How do I model a detection? #1177
Comments
|
Thanks for structuring the conversation around this topic, Paul.
In this light, a Detection Finding feels like a bundle of individual events (
This requires quite some mental flexibility in order to see a "control action" something like a SOAR dispatch trigger. I actually like the word "action" much better, as it simply signifies that something has acted upon something else. The world "control" feels from a firewall era where inline security measures were the norm. So perhaps we should consider a different name? More importantly, though, it seems that this profile is currently the only way to "alertify" existing events. By injecting the profile, we obtain the judgement from the thing that worked on the event. Since many detection tools operate by tagging/flagging events, I expect seems that escalating a regular event through profile injection a standard use case. Suricata alerts, for instance, work exactly like this. They basically attach an alert record to a regular event. In OCSF, it would be nice to have a standard procedure where we can capture the alert details through the injected events. This is currently ill-supported. For example, the alert message would have to put in the Base Event's message field. I see two options: adding a new profile that is geared towards alertification, or enhancing the Security Control profile.
I find this confusing, as it feels like a tautology—at least for the Detection Finding. The name of the event implies that it's a detection. While I see where you are coming from, I would expect newcomers to have a hard time with these semantics. Perhaps we can have an enumeration type, with |
|
Good comments Matthias - I will make this a topic for this week's call. To some extent, having As for it being confusing, it might be at first, but a query for any event where |
|
A few thoughts from me on this proposal...
This is not the impression given by the description for
Detections often arise not from a single activity but rather from a sequence of activities. This means that embedding information about a single activity would lack generality anyway. The I think that the existence of multi-activity detections weakens the case for a "this activity is malicious" flag. An approach based on flagging a single activity cannot describe a multi-activity detection. This could lead to inconsistent and/or overly complex implementations because a vendor might decide to set the Applying the A final concern about this proposal is that the usefulness of the |
|
Good thoughts Dave, thanks. Yes, this approach isn't perfect - however, note thqt this came about because Matthias found that Detection Finding could not model the outputs of Suricata, he needed the activity data of source, destination, ports etc. that the Network Activity classes offer. The Security Control profile was designed for this purpose, and when I pointed this out to him, it solved his initial problem. Before we had profiles, we had sibling 'Alert' classes for every Activity class in System and Network. Note that originally there was not the Similarly, there was a EDR activities and verdicts and judgements were never inteded to be Security Control profile events - unless they are also acting as control points - i.e. blocking activities. Therefore, I wouldn't discredit the Hence, tying these different types of detections together. Querying them is simpler if there is something that is common and until now, the original activity overlay approach is lost with I am not married to this approach, what I am against is using Lastly, In any case, this is a topic for tomorrow's weekly call as it has caused quite a stir - hope you can join. |
|
Regarding |
|
Yes in fact I was updating the PR to do exactly that, but I haven’t pushed
it until we discuss today.
Paul (from my mobile device)
…On Tue, Sep 17, 2024 at 3:47 AM Dave McCormack ***@***.***> wrote:
Regarding action_id and disposition_id, I wasn't aware of the
significance of the No Action value for the latter. That does make the
Security profile more suitable for use in non-enforcing contexts. Might
it be even clearer though to have an explicit None entry in the action_id
enum? It's a little contradictory for the disposition_id to say that No
Action has been taken and for the action_id to say that the activity was
Allowed.
—
Reply to this email directly, view it on GitHub
<#1177 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AS5LBZTPD3WKM7Q3QCWJF3TZXACCTAVCNFSM6AAAAABOGETUQKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNJVGI4TENZZGI>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
I recommend producing one or two good concrete scenarios with real world example data, ideally from multiple cross-domain producers, to hang this entire conversation on and demonstrate. Without examples, it's hard for me to follow or provide substantive feedback. |
|
I have to be honest, the "alertification" of activities using the Security Control profile is not something I would have expected. In my head, ALL alerts would be represented by Detection Findings that, possibly, point to one or more events using Considering that, no wonder I was struggling to find a spot for alert "details". Across the domains of endpoint, network, email and identity, alone, the possible set of alert details is large but I thought the intent of I was unable to attend the last Thursday call. Was any consensus reached? |
…le and detection_finding class (#1178) #### Related Issue: 1177 #### Description of changes: Added an attribute, `is_alert` that indicates that an event is an alertable signal, either determined by a security product monitoring activities, via the `Security Control` profile, or by an analytic process on one or more events via the `Detection Finding` class. Note that not all findings are alertable signals, for example `detection_finding`s have Update and Close activities that likely would not be alertable, while Create activities might be. In addition, added the `confidence` and `risk` family of attributes to the `Security Control` profile, and a missing `risk_details` attribute to `data_security_finding`. Earlier versions of the PR, and the Issue #1177 were referring to the `is_alert` attribute as `is_detection` but the meaning of the two are not the same, in particular state changes in `detection_finding` while `finding` events, are not themselves new detections warranting any signaling (unless an incident management system wants to issue update alerts as one example). --------- Signed-off-by: Paul Agbabian <[email protected]> Co-authored-by: Rajas <[email protected]>
There has been some discussion and confusion on how to represent a security detection in OCSF. One obvious approach is to use the
Detection Findingclass, however it isn't appropriate for all types of detections: it was designed for events representing analytics systems such as SIEMs where in general there are many events, not all themselves detections, behind the finding, and those events may all have different activities. While theevidencesarray can hold auxiliary information that the detection may have affected, or artifacts that may be causal to the detection, theDetection Findingdoes not directly give any information about a single activity that signaled the detection. These are usually thought of as security alerts, although we avoid the name alert in the schema as one product's alert output may be another consuming product's event. A detection is more general.The
Security Controlprofile is intended to augment activities that are monitored by a security product, either a detection point like an IDS, or an enforcement point like a firewall or anti-malware solution. The profile is added directly onto the activity classes, such as theSystem ActivityandNetwork Activityclasses, thereby directly preserving the underlying activities, for example detection of malware when a file is opened, or denial of a connection when opened. Thedispositionof the event, added by the profile, reflects the outcome of the activity that was monitored by the security control. For example, the file open may be blocked when malware is detected, or the file might be quarantined.Note that the profile can also be applied to
Detection Finding(andData Security Finding) in the cases where the analytic against the events also produced some type of control action. In the case of a SIEM, it might be running a SOAR playbook or other action.The issue with having these two approaches is that an analyst wants to know about any detection, regardless of how it was determined. One approach would be to query for the
Security Controlprofile, but not allDetection Findingsneed the profile, yet they are still detections by their very name.The solution proposed is simple: add a new attribute,
is_detection, to the profile and to theDetection Findingclass. When an event or a finding is a detection, it is set to true. In the case ofDetection Findingthis should always be the case. For most other events that are augmented by the profile, due to the event stemming from a security product control point,is_detectionshould also be set totrue.A top level query of all events where
is_detection = truewould return any "alerts" as well as any detection findings.The
Security Controlprofile can also be used for non-detection oriented controls, such as access control onApplication Activity. In this case,is_detectionwould be set tofalse.The text was updated successfully, but these errors were encountered: