
Added the is_alert flag to the dictionary, the security_control profile and detection_finding class #1178

Merged
merged 12 commits into from
Sep 27, 2024

Conversation


@pagbabian-splunk pagbabian-splunk commented Sep 13, 2024

Related Issue: 1177

Description of changes:

Added an attribute, is_alert, that indicates that an event is an alertable signal, either determined by a security product monitoring activities, via the Security Control profile, or by an analytic process on one or more events, via the Detection Finding class.

Note that not all findings are alertable signals, for example detection_findings have Update and Close activities that likely would not be alertable, while Create activities might be.

In addition, added the confidence and risk family of attributes to the Security Control profile, and a missing risk_details attribute to data_security_finding.

Earlier versions of the PR, and Issue #1177, referred to the is_alert attribute as is_detection, but the meanings of the two are not the same; in particular, state changes in detection_finding, while they are finding events, are not themselves new detections warranting any signaling (unless an incident management system wants to issue update alerts, as one example).

…profile, and the detection_finding class.

Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk pagbabian-splunk changed the title Added the is_detection flag to the dictionary, the security_conttrol … Added the is_detection flag to the dictionary, the security_conttrol profile and detection_finding class Sep 13, 2024
@pagbabian-splunk pagbabian-splunk changed the title Added the is_detection flag to the dictionary, the security_conttrol profile and detection_finding class Added the is_detection flag to the dictionary, the security_control profile and detection_finding class Sep 13, 2024
@irakledibm

What is the purpose of this flag? Isn't a security alert a result of the detection?

@pagbabian-splunk

Yes, it is. However, there are two ways to model an 'alert' or detection, yet there was the assumption that there was only Detection Finding (which was added post 1.0). Originally security alerts were modeled by combining the Security Control profile with the associated Activity event that was being monitored by the security control product. Those are the typical alerts coming from firewalls and AV products. Findings were the result of known analytics, usually coming from a SIEM or UBA type of product, and often analyzing multiple events.

The purpose of this flag is_detection is to tie the two types of detections together from a query perspective. All Detection Findings are detections, and most but not all Security Control activities are detections. This is because Security Control was expanded to apply to access control activities, starting with its applications to Web Resource Activity. Not all 'Actions' of Allowed or Denied would constitute detections.

This came up via a Slack question on how to model alerts from Suricata, followed by some assumptions that all alerts (not just network alerts) needed to be Detection Findings (due to the name, possibly). I will make this a topic for this week.
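The PR description and the comment above describe two routes by which an OCSF event can be an alertable signal (an activity event carrying the security_control profile, or a detection_finding from an analytic) and the is_alert flag that lets a consumer select both with one predicate. The following is an added example of such a consumer-side query, not OCSF project code: the event dicts are constructed samples shaped loosely like OCSF JSON (only the attributes the example reads are present), and the helper names alert_route, alertable, alerts_by_route and check_is_alert are this example's own, not part of the schema.

```python
"""Added example (not OCSF project code): one query over both alert routes.

Route 1: an activity event that carries the security_control profile
         (firewall / AV / IDS verdict on a monitored activity).
Route 2: a detection_finding produced by an analytic over one or more events.
Both carry the boolean is_alert, so alerts can be selected with a single
predicate instead of reasoning about class, activity and action.
"""
from typing import Dict, Iterable, List, Optional

# Constructed sample events (not real telemetry); attribute values are illustrative.
SAMPLE_EVENTS: List[Dict] = [
    {   # IDS-style alert: monitored traffic with the security_control profile applied
        "class_name": "Network Activity",
        "activity_name": "Traffic",
        "action": "Denied",
        "metadata": {"profiles": ["security_control"]},
        "is_alert": True,
    },
    {   # Plain access-control decision on a web resource: allowed, not a detection
        "class_name": "Web Resource Activity",
        "activity_name": "Read",
        "action": "Allowed",
        "metadata": {"profiles": ["security_control"]},
        "is_alert": False,
    },
    {   # New detection from a SIEM/UBA analytic: alertable
        "class_name": "Detection Finding",
        "activity_name": "Create",
        "metadata": {"profiles": []},
        "is_alert": True,
    },
    {   # Analyst closes that finding: a state change, not a new detection
        "class_name": "Detection Finding",
        "activity_name": "Close",
        "metadata": {"profiles": []},
        "is_alert": False,
    },
    {   # Producer that predates the attribute: no is_alert at all
        "class_name": "Network Activity",
        "activity_name": "Traffic",
        "metadata": {"profiles": []},
    },
]


def alert_route(event: Dict) -> Optional[str]:
    """Which of the two modelling routes could make this event an alert, if any."""
    if event.get("class_name") == "Detection Finding":
        return "finding"
    if "security_control" in event.get("metadata", {}).get("profiles", []):
        return "control"
    return None


def alertable(events: Iterable[Dict]) -> List[Dict]:
    """Select alertable signals with one predicate, whatever their route.

    Only an explicit True counts: a missing flag (older producers) is not an alert.
    """
    return [e for e in events if e.get("is_alert") is True]


def alerts_by_route(events: Iterable[Dict]) -> Dict[str, int]:
    """Count alertable signals per route, e.g. for a dashboard split."""
    counts = {"finding": 0, "control": 0}
    for event in alertable(events):
        route = alert_route(event)
        if route is not None:
            counts[route] += 1
    return counts


def check_is_alert(event: Dict) -> List[str]:
    """Consistency checks a consumer can run on inbound events.

    The PR defines is_alert only on the security_control profile and the
    detection_finding class, so the flag on any other event is a producer bug.
    """
    problems: List[str] = []
    if "is_alert" not in event:
        return problems
    if not isinstance(event["is_alert"], bool):
        problems.append("is_alert must be a boolean")
    if alert_route(event) is None:
        problems.append("is_alert set on an event that is neither a detection_finding "
                        "nor carries the security_control profile")
    return problems


if __name__ == "__main__":
    for e in alertable(SAMPLE_EVENTS):
        print(f"ALERT via {alert_route(e)}: {e['class_name']} / {e['activity_name']}")
    print(alerts_by_route(SAMPLE_EVENTS))
```

Note that alertable() treats only an explicit True as an alert: events from producers that predate the attribute fall through, which is the safe default for a schema addition marked non-breaking, and check_is_alert() flags the flag's presence on classes where the PR does not define it.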

@irakledibm

It could be determined from related_analytics and data_sources; however, I guess there is no harm in having a flag.

@pagbabian-splunk pagbabian-splunk added enhancement New feature or request findings Issues related to Findings Category non_breaking Non Breaking, backwards compatible changes v1.4.0 or later Changes marked for versions beyond v1.3.0 of OCSF labels Sep 17, 2024
irakledibm
irakledibm previously approved these changes Sep 25, 2024
Added the risk and confidence attributes to Security Control
Added the risk_details attribute to Data Security Finding
Adjusted the common attributes with Security Control to add profile: null

Signed-off-by: Paul Agbabian <[email protected]>
…ng and security_control.

Signed-off-by: Paul Agbabian <[email protected]>
@pagbabian-splunk pagbabian-splunk changed the title Added the is_detection flag to the dictionary, the security_control profile and detection_finding class Added the is_alert flag to the dictionary, the security_control profile and detection_finding class Sep 26, 2024
mikeradka
mikeradka previously approved these changes Sep 27, 2024
…ode the description and of firewall_rule.

Signed-off-by: Paul Agbabian <[email protected]>

@irakledibm irakledibm left a comment


lgtm


@Aniak5 Aniak5 left a comment


Great additions!

@floydtree
Copy link
Contributor

I resolved this conversation, in favor of a quick followup PR to update the description of is_alert in detection finding class. Everything else in this PR looks great.

@floydtree floydtree self-requested a review September 27, 2024 18:45
@floydtree floydtree merged commit a2e0442 into main Sep 27, 2024
3 checks passed
@floydtree floydtree deleted the is_detection branch September 27, 2024 18:45