diff --git a/STIX_external_reference/readme.md b/STIX_external_reference/readme.md index 4a0d3fd..2591543 100644 --- a/STIX_external_reference/readme.md +++ b/STIX_external_reference/readme.md @@ -20,29 +20,71 @@ ## Windows Security Event Object -**Type Name:** windows-security-evt +**Type Name:** x-windows-security-evt ## Properties -| Property Name | Type | Description | -| --------------- | ---------- | -------------------------------------------------------- | -| type (required) | string | The value of this property MUST be windows-security-evt. | -| id | identifier | The ID of a secuity type | -| level | integer | | -| task | integer | | -| opcode | integer | | -| created | timestamp | | -| record | integer | | -| process | integer | | -| thread | integer | | -| computer | string | The ID of the computer | -| user | string | The security user ID | +| Property Name | Type | Description | +| ------------------ | ---------- | -------------------------------------------------------- | +| type (required) | string | The value of this property MUST be windows-security-evt. | +| id (required) | identifier | The ID of a secuity type | +| level | integer | | +| task | integer | | +| opcode | integer | | +| created (required) | timestamp | | +| record | integer | | +| process | integer | | +| thread | integer | | +| computer | string | The name of the computer | +| user | string | The security user ID | +| belongs_to_ref | identity | The relation describes that the source is a part of file | ## Relationships -| Embedded Relationships | | -| ---------------------- | ---------- | -| created_by_ref | identifier | +| Source | Relationship Type | Target | Description | +| ------ | ----------------- | ------ | ----------- | + +```json +{ + "type": "x-windows-security-evt", + "spec_version": "2.1", + "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2016-04-06T20:03:00.000Z", + "level": 0, + "opcode": 0, + "record": 1101704, + "proces": 58, + "thread": 511, + "Computer": "DC01.contoso.local", + "belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a" +} +``` + +## Browser History Record Object + +**Type Name:** x-browser-history-record + +## Properties + +| Property Name | Type | Description | +| ------------------ | ----------------------- | ----------------------------------------------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be browser-history | +| id (required) | identifier | The ID of a browser history record | +| url | string | | +| title | string | The title of a web page has been visited | +| visit-time | timestamp | | +| visit-count | integer | The number of times visited | +| browser-type | identifier | The values for this property SHOULD come from the browser-type-ov open vocabulary. | +| file-requested_ref | identifier | The ID of the file the requst requested | +| computer | string | The name of the computer | +| user-account | identifier | The user-account that is associated with record | +| belongs_to_ref | list of type identifier | The source of object. The objects referenced in this list MUST be of type file or artifact (e.g., cache, memory). | + +## Relationships + +| Source | Relationship Type | Target | Description | +| ------ | ----------------- | ------ | ----------- | ```json { @@ -56,11 +98,33 @@ "record": 1101704, "proces": 58, "thread": 511, - "Computer": "DC01.contoso.local" + "Computer": "DC01.contoso.local", + "belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a" } ``` -references: +## Browser Type Open Vocabulary + +Vocabulary Name: browser-type-ov + +| ocabulary Value | Description | +| --------------- | ------------------------------ | +| chrome | Google chrome browser | +| ie | Internet explore | +| edge | Microsoft Edge | +| firefox | Mozilla Firefox | +| safari | Apple Safari | +| chromium | Open source Chrome alternative | +| opera | | +| maxthon | | +| brave | | +| 360-secure | 360 Secure Browser | +| tor | | +| other | | + +# references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608 - [Event Logging Structures](https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-structures?redirectedfrom=MSDN) +- https://github.com/libyal/libevt/blob/main/documentation/Windows%20Event%20Log%20(EVT)%20format.asciidoc +- https://github.com/williballenthin/python-evtx