OSSEM icon indicating copy to clipboard operation
OSSEM copied to clipboard
verified publisher icon OTRF

`event_category_type` is duplicated (?)

Open weh opened this issue 3 years ago • 0 comments

I am not sure if this is a mistake, or how it should be interpreted, but event_category_type can be found twice in the event attributes:

Name Type Description Sample Value
event_category_type string A description of the event, which can help with categorization. If the vendor defines a category/grouping for its log. i.e. Zeek has a few category types for its many logs (network-protocols, network-observations, etc...). Example. sysmon event id 12 is EventType field is this. network-protocols
event_category_type string If the event contains a category, then this it. i.e For the Windows Security channel, this could be something such as Audit object access. For Zeek conn.log, this would be network-protocols. Audit Object Access

https://github.com/OTRF/OSSEM/blob/master/docs/cdm/entities/event.md?plain=1#L9-L10

weh avatar Apr 28 '22 10:04 weh