config.yaml

#----------------------------- BASIC CONFIGURATION --------------------------------------
#Log-sources input directory, see the dataset example (cadets,trace,theia,fivedirections) 
input-dir: experiment/input/cadets/

#Minimum log line number to be processed (minimum 1)
line-number: 100000

#Save the output in RDF and .HDT (true/false)
backup-file: true

#Output directory, any output file (.rdf/hdt) will be stored in this folder 
output-dir: experiment/output/

#----------------------------- TARGETED TRIPLE STORE AND NAMEGRAPH ------------------------
#This option requires a triplestore (currently Krystal support GraphDB) installed.
#for GraphDB, Krystal requires a repository to be created beforehand
#Option for storing output data to the triplestore (true/false)
live-store: true

#Triple Store type (e.g., graphdb, virtuoso)
triple-store: graphdb

#Endpoint for storing rdf output to triple Store
#For GraphDB, sparql-endpoint can be access via http://localhost:7200/repositories/<repository-name>
sparql-endpoint: http://localhost:7200/repositories/Krystal

#Namegraph of the RDF graph on the triplestore (the output filename will be generated based on this namegraph
namegraph: http://w3id.org/sepses/graph/cadets

#----------------------------- SYSTEM SETTING -------------------------------------------
#Jena TDB directory, this directory is required for storing jena TDB temporary file
tdb-dir: experiment/tdb

#Directory for Krystal Ontology 
ontology: experiment/ontology/log-ontology.ttl

#OS platform of the log sources, (e.g. ubuntu14 for cadets, trace ; freebsd for theia ; windows for fivedirections)
os-platform: ubuntu14

#----------------------------- THREAT DETECTION TECHNIQUES -------------------------------
#List of possible threat detection techniques, set to "true" to apply otherwise set to "false"
tag-propagation: true

#Setting tag-attenuation into true requires tag-propagation to be true 
tag-attenuation: true
ab: 0.2 #attenuation value for benign
ae: 0.1 #attenuation value for suspect  

#Setting tag-decay into true requires tag-propagation to be true 
tag-decay: true
period: 0.25 #decay half live (second)
tb: 0.75 #quiescent tag values for benign
te: 0.45 #aquiescent tag values for suspect

#Setting policy-based-rule into true requires tag-propagation and tag-attenuation-decay to be true 
policy-based-rule: true

#Signature base detection, currently it only supports rule detection from Sigma Rule 
signature-based-rule: true 

#Sigma rule directory for linux 
rule-dir : experiment/rule/

#Sigma rule directory for windows
rule-dir-win : experiment/rule_win/ 

#----------------------------- CONFIDENTIAL DIRECTORY -------------------------------
#List of any confidential directory on the targetted hosts / logsources 
#These will be used as  initialization of confidentiality score in tag-propagation technique during provenance graph building)
confidential-dir:
 - /etc/passwd
 - /var/log
 - /etc/shadow
 - /documents/

 #----------------------------- AUDIT EVENTS-----------------------------------------
#List of any events from audit data that need to be included in the provenance graph building. 
#Event filter for log processing (filter only the uncommented events (event with #))
field-filter:
 #- EVENT_FORK
 - EVENT_EXIT
 - EVENT_MPROTECT
 - EVENT_LOGIN
 #- EVENT_CLONE
 #- EVENT_LOADLIBRARY
 #- EVENT_EXECUTE
 - EVENT_ACCEPT
 - EVENT_RECVMSG
 - EVENT_SENDMSG
 #- EVENT_SENDTO
 #- EVENT_MODIFY_FILE_ATTRIBUTES
 - EVENT_CHECK_FILE_ATTRIBUTES
 - EVENT_RENAME
 #- EVENT_RECVFROM
 - EVENT_MODIFY_PROCESS
 - EVENT_CHANGE_PRINCIPAL
 - EVENT_LINK
 - EVENT_UNLINK
 - EVENT_CLOSE
 - EVENT_SIGNAL
 - EVENT_OPEN
 #- EVENT_READ
 #- EVENT_WRITE
 - EVENT_MMAP
 - EVENT_CREATE_OBJECT
 - EVENT_LSEEK
 - EVENT_FCNTL
 - EVENT_RECVMSG
 - EVENT_BIND
 - EVENT_OTHER
 - EVENT_CONNECT
 - EVENT_TRUNCATE
 - EVENT_ADD_OBJECT_ATTRIBUTE