Key change to be in line with OSSEM-DM

* event_code --> event_id
* title --> name

aws/README.yml

@@ -1,4 +1,4 @@
-title: Amazon Web Services(AWS) Event Logs
+name: Amazon Web Services(AWS) Event Logs
 description: Data dictionaries for AWS DataSources
 images: []
 references:
@@ -13,4 +13,4 @@ references:
 - text: AWS Elastic Load Balancer Access Logs
   link: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
 - text: AWS Route53 DNS Logs
-  link: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html
+  link: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html

aws/events/cloudtrail.yml

@@ -1,8 +1,8 @@
-title: Cloudtrail
+name: Cloudtrail
 description: AWS CloudTrail Log format common schema
 platform: aws
 log_source: cloudtrail
-event_code: cloudtrail
+event_id: cloudtrail
 event_version: '1.05'
 event_fields:
 - standard_name: TBD

aws/events/elb_access_logs.yml

@@ -1,8 +1,8 @@
-title: Elastic Load Balancing(ELB) Access Logs
+name: Elastic Load Balancing(ELB) Access Logs
 description: Elastic Load Balancing(ELB) Access Event Schema
 platform: aws
 log_source: elb_access_logs
-event_code: elb_access
+event_id: elb_access
 event_version: '0'
 event_fields:
 - standard_name: TBD

aws/events/route53_dns_logs.yml

@@ -1,8 +1,8 @@
-title: AWS Route 53 DNS Logs
+name: AWS Route 53 DNS Logs
 description: AWS Route 53 DNS Log format common schema
 platform: aws
 log_source: route53_dns_log
-event_code: route53_dns
+event_id: route53_dns
 event_version: '1'
 event_fields:
 - standard_name: TBD

aws/events/s3_server_access_logs.yml

@@ -1,8 +1,8 @@
-title: S3 Server Access Logs
+name: S3 Server Access Logs
 description: S3 Server Access Log format common schema.
 platform: aws
 log_source: s3_server_access_log
-event_code: s3_server_access
+event_id: s3_server_access
 event_version: '0'
 event_fields:
 - standard_name: TBD

