threat fields #505
threat fields #505
Conversation
added threat fields
|
Also, please make sure to run a full Right now CI is failing because |
|
Works for me Mike (was thinking the same thing but was unsure of which to
separate) - I'll update today
…On Tue, Aug 13, 2019 at 9:46 AM Mike Paquette ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In schemas/threat.yml
<#505 (comment)>:
> +
+ - name: severity
+ level: extended
+ type: keyword
+ short: Severity of the threat as identified by the observer/ threat intel feed
+ description: >
+ Typically a qualitative description of the risk associated with the observed threat or IOC
+ example: high
+
+ - name: confidence
+ level: extended
+ type: keyword
+ short: Predicted accuracy of the threat identification
+ description: >
+ Typically a qualitative description of the confidence that the threat identification is correct
+ example: medium
@dainperkins <https://github.com/dainperkins> I would prefer that we add
fields threat.tactic.reference and threat.technique.reference to hold
hyperlinks to reference material, rather than including the URL in the
description field. I also suggest that we use a .name and .id for each
tactic and technique, as listed in #291
<#291>, so that would give us:
- threat.tactic.id
- threat.tactic.name
- threat.tactic.reference
- threat.technique.id
- threat.technique.name
- threat.technique.reference
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#505?email_source=notifications&email_token=AJMZFSPDQFRPX3YLQ2D3LELQEK3LDA5CNFSM4IF32FJKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCBMWBKA#discussion_r313404687>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AJMZFSLGFPBMHFWDWDPGEG3QEK3LDANCNFSM4IF32FJA>
.
|
|
Removed the lowercase, and updated the desc in the newest version
…On Tue, Aug 13, 2019 at 9:46 AM Mike Paquette ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In schemas/threat.yml
<#505 (comment)>:
> + level: extended
+ type: keyword
+ short: Name or classification of the threat detected or reported
+ description: >
+ Threat name as reported by system or intel provider
+
+ The field value must be normalized to lowercase for querying. See
+ the documentation section "Implementing ECS".
+ example: ntp reserved mode denial of service
+
+ - name: tactic
+ level: extended
+ type: keyword
+ short: Mitre ATT&CK Matrix tactic
+ description: >
+ The Mitre ATT&CK Matrix Tactic categorization of the identified threat
@webmat <https://github.com/webmat> @dainperkins
<https://github.com/dainperkins> I think ECS should not "require" the
MITRE ATT&CK framework, but should allow it, and as @webmat
<https://github.com/webmat> suggests, making this explicit in the
descriptions of the fields.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#505?email_source=notifications&email_token=AJMZFSJMJ4IVW6EFRTXFKBDQEK3KJA5CNFSM4IF32FJKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCBMWAEA#discussion_r313404572>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AJMZFSIVBHCEQDT6K3IA6RTQEK3KJANCNFSM4IF32FJA>
.
|
|
Not really sure what to do about the conflicts... |
Updated threat fields per recommendations
|
I think I figured it out |
revised short desc. to better align to tootip thoughts
|
Suppose someone's looking at a Suricata alert like this one: How would you suggest the mapping is done? I think But should Or perhaps we should treat actual alerts as a separate entity than threats? Map the alert details to an eventual |
|
I'd put id/name in as described.
I wouldn't be against adding threat.category to extend the basic threat
concept (as reported by the observer), then leaving the tactic and
technique as more specific places to record inferred tactic/technique
information (mapped to ATT&CK, or other internal threat analyzation)
At first I was thinking alert.category could map to threat.technique, but
then people have to decide [do I want to map observed information? Or do I
leverage an additional taxonomy?] given the low impact I think having both
would be beneficial (if for no other reason that the ability to search for
vendor specific threat names, or external classification terms, instead of
one or the other)
I'll add a threat.category, and take a look at a couple other detection
types to see what else could go into the overall (risk is set, tho I have
yet to figure out how to add threat to the risk.yml fields as a possible
top level as threat doesn't exist in my risk branch...)
/d
…On Thu, Sep 5, 2019 at 11:20 AM Mathieu Martin ***@***.***> wrote:
Suppose someone's looking at a Suricata alert like this one
<https://github.com/elastic/beats/blob/v7.3.0/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json#L42-L46>
:
"suricata.eve.alert.category": "Attempted Information Leak",
"suricata.eve.alert.gid": 1,
"suricata.eve.alert.rev": 4,
"suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound",
"suricata.eve.alert.signature_id": 2013028,
How would you suggest the mapping is done?
I think alert.signature_id maps to threat.id and alert.signature maps to
threat.name.
But should alert.category be mapped to threat.technique.name? Seems like
we'd like to both allow people to keep their alert source's categorization,
as it's good to have a 1:1 mapping with the source, when investigating what
the alert means. But it would also be useful to let people map to a third
party categorization framework. I'm sure there's already people who've
mapped Suricata's alerts to the ATT&CK framework.
Or perhaps we should treat actual alerts as a separate entity than
threats? Map the alert details to an eventual alert field set, and add
the threat field set purely as a categorization scheme on top of the
alert?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#505?email_source=notifications&email_token=AJMZFSMEPMQNZC6AEBSKVXDQIEPUPA5CNFSM4IF32FJKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD57RBVA#issuecomment-528421076>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AJMZFSI5IYCANJXTOAP46H3QIEPUPANCNFSM4IF32FJA>
.
|
|
@dainperkins another thing that occurred to me. It might be worth adding a field that states which kind of categorization is being done. Is it MITRE, are people shoving QRadar in tactic & technique, or another vendor specific thing. So perhaps something like I can guarantee that in a big enough organization, people will be using more than one different taxonomy, because |
|
excellent idea
…On Thu, Sep 5, 2019 at 1:58 PM Mathieu Martin ***@***.***> wrote:
@dainperkins <https://github.com/dainperkins> another thing that occurred
to me. It might be worth adding a field that states which kind of
categorization is being done. Is it MITRE, are people shoving QRadar in
tactic & technique, or another vendor specific thing.
