mitre-attack / car

Cyber Analytics Repository


Develop YAML format for Sensor Coverage

ikiril01 opened this issue · comments

We should develop a YAML format for capturing our sensor coverage, so it doesn't have to be done in MD/HTML.

Here's a first stab. Maybe a little too much nesting, but I was going mostly for simplicity:

```yaml
---
sensor_name: Foo
sensor_version: 1.3.2
sensor_developer: ACME Soft.
sensor_url: http://acme/foo/1.3.2
coverage:
  file:
    create:
      notes: 'sha1_hash is provided only if the tool is configured to do so.'
      fields:
        - file_name
        - file_path
        - md5_hash
        - sha1_hash
    delete:
      fields:
        - file_name
        - file_path
        - md5_hash
        - sha1_hash
  driver:
    load: none
    unload: none
  flow:
    start: none
  module:
    load: none
  process:
    create: none
  registry:
    add: none
  service:
    create: none
  thread:
    create: none
  user_session:
    local: none
```

The "final" YAML format can be seen in the Sysmon 10.4 mappings: https://github.com/mitre-attack/car/blob/master/docs/sensors/sysmon_10.4.yaml

It has changed slightly from the above, as I found using a list-based approach made it much easier to parse.
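As an added illustration (not code from the CAR project or from the issue author), the following script consumes the nested draft format shown in the first comment, not the later list-based Sysmon file. It embeds that draft as its sample input, parses it with a small stdlib-only reader for this YAML subset (block mappings, scalars, `- item` lists; no PyYAML dependency assumed), validates that every object/action entry is either `none` or a mapping with a `fields` list, and then reports which events a sensor covers and which it does not. The function names (`load_coverage`, `validate`, `covered_events`, `uncovered_events`, `fields_for`) are this example's own, not part of any CAR tooling.

```python
"""Parse the draft sensor-coverage YAML from the issue and summarise coverage.

Stdlib only: a deliberately small reader for the YAML subset the draft uses
(nested mappings, plain/quoted scalars, '- item' lists). It is not a general
YAML parser.
"""

# Sample input: the draft format posted in the issue, embedded verbatim.
SAMPLE = """---
sensor_name: Foo
sensor_version: 1.3.2
sensor_developer: ACME Soft.
sensor_url: http://acme/foo/1.3.2
coverage:
  file:
    create:
      notes: 'sha1_hash is provided only if the tool is configured to do so.'
      fields:
        - file_name
        - file_path
        - md5_hash
        - sha1_hash
    delete:
      fields:
        - file_name
        - file_path
        - md5_hash
        - sha1_hash
  driver:
    load: none
    unload: none
  flow:
    start: none
  module:
    load: none
  process:
    create: none
  registry:
    add: none
  service:
    create: none
  thread:
    create: none
  user_session:
    local: none
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _scalar(text):
    """Strip surrounding single/double quotes; everything stays a string."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    return text


def _parse_block(lines, i, indent):
    """Parse one block (mapping or list) at the given indent; return (value, next_index)."""
    result = None
    while i < len(lines):
        stripped = lines[i].strip()
        if not stripped or stripped == "---":
            i += 1
            continue
        cur = _indent(lines[i])
        if cur < indent:
            break  # block finished, caller continues at this line
        if cur > indent:
            raise ValueError(f"unexpected indentation at line {i + 1}")
        if stripped.startswith("- "):
            result = [] if result is None else result
            if not isinstance(result, list):
                raise ValueError(f"list item inside a mapping at line {i + 1}")
            result.append(_scalar(stripped[2:]))
            i += 1
            continue
        key, sep, val = stripped.partition(":")  # split on the first colon only
        if not sep:
            raise ValueError(f"expected 'key: value' at line {i + 1}")
        result = {} if result is None else result
        if not isinstance(result, dict):
            raise ValueError(f"mapping key inside a list at line {i + 1}")
        if val.strip():
            result[key.strip()] = _scalar(val)
            i += 1
        else:
            j = i + 1
            while j < len(lines) and not lines[j].strip():
                j += 1
            child_indent = _indent(lines[j]) if j < len(lines) else indent
            if child_indent <= indent:  # 'key:' with nothing nested under it
                result[key.strip()] = None
                i = j
            else:
                result[key.strip()], i = _parse_block(lines, j, child_indent)
    return result, i


def load_coverage(text):
    doc, _ = _parse_block(text.splitlines(), 0, 0)
    return doc


def validate(doc):
    """Return a list of problems; an empty list means the document is well-formed."""
    problems = []
    for key in ("sensor_name", "sensor_version", "coverage"):
        if key not in doc:
            problems.append(f"missing top-level key: {key}")
    for obj, actions in doc.get("coverage", {}).items():
        if not isinstance(actions, dict):
            problems.append(f"{obj}: expected a mapping of actions")
            continue
        for action, spec in actions.items():
            if spec == "none":
                continue
            if not isinstance(spec, dict) or not isinstance(spec.get("fields"), list):
                problems.append(f"{obj}.{action}: must be 'none' or a mapping with a 'fields' list")
    return problems


def covered_events(doc):
    """Sorted (object, action) pairs for which the sensor reports at least one field."""
    return sorted(
        (obj, action)
        for obj, actions in doc["coverage"].items()
        for action, spec in actions.items()
        if isinstance(spec, dict) and spec.get("fields")
    )


def uncovered_events(doc):
    """Sorted (object, action) pairs explicitly marked 'none'."""
    return sorted(
        (obj, action)
        for obj, actions in doc["coverage"].items()
        for action, spec in actions.items()
        if spec == "none"
    )


def fields_for(doc, obj, action):
    spec = doc["coverage"].get(obj, {}).get(action)
    return list(spec.get("fields", [])) if isinstance(spec, dict) else []


if __name__ == "__main__":
    d = load_coverage(SAMPLE)
    print("problems:", validate(d) or "none")
    print("covered:", covered_events(d))
    print("uncovered:", uncovered_events(d))
    print("file/create fields:", fields_for(d, "file", "create"))
```

The coverage summary is the useful part for analytic authors: before relying on an analytic that keys on, say, `sha1_hash` for `file/create`, `fields_for` tells you whether this sensor emits it at all, and the `notes` entry survives in the parsed mapping so the conditional-coverage caveat is not lost.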