aws/events/security_finding_format.yml

@@ -1,8 +1,8 @@
-title: Security Finding Format(SFF)
+name: Security Finding Format(SFF)
 description: AWS Security Finding Format common schema.
 platform: aws
 log_source: security_finding_format
-event_code: security_finding_format
+event_id: security_finding_format
 event_version: '0'
 event_fields:
 - standard_name: TBD
@@ -21,7 +21,7 @@ event_fields:
   standard_type: TBD
   name: Confidence
   type: integer
-  description: "A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.Confidence is scored on a 0\u2013100 basis using a ratio scale, where 0 means zero-percent confidence and 100 means 100-percent confidence.However, a data exfiltration detection based on a statistical deviation of network traffic has a much lower confidence because an actual exfiltration hasn't been verified."
+  description: "A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.Confidence is scored on a 0–100 basis using a ratio scale, where 0 means zero-percent confidence and 100 means 100-percent confidence.However, a data exfiltration detection based on a statistical deviation of network traffic has a much lower confidence because an actual exfiltration hasn't been verified."
   sample_value: '42'
 - standard_name: TBD
   standard_type: TBD
@@ -33,7 +33,7 @@ event_fields:
   standard_type: TBD
   name: Criticality
   type: integer
-  description: "The level of importance that is assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.  Criticality is scored on a 0\u2013100 basis, using a ratio scale that supports only full integers. This means that you should assess not only which findings impact resources that are more critical than others but also how much more critical those resources are compared to other resources. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources."
+  description: "The level of importance that is assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.  Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. This means that you should assess not only which findings impact resources that are more critical than others but also how much more critical those resources are compared to other resources. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources."
   sample_value: '99'
 - standard_name: TBD
   standard_type: TBD
@@ -177,7 +177,7 @@ event_fields:
   standard_type: TBD
   name: VerificationState
   type: string
-  description: "The veracity of a finding. Findings products can provide the value of UNKNOWN for this field. A findings product should provide this value if there is a meaningful analog in the findings product's system. This field is typically populated by a user determination or action after they have investigated a finding.Valid values:* UNKNOWN \u2013 The default disposition of a security finding unless a user changes it.* TRUE_POSITIVE \u2013 A user sets this value if the security finding has been confirmed.* FALSE_POSITIVE \u2013 A user sets this value if the security finding has been determined to be a false alarm.* BENIGN_POSITIVE \u2013 A user sets this value as a special case of TRUE_POSITIVE where the finding doesn't   pose any threat, is expected, or both"
+  description: "The veracity of a finding. Findings products can provide the value of UNKNOWN for this field. A findings product should provide this value if there is a meaningful analog in the findings product's system. This field is typically populated by a user determination or action after they have investigated a finding.Valid values:* UNKNOWN – The default disposition of a security finding unless a user changes it.* TRUE_POSITIVE – A user sets this value if the security finding has been confirmed.* FALSE_POSITIVE – A user sets this value if the security finding has been determined to be a false alarm.* BENIGN_POSITIVE – A user sets this value as a special case of TRUE_POSITIVE where the finding doesn't   pose any threat, is expected, or both"
   sample_value: TRUE_POSITIVE
 - standard_name: TBD
   standard_type: TBD
@@ -189,7 +189,7 @@ event_fields:
   standard_type: TBD
   name: "WorkflowState (deprecated)"
   type: string
-  description: "This field is being deprecated in favor of the Status field of the Workflow object.The workflow state of a finding. Findings products can provide the value of NEW for this field. A findings product can provide a value for this field if there is a meaningful analog in the findings product's system.Valid values:* NEW \u2013 This can be associated with findings in the Active record state. This is the default workflow state for any new finding.* ASSIGNED \u2013 This can be associated with findings in the Active record state.   The finding has been acknowledged and given to someone to review or address.* IN_PROGRESS \u2013 This can be associated with findings in the Active record state. Team members are actively working on the finding.* RESOLVED \u2013 This can be associated with findings in the Archived record state.   This differs from DEFERRED findings in that if the finding were to occur again (be updated by the native service)   or any new finding matching this, the finding appears to customers as an active, new finding.* DEFERRED \u2013 This can be associated with findings in the Archived record state, and it means that any additional findings   that match this finding aren't shown for a set amount of time or indefinitely.  Either the customer doesn't consider the finding to be applicable, or it's a known issue that they don't want to include   in the active dataset.* DUPLICATE \u2013 This can be associated with findings in the Archived record state.   It means that the finding is a duplicate of another finding."
+  description: "This field is being deprecated in favor of the Status field of the Workflow object.The workflow state of a finding. Findings products can provide the value of NEW for this field. A findings product can provide a value for this field if there is a meaningful analog in the findings product's system.Valid values:* NEW – This can be associated with findings in the Active record state. This is the default workflow state for any new finding.* ASSIGNED – This can be associated with findings in the Active record state.   The finding has been acknowledged and given to someone to review or address.* IN_PROGRESS – This can be associated with findings in the Active record state. Team members are actively working on the finding.* RESOLVED – This can be associated with findings in the Archived record state.   This differs from DEFERRED findings in that if the finding were to occur again (be updated by the native service)   or any new finding matching this, the finding appears to customers as an active, new finding.* DEFERRED – This can be associated with findings in the Archived record state, and it means that any additional findings   that match this finding aren't shown for a set amount of time or indefinitely.  Either the customer doesn't consider the finding to be applicable, or it's a known issue that they don't want to include   in the active dataset.* DUPLICATE – This can be associated with findings in the Archived record state.   It means that the finding is a duplicate of another finding."
   sample_value: NEW
 references:
 - text: AWS Security Finding Format (ASFF) Syntax

aws/events/vpc_flow_log.yml

@@ -1,8 +1,8 @@
-title: VPC Flow Logs
+name: VPC Flow Logs
 description: VPC Flow Log format common schema.
 platform: aws
 log_source: vpc_flow_log
-event_code: vpc_flow
+event_id: vpc_flow
 event_version: '2'
 event_fields:
 - standard_name: TBD

azure/README.yml

@@ -1,4 +1,4 @@
-title: Azure Event Logs
+name: Azure Event Logs
 description: Data dictionaries for Azure
 images: []
 references:
@@ -11,4 +11,4 @@ references:
 - text: AADServicePrincipalSigninLogs
   link: https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs
 - text: AuditLogs
-  link: https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs
+  link: https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/auditlogs

