Re: [oca-architecture-wg] Architecture Workgroup material for Thursday (Our last call for 2021!)


Jason Keirstead
 

There are several key data models in wide use in the EDR space already


- OSSEM Data Model (mapped as well to ASIM / Azure Sentinel model)  https://github.com/OTRF/OSSEM-DM
- MITRE CAR Data Model - https://car.mitre.org/data_model/
 
I would advise taking a strong look at these. I am not a fan of proliferating data models; I prefer aligning to existing ones. (I wrote a whole blog series on this :) 
 
-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

 
Assistant - Mauricio Durán Cambronero (mauduran@...)

Co-Chair - Open Cybersecurity Alliance, Project Governing Board
www.opencybersecurityalliance.org
 
 
 

----- Original message -----
From: "David Kemp" <dk190a@...>
Sent by: oca-architecture-wg@...
To: oca-architecture-wg@...
Cc: oca-pgb@...
Subject: [EXTERNAL] Re: [oca-architecture-wg] Architecture Workgroup material for Thursday (Our last call for 2021!)
Date: Thu, Dec 9, 2021 1:34 PM
 
I strongly agree that models are the key to enabling cross-environment progress.  I did a tiny bit of looking into OSQuery and discovered that although they have some cross-platform models, even those have OS-specific fields that should be abstracted up to common elements and then mapped back down to the operating environment.

Models-Я-Us (the OCA Ontology subgroup) should be front and center on this part of the activity, working with EDR to prioritize needs and identify low-hanging fruit.  OpenC2 is based on the JADN information model, and I've been working with SPDX / 3T-SBOM on translating their logical model to our information model.

Thanks Dennis and Russ, this looks like a promising way forward if we can find the XDR expertise to energize development of the OCA logical model.

Regards,
Dave
 
On Tue, Dec 7, 2021 at 12:22 PM Russell Warren <russell.warren@...> wrote:

Hello All
  Dennis and I met last week and he has prepared some material (attached) for our next call.  Please pre-read the material as we are asking the group for some input on next steps.
(See attached file: OCA EDR Schema Extension - Challenges v 0.3.pptx)


Thank you
Russ and Dennis
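As an added example, not code from the thread and not OSSEM's, CAR's or OSQuery's own mappings, the following Python sketch shows the pattern David describes: OS-specific event fields abstracted up to common elements, one query written against those elements, and a mapping back down to each operating environment. The sample events and all field names are constructed for illustration.

```python
# Constructed sample events in two OS-specific shapes (field names are illustrative).
WINDOWS_EVENT = {"Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 4120,
                 "ParentProcessId": 880, "User": "CORP\\alice"}
LINUX_EVENT = {"exe": "/usr/bin/bash", "pid": 4120, "ppid": 880,
               "auid": 1000, "uid_name": "alice"}

# Per-environment mapping: common element -> OS-specific field name.
FIELD_MAPS = {
    "windows": {"process.path": "Image", "process.pid": "ProcessId",
                "process.parent_pid": "ParentProcessId", "user.name": "User"},
    "linux": {"process.path": "exe", "process.pid": "pid",
              "process.parent_pid": "ppid", "user.name": "uid_name"},
}

# Shell binaries a cross-platform rule might care about (constructed list).
SHELLS = {"cmd.exe", "powershell.exe", "bash", "sh", "zsh"}


def abstract_up(env, event):
    """Map an OS-specific event onto common elements.

    Fields with no common-element mapping are kept under "_unmapped" so the
    abstraction is explicit about what it loses instead of silently dropping it.
    """
    fmap = FIELD_MAPS[env]
    common = {c: event[s] for c, s in fmap.items() if s in event}
    mapped = set(fmap.values())
    common["_unmapped"] = {k: v for k, v in event.items() if k not in mapped}
    return common


def map_down(env, common):
    """Project common elements back to the target environment's field names.

    Only mapped elements are projected; unmapped leftovers from another
    environment are not invented for this one.
    """
    fmap = FIELD_MAPS[env]
    return {s: common[c] for c, s in fmap.items() if c in common}


def is_shell_child_of(common, parent_pid):
    """One query written once against common elements, usable on any source."""
    basename = common["process.path"].replace("\\", "/").rsplit("/", 1)[-1]
    return common["process.parent_pid"] == parent_pid and basename.lower() in SHELLS
```

The round trip `map_down(env, abstract_up(env, event))` reproduces the original event minus whatever had no common element, which is the gap the model work has to close field by field.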
