Hey, I saw that feedback was asked for regarding contributing. I'm the author of a tool, Grapl:
https://github.com/insanitybit/grapl
I've decided to adopt a schema that is heavily based on the CIM description here (it's in a branch currently), with only minor changes to support a bit more of a 'graph' feel. As two examples,
Instead of 'process_path' being an attribute of a process, it is an edge from a ProcessNode to a FileNode
Instead of having attributes of a parent process be inline with the child process, I just have a ProcessNode, with an edge from parent to child
So it's mostly just a subset.
I chose this over CAR for a few reasons - I found the naming to be more general, and I liked that things such as digital signatures were attached to files, and not processes.
I thought this feedback might be of interest to you. Thanks for putting this project together.
I will say though, I hope that this stabilizes soon. If it takes a long time I will probably end up not bothering to make any breaking updates, and it would be a shame to diverge.
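The two schema changes described in this post (process_path as an edge from a ProcessNode to a FileNode, and parent/child as an edge between two ProcessNodes) are easiest to see in code. The following is an added illustration written for this thread, not Grapl's or OSSEM's own code: it takes a few constructed, flat CIM-style process-creation records and turns them into nodes and edges, so that a file's hash and signature live on one shared FileNode rather than being copied onto every process. The node and edge names (ProcessNode, FileNode, process_path, parent_of), the placeholder handling for a parent that was never observed, and the creation/termination timestamps are assumptions made for the example.

```python
"""Added example: mapping flat CIM-style process records onto a small graph.

Illustrative code written for this thread, not Grapl's or OSSEM's own code.
Field names loosely follow the CIM naming in the discussion; node and edge
names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample events in a flat, CIM-like shape (not real telemetry).
# Two cmd.exe processes share one on-disk binary and one parent.
EVENTS = [
    {"process_guid": "p1", "process_name": "explorer.exe",
     "process_path": r"C:\Windows\explorer.exe",
     "process_parent_guid": "p0", "process_parent_name": "userinit.exe",
     "hash_sha256": "aaa-constructed", "signed": True, "event_creation_time": 100},
    {"process_guid": "p2", "process_name": "cmd.exe",
     "process_path": r"C:\Windows\System32\cmd.exe",
     "process_parent_guid": "p1", "process_parent_name": "explorer.exe",
     "hash_sha256": "bbb-constructed", "signed": True, "event_creation_time": 110},
    {"process_guid": "p3", "process_name": "cmd.exe",
     "process_path": r"C:\Windows\System32\cmd.exe",
     "process_parent_guid": "p1", "process_parent_name": "explorer.exe",
     "hash_sha256": "bbb-constructed", "signed": True, "event_creation_time": 120},
]


@dataclass
class FileNode:
    """A file on disk; hash and signature state belong here, not on a process."""
    path: str
    sha256: str
    signed: bool


@dataclass
class ProcessNode:
    """A single process instance, with its own lifetime."""
    guid: str
    name: str
    created: Optional[int] = None
    terminated: Optional[int] = None


class Graph:
    def __init__(self) -> None:
        self.processes: dict[str, ProcessNode] = {}
        self.files: dict[str, FileNode] = {}
        # Directed, labelled edges: (source id, label, destination id).
        self.edges: set[tuple[str, str, str]] = set()

    def add_process_create(self, ev: dict) -> ProcessNode:
        proc = ProcessNode(ev["process_guid"], ev["process_name"], ev["event_creation_time"])
        self.processes[proc.guid] = proc

        # process_path becomes an edge to a FileNode shared by every process
        # launched from the same path, so file-level facts are stored once.
        path = ev["process_path"]
        if path not in self.files:
            self.files[path] = FileNode(path, ev["hash_sha256"], ev["signed"])
        self.edges.add((proc.guid, "process_path", path))

        # Parent attributes are not copied inline; the parent is its own node.
        # If the parent was never observed (started before collection began),
        # create a placeholder node so the edge still has an endpoint.
        parent = ev.get("process_parent_guid")
        if parent is not None:
            if parent not in self.processes:
                self.processes[parent] = ProcessNode(parent, ev.get("process_parent_name", "<unknown>"))
            self.edges.add((parent, "parent_of", proc.guid))
        return proc

    def add_process_terminate(self, guid: str, when: int) -> bool:
        """Record termination time on an existing node; False if never seen."""
        if guid not in self.processes:
            return False
        self.processes[guid].terminated = when
        return True

    def children(self, guid: str) -> list[str]:
        return sorted(dst for src, label, dst in self.edges if src == guid and label == "parent_of")

    def processes_for_file(self, path: str) -> list[str]:
        return sorted(src for src, label, dst in self.edges if dst == path and label == "process_path")


def build_graph(events: list[dict] = EVENTS) -> Graph:
    g = Graph()
    for ev in events:
        g.add_process_create(ev)
    return g


if __name__ == "__main__":
    g = build_graph()
    print(len(g.processes), "process nodes,", len(g.files), "file nodes")
    print("children of p1:", g.children("p1"))
    print("processes backed by cmd.exe:", g.processes_for_file(r"C:\Windows\System32\cmd.exe"))
```

Three input records yield four process nodes (the unobserved parent p0 becomes a placeholder) and only two file nodes, and a question like "which processes ran from this binary" is a one-edge traversal rather than a scan over duplicated attributes.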
Hey @insanitybit, sorry for the late response. I would love to know how we can help. Also, what do you mean by "stabilizes soon"? You mean not Alpha anymore? If you believe something needs to be updated, please submit a PR, and I can provide some feedback too. The short term goal was to document a few data sources and document relationships among events of the same or different data sources (i.e. Windows Sysmon and Security). The next step is to validate the CIM, and also test a few applications on top of OSSEM such as graphing, then prototype all that with HELK.
Hey, looking at the CIM more, it would be great if the Process CIM included information like the creation and termination times of the process. I can open a new issue for this if you'd like?