azure/events/AuditLogs.yml

@@ -1,8 +1,8 @@
-title: Audit log for Azure Active Directory
+name: Audit log for Azure Active Directory
 description: Audit logs for Azure AD which includes system activity information about user and group management managed applications and directory activities.
 platform: azure
 log_source: auditlogs
-event_code: auditlogs
+event_id: auditlogs
 event_version: ''
 event_fields:
 - standard_name: TBD
@@ -22,7 +22,7 @@ event_fields:
   name: ActivityDateTime
   type: datetime
   description: "Date and time the activity was performed in UTC."
-  sample_value:  2021-08-03T18:48:33.8527147Z
+  sample_value: 2021-08-03T18:48:33.852715Z
 - standard_name: TBD
   standard_type: TBD
   name: ActivityDisplayName
@@ -34,7 +34,7 @@ event_fields:
   name: AdditionalDetails
   type: dynamic
   description: "Indicates additional details on the activity."
-  sample_value: | 
+  sample_value: |
     [
       {
         "key":"User-Agent",
@@ -76,7 +76,7 @@ event_fields:
   name: InitiatedBy
   type: dynamic
   description: "User or app initiated the activity."
-  sample_value: | 
+  sample_value: |
     {
       "app":
         {
@@ -208,7 +208,7 @@ event_fields:
   name: TimeGenerated
   type: datetime
   description: "The date and time of the event in UTC"
-  sample_value:  2021-08-03T18:48:33.8527147Z
+  sample_value: 2021-08-03T18:48:33.852715Z
 - standard_name: TBD
   standard_type: TBD
   name: Type

azure/events/aad_managedidentity_signinlogs.yml

@@ -1,8 +1,8 @@
-title: Managed Identity Signin Logs
+name: Managed Identity Signin Logs
 description: Managed identity Azure Active Directory sign-in logs.
 platform: azure
 log_source: aadmanagedidentitysigninlogs
-event_code: aadmanagedidentitysigninlogs
+event_id: aadmanagedidentitysigninlogs
 event_version: ''
 event_fields:
 - standard_name: TBD
@@ -152,7 +152,7 @@ event_fields:
   name: TimeGenerated
   type: datetime
   description: "The date and time of the event in UTC"
-  sample_value:  2021-08-03T18:48:33.8527147Z
+  sample_value: 2021-08-03T18:48:33.852715Z
 - standard_name: TBD
   standard_type: TBD
   name: Type
@@ -162,4 +162,4 @@ event_fields:
 references:
 - text: Azure AADManagedIdentitySigninLogs schema
   link: https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs
-tags: []
+tags: []

azure/events/aad_noninteractiveuser_signinlogs.yml

@@ -1,8 +1,8 @@
-title: Non-interactive user Signin Logs
+name: Non-interactive user Signin Logs
 description: Non-interactive Azure Active Directory sign-in logs from user..
 platform: azure
 log_source: aadnoninteractiveuserigninlogs
-event_code: aadnoninteractiveuserigninlogs
+event_id: aadnoninteractiveuserigninlogs
 event_version: ''
 event_fields:
 - standard_name: TBD
@@ -28,7 +28,7 @@ event_fields:
   name: AuthenticationDetails
   type: string
   description: "The result of the authentication attempt and additional details on the authentication method."
-  sample_value: | 
+  sample_value: |
     [ 
         {
           "authenticationStepDateTime":"2018-11-06T18:48:03.8313489Z",
@@ -168,7 +168,7 @@ event_fields:
   name: IsRisky
   type: bool
   description: "Indicates if a sign-in is considered risky or not"
-  sample_value: null  
+  sample_value:
 - standard_name: TBD
   standard_type: TBD
   name: Level
@@ -314,13 +314,13 @@ event_fields:
   name: RiskState
   type: string
   description: "Risky user state"
-  sample_value: "none"    
+  sample_value: "none"
 - standard_name: TBD
   standard_type: TBD
   name: SignInEventTypes
   type: string
   description: 'The types that are associated with the sign-in. Examples include "interactive", "refreshToken", "managedIdentity", "continuousAccessEvaluation" and many more'
-  sample_value: null
+  sample_value:
 - standard_name: TBD
   standard_type: TBD
   name: SourceSystem
@@ -332,7 +332,7 @@ event_fields:
   name: Status
   type: dynamic
   description: "Details of the sign-in status"
-  sample_value: {"errorCode":0}
+  sample_value: {"errorCode": 0}
 - standard_name: TBD
   standard_type: TBD
   name: TenantId
@@ -344,13 +344,13 @@ event_fields:
   name: TimeGenerated
   type: datetime
   description: "The date and time of the event in UTC"
-  sample_value:  2021-08-03T18:48:33.8527147Z
+  sample_value: 2021-08-03T18:48:33.852715Z
 - standard_name: TBD
   standard_type: TBD
   name: TokenIssuerName
   type: string
   description: "Name of the identity provider (e.g. sts.microsoft.com )"
-  sample_value: null
+  sample_value:
 - standard_name: TBD
   standard_type: TBD
   name: TokenIssuerType

