From c8ce4814527c703313baf0463edf60413c928fc7 Mon Sep 17 00:00:00 2001 From: Frank Xu Date: Fri, 29 Jan 2021 21:34:08 -0500 Subject: [PATCH] add stix --- STIX_for_digital_forensics/readme.md | 65 ++++++++++++++++++++++------ 1 file changed, 51 insertions(+), 14 deletions(-) diff --git a/STIX_for_digital_forensics/readme.md b/STIX_for_digital_forensics/readme.md index 37a84d1..d6f3d74 100644 --- a/STIX_for_digital_forensics/readme.md +++ b/STIX_for_digital_forensics/readme.md @@ -1,4 +1,4 @@ -# Cyber-observable Objects for Digital Forensics +# STIX for Digital Forensics The goal of the project is to customize STIX™ for facilitating the sharing of Cyber Forensic Intelligence as well as building the foundations for automated digital forensic investigations. The extension includes: @@ -62,10 +62,10 @@ The WIndow Event object represents an event generated by Windows OS, including a | ---------------------- | ---------- | ----------------------------------------------------------------------------------------- | | type (required) | string | The value of this property MUST be windows-security-evt. | | id (required) | identifier | The ID of a secuity type. | -| log_name (required) | enum | The value of this property MUST come from the log-nam-enum enumeration. | -| logged_time (required) | timestamp | | -| source | string | | -| event_id | integer | | +| event_category | enum | The value of this property MUST come from the windows-event-category-enum enumeration. | +| created_time | timestamp | Specified the time the event was created. | +| source | string | Specifies the source/provideer of a event. | +| event_id | integer | Specifies a type of event. | | task_category | string | | | computer | string | The name of the computer. | | user_account_ref | identifier | The user account that is associated with the evewnt. | 
@@ -76,7 +76,7 @@ The WIndow Event object represents an event generated by Windows OS, including a | Source | Relationship Type | Target | Description | | ------ | ----------------- | ------ | ----------- | -### Windows Event Log Name Enumeration +### Windows Event Category Enumeration **Enumeration Name:** windows-event-log-name-enum 
@@ -88,21 +88,50 @@ The WIndow Event object represents an event generated by Windows OS, including a | system | | | forwarded-events | | -### Examples +### Example 1: describes a "logon" event recorded in the security event file. + +```json +[ + { + "type": "x-windows-evt", + "spec_version": "2.1", + "id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "event_category": "security", + "created_time": "2021-01-06T20:03:00.000Z", + "source": "Microsoft Windows security auditing.", + "event_id": "4624", + "task_category ": "Logon", + "computer": "ryzen3790-xu", + "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb", + "saved_to_ref": "file--79e0da61-48e2-4552-874f-83d74262f39d" + }, + { + "type": "file", + "spec_version": "2.1", + "id": "file--79e0da61-48e2-4552-874f-83d74262f39d", + "hashes": { + "SHA-256": "fe90a7e910cb3a4739bed9180e807e93fa70c90f25a8915476f5e4bfbac681db" + }, + "size": 4518, + "name": "security.evt" + } +] +``` + +### Example 2: describes a system event generated by CD-Rom ```json { "type": "x-windows-evt", "spec_version": "2.1", "id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "log_name": "security", - "logged_time": "2021-01-06T20:03:00.000Z", - "source": "Microsoft Windows security auditing.", - "event_id": "4624", - "task_category ": "Logon", - "computer": "ryzen3790-xu", + "event_category": "system", + "created_time": "2021-01-06T20:03:00.000Z", + "source": "cdrom.", + "event_id": "16388", + "computer": "informant-PC", "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb", - "saved_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a" + "saved_to_ref": "file--e2dd9934-e6aa-440a-9d51-21ccf990c4f5" } ``` @@ -652,6 +681,12 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has ] ``` +--- + +## Property Extension for Windows™ Registry Key Object + +``` + ## threat-actor-type-ov external reference | Vocabulary Value | Description | 
@@ -696,3 +731,5 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has ``` ``` + +```
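Review bot: in the `@@ -62,10 +62,10 @@` hunk the two properties that were marked `(required)` (`log_name`, `logged_time`) are replaced by `event_category` and `created_time` without the `(required)` marker, so the table no longer mandates any property saying which log the event came from or when it occurred; if that is intentional, say so, otherwise keep `(required)` on the replacements. The new description cells also carry typos ("Specified the time" should read "Specifies the time", "provideer" should read "provider", "a event" should read "an event"), and `event_category` points at `windows-event-category-enum` while the enumeration defined below is still named `windows-event-log-name-enum`. Separately, the unchanged `type (required)` row still says the value MUST be `windows-security-evt`, but both examples added later in this patch use `"type": "x-windows-evt"`; one of the two needs to change.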
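Review bot: in the `@@ -76,7 +76,7 @@` hunk the heading is renamed to "Windows Event Category Enumeration" but the `**Enumeration Name:** windows-event-log-name-enum` line directly beneath it is left as context, so the heading, the enumeration identifier and the property table's reference (`windows-event-category-enum`) now disagree; rename the identifier in the same change so that consumers resolving the enum name from the table find it.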
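Review bot: in the `@@ -88,21 +88,50 @@` hunk Example 1 and Example 2 describe two different events yet reuse the same object id `x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f` and the same `saved_to_ref`-style pattern of copied values; STIX ids are meant to be unique per object, so Example 2 should get its own UUID. The keys `"task_category "` and `"user_account_ref "` are carried over from the deleted lines with a trailing space inside the quotes, which makes them different property names from the `task_category` and `user_account_ref` declared in the table, and `"event_id": "4624"` / `"event_id": "16388"` are JSON strings while the table declares `event_id` as `integer`. Two smaller points: Example 1 wraps its objects in a JSON array while Example 2 is a bare object, and the headings would read better as `### Example 1: a "logon" event recorded in the security event file` rather than `### Example 1: describes a ...`.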
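Review bot: in the `@@ -652,6 +681,12 @@` hunk the new "Property Extension for Windows™ Registry Key Object" section opens a ``` fence with nothing inside it and no closing fence before the following `## threat-actor-type-ov external reference` heading, so in rendered Markdown that heading and its vocabulary table will be swallowed into a code block. If the registry-key extension is a placeholder, a one-line note to that effect is clearer than an empty fence; otherwise close the fence in the same hunk.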
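Review bot: in the `@@ -696,3 +731,5 @@` hunk the lone ``` appended at the end of the file appears to compensate for the unclosed fence opened in the registry-key section rather than fix it; once that earlier fence is removed or closed, this trailing fence becomes unbalanced itself and should be dropped. The file now ends with three consecutive fence lines, which is a good prompt to check that every example block above opens and closes exactly once.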