Commit 298d497

Update RootA_Specification.md
1 parent 051598c commit 298d497

File tree

1 file changed

+2
-2
lines changed

RootA_Specification.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -262,7 +262,7 @@ Format: `text (max 128 characters)`
262262

263263
Required: *optional*
264264

265-
Description: ?????
265+
Description: A category is used when disparate data sources provide the same type of event logging. For instance, Microsoft Windows 4688 & Sysmon Event ID 1 both provide process creation logs and share many of the same fields. Therefore, we can write and consume rules written generally for "process_creation" instead of rules written specifically for exact data sources. The same goes for most firewalls, proxies, etc.
266266

267267
Example: `category: process_creation`
268268
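Review bot: The description leaves the `category` vocabulary undefined, so two rule authors could label the same log type differently (for example "process_creation" vs. "process_create") and a consumer matching on category would silently miss one; state whether the set of category names is fixed by the specification or free-form, and where the canonical list lives. Two smaller points in the same paragraph: "Microsoft Windows 4688" should name the log it comes from for parity with "Sysmon Event ID 1" (e.g. "Windows Security Event ID 4688"), and since the field stays `Required: *optional*` it would help to say whether a rule must carry at least one of `category` or `service` to be matchable at all.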

@@ -273,7 +273,7 @@ Format: `text (max 128 characters)`
273273

274274
Required: *optional*
275275

276-
Description: ?????
276+
Description: A service is used when a distinct data source exists for the relevant event logs. As an example, Amazon Cloudtrail eventing is specific to AWS. You generally cannot use a rule made for one service against another data source.
277277

278278
Example: `service: apache`
279279
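Review bot: The prose example (CloudTrail) and the field example (`service: apache`) do not line up, which is a missed chance to show the service/category boundary the two hunks are drawing; either add `service: cloudtrail` alongside the Apache example or use Apache in the description as well. Also fix the product name: "Amazon Cloudtrail eventing" should read "AWS CloudTrail events". As with `category`, say whether `service` values come from a maintained list or are free text, since "cannot use a rule made for one service against another data source" only holds if consumers can rely on consistent naming.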