azure/events/aad_serviceprincipal_signinlogs.yml

@@ -1,8 +1,8 @@
-title: Service Principal Signin Logs
+name: Service Principal Signin Logs
 description: Azure authentication signin logs for Service Principals common schema.
 platform: azure
 log_source: aadserviceprincipalsigninlogs
-event_code: aadserviceprincipalsigninlogs
+event_id: aadserviceprincipalsigninlogs
 event_version: ''
 event_fields:
 - standard_name: TBD
@@ -146,7 +146,7 @@ event_fields:
   name: TimeGenerated
   type: datetime
   description: "The date and time of the event in UTC"
-  sample_value:  2021-08-03T18:48:33.8527147Z
+  sample_value: 2021-08-03T18:48:33.852715Z
 - standard_name: TBD
   standard_type: TBD
   name: Type

azure/events/signinlogs.yml

@@ -1,8 +1,8 @@
-title: Signin Logs
+name: Signin Logs
 description: Azure authentication signin logs common schema.
 platform: azure
 log_source: signinlogs
-event_code: signinlogs
+event_id: signinlogs
 event_version: ''
 event_fields:
 - standard_name: TBD
@@ -34,7 +34,7 @@ event_fields:
   name: AuthenticationDetails
   type: string
   description: "The result of the authentication attempt and additional details on the authentication method."
-  sample_value: | 
+  sample_value: |
     [ 
       {
         "authenticationStepDateTime":"2018-11-06T18:48:03.8313489Z",
@@ -192,7 +192,7 @@ event_fields:
   name: IsRisky
   type: bool
   description: "Indicates if a sign-in is considered risky or not"
-  sample_value: null
+  sample_value:
 - standard_name: TBD
   standard_type: TBD
   name: Level
@@ -296,7 +296,7 @@ event_fields:
   name: ResourceProvider
   type: string
   description: ""
-  sample_value: null
+  sample_value:
 - standard_name: TBD
   standard_type: TBD
   name: ResourceTenantId
@@ -368,7 +368,7 @@ event_fields:
   name: ServicePrincipalName
   type: string
   description: "Service Principal Name of the service principal who initiated the sign-in"
-  sample_value: null
+  sample_value:
 - standard_name: TBD
   standard_type: TBD
   name: SignInIdentifier
@@ -380,7 +380,7 @@ event_fields:
   name: SignInIdentifierType
   type: string
   description: ""
-  sample_value: null
+  sample_value:
 - standard_name: TBD
   standard_type: TBD
   name: SourceSystem
@@ -392,19 +392,19 @@ event_fields:
   name: Status
   type: dynamic
   description: "Details of the sign-in status"
-  sample_value: {"errorCode":0}
+  sample_value: {"errorCode": 0}
 - standard_name: TBD
   standard_type: TBD
   name: TimeGenerated
   type: datetime
   description: "The date and time of the event in UTC"
-  sample_value:  2021-08-03T18:48:33.8527147Z
+  sample_value: 2021-08-03T18:48:33.852715Z
 - standard_name: TBD
   standard_type: TBD
   name: TokenIssuerName
   type: string
   description: "Name of the identity provider (e.g. sts.microsoft.com )"
-  sample_value: null
+  sample_value:
 - standard_name: TBD
   standard_type: TBD
   name: TokenIssuerType

cowrie/README.yml

@@ -1,4 +1,4 @@
-title: Cowrie Event Logs
+name: Cowrie Event Logs
 description: 'Data dictionaries for logs from the [Cowrie honeypot](https://github.com/cowrie/cowrie).'
 images: []
 references: