-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added the is_alert flag to the dictionary, the security_control profile and detection_finding class #1178
Conversation
…profile, and the detection_finding class. Signed-off-by: Paul Agbabian <[email protected]>
Signed-off-by: Paul Agbabian <[email protected]>
What is the purpose of this flag? Isn't a security alert a result of the detection? |
Yes, it is. However there are two ways to model an 'alert' or detection, yet there was the assumption that there was only Detection Finding (which was added post 1.0). Originally security alerts were modeled by combining Security Control profile with the associated Activity event that was being monitored by the security control product. Those are the typical alerts coming from firewalls and AV products. Findings were the result of known analytics, usually coming from a SIEM or UBA type of product, and often analyzing multipile events. The purpose of this flag This came up via a Slack question, on how to model alerts from Suricata, followed by some assumptions that all alerts (not just network alerts) needed to be Detection Findings (due to the name possibly). I will make this a topic for this week. |
It could be determined from related_analytics and data_sources, however I guess there is no harm in having a flag. |
Signed-off-by: Paul Agbabian <[email protected]>
…tection Signed-off-by: Paul Agbabian <[email protected]>
…to is_detection Signed-off-by: Paul Agbabian <[email protected]>
Added the risk and confidence attributes to Security Control Added the ris_details attribute to Data Security Finding Adjusted the common attributes with Security Control to add profile: null Signed-off-by: Paul Agbabian <[email protected]>
…ng and security_control. Signed-off-by: Paul Agbabian <[email protected]>
Signed-off-by: Paul Agbabian <[email protected]>
Signed-off-by: Paul Agbabian <[email protected]>
…ode the description and of firewall_rule. Signed-off-by: Paul Agbabian <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgfm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great additions!
I resolved this conversation, in favor of a quick followup PR to update the description of |
Related Issue: 1177
Description of changes:
Added an attribute,
is_alert
that indicates that an event is an alertable signal, either determined by a security product monitoring activities, via theSecurity Control
profile, or by an analytic process on one or more events via theDetection Finding
class.Note that not all findings are alertable signals, for example
detection_finding
s have Update and Close activities that likely would not be alertable, while Create activities might be.In addition, added the
confidence
andrisk
family of attributes to theSecurity Control
profile, and a missingrisk_details
attribute todata_security_finding
.Earlier versions of the PR, and the Issue #1177 were referring to the
is_alert
attribute asis_detection
but the meaning of the two are not the same, in particular state changes indetection_finding
whilefinding
events, are not themselves new detections warranting any signaling (unless an incident management system wants to issue update alerts as one example).