So perhaps something like threat.taxonomy, or threat.framework, in which
you could put values such as "mitre_attack", "qradar", etc...
I can guarantee that in a big enough organization, people will be more
than one different taxonomy, because [reasons]. So being able to separate
them from one another may be helpful.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#505?email_source=notifications&email_token=AJMZFSLVKXFIYLQHG2DP3STQIFCDLA5CNFSM4IF32FJKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6AE6DY#issuecomment-528502543>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AJMZFSLJVNPVCO3LL26DECTQIFCDLANCNFSM4IF32FJA>
.
|
|
was also thinking sig revision would be a good add (suricata has it, as
does snort)
…On Thu, Sep 5, 2019 at 1:58 PM Mathieu Martin ***@***.***> wrote:
@dainperkins <https://github.com/dainperkins> another thing that occurred
to me. It might be worth adding a field that states which kind of
categorization is being done. Is it MITRE, are people shoving QRadar in
tactic & technique, or another vendor specific thing.
So perhaps something like threat.taxonomy, or threat.framework, in which
you could put values such as "mitre_attack", "qradar", etc...
I can guarantee that in a big enough organization, people will be more
than one different taxonomy, because [reasons]. So being able to separate
them from one another may be helpful.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#505?email_source=notifications&email_token=AJMZFSLVKXFIYLQHG2DP3STQIFCDLA5CNFSM4IF32FJKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6AE6DY#issuecomment-528502543>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AJMZFSLJVNPVCO3LL26DECTQIFCDLANCNFSM4IF32FJA>
.
|
revised changelog.next, added threat.category, threat.framework, revised organization
make of previous updates
fixed spelling updated desc's
|
An "outcome" or "action" field could store actions take by the observer or agent. For example
Not sure if this should go in threat or the event schema. |
|
@mbudge Yes, the actions such as those you list, are in many ways the "story" of the event, so I think this is better captured at the event level using the |
|
I'd like to close on this soon, but there's something that's been bugging me about the proposal. According to the field set's definition, it sounds like it would be fine to either use this to map one's alerts to a taxonomy, or to use the source alert categorization as is (e.g. the Suricata alert categories). I think this field set should purely focus on making it possible to map alerts to the user's chosen taxonomy. Can be mitre, can be another taxonomy. Corollary to that, I think it would be important to work on a sister field set that is specifically meant to capture the generic concepts about alerts. Before we have both, I think having only "threat.*" will be confusing. I think the absence of the "alert" field set is what led us to discussing the addition Here's how I would envision the two. Let's take the same example as above to illustrate: Given the existence of an alert field set, the mapping I would see would be:
Then if someone is using Mitre, they would have mapped the known Suricata alerts to the mitre taxonomy, and the resulting event would also have these populated:
If the user is actually using a different taxonomy, all of |
|
Heads up as well. Ray is working on a misp importer Filebeat module here elastic/beats#13805. There's some commonalities. Worth giving this a look, while pondering all this. |
schemas/threat.yml
Outdated
| - name: revision | ||
| format: string | ||
| level: extended | ||
| type: long |
There was a problem hiding this comment.
Just spotted this. It should be keyword. Not all revisions are purely numeric.
|
Forgot to commit before pull req 1 today... |
CHANGELOG.next.md
Outdated
| @@ -11,6 +11,8 @@ Thanks, you're awesome :-) --> | |||
|
|
|||
| ### Added | |||
|
|
|||
| * Remnoved threat event fields #505 | |||
There was a problem hiding this comment.
We simplified the PR, but this PR is still "Adding threat fields" :-)
There was a problem hiding this comment.
I had not noticed all the places you had added the multi_fields. Since the threat fields are now solely focused on mapping to a taxonomy, it means the range of expected values will be much more limited. Therefore I think we should remove all of the multi-fields in here for now. We can add them back later if there's a need.
I'm also requesting changes on the field set short and full definitions.
Once these are in place, we can merge.
- Fix the changelog
- Remove all multi-field
- Adjust fieldset's short description
- Adjust fieldset's main description
Thanks @dainperkins!
simplified threat fields, limiting to taxonomy fields for ecs 1.2
updated changelog for revised threat fieldset for 1.2
spelling / changelog fixes
schemas/threat.yml
Outdated
| These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a | ||
| common taxonomy. The threat.technique.* are meant to capture the high level category of the threat | ||
| (e.g. "exfiltration"). The threat.tactic.* fields are meant to capture which kind of approach is used by | ||
| this detected threat, to accomplish the goal (e.g. "data compressed"). |
There was a problem hiding this comment.
I asked you to adjust the fieldset definition, and I got tactic and technique reversed 😂 Sorry about that.
High level category is tactic, and technique is the actual method used. Please update it to undo my mistake:
These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a
common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat
(e.g. "exfiltration"). The threat.technique.* fields are meant to capture the method used by
this detected threat, to accomplish the goal (e.g. "data compressed").
fixed tactc/technique & replicated impact:endpoint DOS in top level example
|
Oops, that last LGTM was on the wrong PR 🤦♂ |
added threat fields for e.g. threat reports from IDS/IPS, NGFW, etc...