sponsorship\u0026utm_campaign=Cyb3rWard0g)\n\n# Author\n\n* Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g)\n\n# Current Committers\n\n* Jose Luis Rodriguez [@Cyb3rPandaH](https://twitter.com/Cyb3rPandaH)\n* Nate Guagenti [@neu5ron](https://twitter.com/neu5ron)\n* Ricardo Dias [@hxnoyd](https://twitter.com/hxnoyd)\n\n# Projects Using OSSEM\n\n* [HELK](https://github.com/Cyb3rWard0g/HELK)\n* [Azure Sentinel Normalization](https://docs.microsoft.com/en-us/azure/sentinel/normalization-schema)\n\n# Resources\n\n* [Ready to hunt? First, Show me your data!](https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html)\n* [What's new in Windows 10, versions 1507 and 1511](https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bkmk-lsass)\n* [Download Security Audit Events for Windows (Spreadsheet)](https://www.microsoft.com/en-us/download/details.aspx?id=50034)\n* [Advanced Security Audit Policy Settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings)\n* [Monitoring Active Directory for Signs of Compromise](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise#audit-account-management)\n* [Audit Policy Recommendations](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations)\n* [Use Windows Event Forwarding to help with intrusion detection](https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection)\n* [Minimum recommended minimum audit policy](https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection#a-href-idbkmk-appendixaaappendix-a---minimum-recommended-minimum-audit-policy)\n* [Windows ITPro Docs - Threat Protection](https://github.com/MicrosoftDocs/windows-itpro-docs/tree/master/windows/security/threat-protection)\n* [MITRE ATT\u0026CKcon 2018: Hunters ATT\u0026CKing with the Data](https://youtu.be/QCDBjFJ_C3g)\n* [MITRE ATT\u0026CKcon 2.0: Ready to ATT\u0026CK? Bring Your Own Data (BYOD) and Validate Your Data Analytics!](https://youtu.be/eM0c_Gil-38)\n* [Defining ATT\u0026CK Data Sources, Part I: Enhancing the Current State](https://medium.com/mitre-attack/defining-attack-data-sources-part-i-4c39e581454f)\n* [Defining ATT\u0026CK Data Sources, Part II: Operationalizing the Methodology](https://medium.com/mitre-attack/defining-attack-data-sources-part-ii-1fc98738ba5b)\n","funding_links":[],"categories":["Threat Detection and Hunting","Python","Synopsis"],"sub_categories":["Resources","Table of Contents"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOTRF%2FOSSEM","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOTRF%2FOSSEM","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOTRF%2FOSSEM/lists"}