-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Additional groups (Vulnerability / Threat) #113
Comments
@dainperkins I think this makes sense. One idea is that the I had not thought of vulnerability.* in the same way, but perhaps we should? Would you see the |
@MikePaquette Its threat detection, and I had started looking at mixing name spaces like so: event.id some_id agent.name PtrX.VA threat.id some-id source.ip destination.ip user.id I was thinking of threat and vulnerability from the standpoint of generalizing threat/vulnerability alerts and then using other name spaces as appropriate (e.g. a vulnerability record would also include a device.ip & device.name- no need for src/dst, whereas a threat would as above typically include source / destination / user fields etc...) If every name space contains those things that are intrinsic to the name space mixing and matching as appropriate seems to cover both standardization, as well as searching (show me all vulnerabilities where host.ip = a.b.c.d, show me all network logs where source.ip = a.b.c.d, or show me all logs where source.ip = a.b.c.d - still requires some type of join to eliminate or concatenate disparate fields, but easy to remember) To be honest I'm still trying to wrap my head around e.g. db normalization vs hdfs, using ECS as device logging schema(s)vs an ECS index schema(s), and how it all plays together. /d |
@dainperkins thanks for the reply. Let's ignore Ah, so you are proposing the BTW, your approach of "mixing and matching" is exactly how we foresee ECS being used. Anyhow, now I understand what you are trying to accomplish, and I think that there are indeed some fields that should be added to cover this information. But some of the information you want to add will fit nicely mixing and matching into existing ECS fields. First, I think the ECS
Given that definition, some existing ECS fields should be used for some of your proposed The fields highlighted in yellow are not currently covered by ECS fields, and I think they do belong. If it turns out we can't use |
We are going to work on this soon. If anybody's got ideas of additional fields that may be required, on top of what's already been mentioned, feel free to chime in. |
Hi Guys, Firstly thanks, for doing this. However I am struggling to determine where within the threat.* definitions / fields I would put details around threat feeds hits. I seem to have the feeling that the current threat feeds are largely geared to the MITRE Att&ck framework, form my reading (And I might be reading it wrong). So I was thinking something along the lines of threat.ioc.provider: feed_vendor_name Any guidance / advice is greatly appreciated Hopefully as we move forward we would then start populating the other fields within the threat.* definition Thanks |
@dainperkins I think we can close this, right? |
Both "threat" and "vulnerability" have been added to ECS (a while ago). Closing :-) |
Would it make sense to add additional groups for things like vulnerabilities and threats for correlating between various services and getting granular definitions of this type of data?
e.g.
vulnerability.id
vulnerability.type
vulnerability.first.scanned
vulnerability.last.scanned
vulenerability.status (e.g. open / closed as of current date)
vulnerability.description
vulnerability.cve
vulnerability.severity
threat.id
threat.name
threat.type
threat.description
threat.risk_score
threat.confidence
Thanks
/d
The text was updated successfully, but these errors were encountered: