[RFC] Threat Enrichment - Stage 1 #1400
Conversation
Much of this was taken from what was deleted from elastic#1293 and is in various stages of completion. Will annotate and iterate on the PR.
| particular enrichment. If multiple matches for this indicator object, this could | ||
| be a list */ | ||
| "matched": { | ||
| "atomic": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4", |
There was a problem hiding this comment.
I'm not convinced that matched.atomic and matched.field are sufficient to cover more sophisticated matching mechanisms than an exact match: if e.g. a user wanted to write an indicator match rule with a partial match, or if there were a more sophisticated indicator that itself represented a wildcard/regex value, then the value of the indicator would not be identical to the value from the event and so we may want two fields here.
Similarly, we would not be able to reproduce the exact conditions of the match with only one field value. While I've been told that the indicator field being matched upon should be self-evident, it seems safer to explicitly state it in another field, and I wanted to bring it up one more time before I shut up about it 😉 .
In general, I'm viewing these matched.* fields as the answer to both HOW and WHY a given event was enriched, so keep that in mind and/or correct me on that thinking.
There was a problem hiding this comment.
a user wanted to write an indicator match rule with a partial match, or if there were a more sophisticated indicator that itself represented a wildcard/regex value, then the value of the indicator would not be identical to the value from the event
How are you envisioning this? Are you thinking that there is a mechanical way needed to match like fields. I can think of a use-case, DGAs.
So, if you know an aggressor uses a specific domain structure for C2 (like abc123\.12345abcdef\.xyz), you'd want to be able to match if they use
abc123\.12345abcdef\.xyz
plo958\.59874qwersd\.xyz
lje456\.01258iekduh\.xyz
So, you'd need a way to match url.full:/[aA-zZ]{3}[0-9]{3}\.[0-9]{5}[aA-zZ]{6}\.xyz MATCHES threat.indicator.url.full?
Or am I off?
There was a problem hiding this comment.
@peasead right, the idea is that with anything other than an exact match, the values for the LHS and RHS of the match are going to be different, and we don't have fields to account for both of those right now.
IPs is another example, where one could specify a CIDR block instead of a single IP address.
What is SOP for DGAs within threat intel, currently? Is there any attempt to generalize the pattern/algorithm generating those values?
There was a problem hiding this comment.
I'm not saying it's a must now.
There are some experimental machine learning jobs for DGAs.
There was a problem hiding this comment.
I think we can continue with the implicit "exact value match" semantics for this RFC. If in the future we need to support the aforementioned functionality, I think that we can do so with the addition of two new fields as discussed.
| } | ||
| ``` | ||
|
|
||
| ### Proposed enrichment pipeline mechanics pseudocode |
Co-authored-by: Eric Beahan <[email protected]>
* Removes unnecessary field renames, as fields no longer conflict * Adds a clause for setting a default array value for `threat.enrichments`
This is in fact redundant, but still useful.
* master: Stage 2 changes for RFC 0018 - extending the `threat.*` field set (elastic#1438) Remove deprecated `host.user.*` fields (elastic#1439) Explicitly include user identifiers in `related.user` field description (elastic#1420) Set the merge date on RFC 0018 stage 2 (elastic#1429) [RFC] Extend Threat Fieldset - Stage 2 Proposal (elastic#1395) [Tooling] Add --exclude flag to Generator to support field removal testing (elastic#1411) Add `host.user.*` deprecation notice in field reuse description (elastic#1422) Stage 2 changes for RFC 0015 - `elf` header (elastic#1410) Stage 3 changes for RFC 0012 - `orchestrator` field set (elastic#1417) Support `match_only_text` in Go code generator (elastic#1418) Stage 3 Orchestrator RFC (elastic#1343) moving into folder (elastic#1416) removing use-cases (elastic#1405) removing --oss (elastic#1404) Set the merge date on RFC 0015 stage 2 (elastic#1409) Consolidate `Breaking changes` sections in `CHANGELOG.next` (elastic#1408) RFC-Stage-0: Proposal to add a "ticket" schema / field definition to ECS (elastic#1383) [RFC] `match_only_text` type migration - Stage 0 (elastic#1396) Client port is wrongly documented (elastic#1402) (elastic#1406)
|
Updated all outstanding threads; I think this is ready for review! @devonakerr has agreed to be sponsor on this one, as well. |
There was a problem hiding this comment.
LGTM. Thanks, @rylnd, for the iterations here!
Can we capture @devonakerr as the sponsor under the People section in the document?
rfcs/text/0021-threat-enrichment.md
Outdated
| "event": { | ||
| "provider": "Abuse.ch", | ||
| "dataset": "threatintel.abusemalware", | ||
| "module": "threatintel" |
There was a problem hiding this comment.
note: add event.reference here as well
|
@ebeahan I'll make that change right now, and then we should be good to merge here 👍 |
This provides a more complete example.
|
@ebeahan all good on my end 👍 |
Much of this was taken from what was deleted from #1293 and is in various stages of completion. Will annotate and iterate accordingly.
RFC Preview
Notes
I've stuck with
threat.enrichmentsfor this field name, as it is agnostic of any "matching" verbiage that may not make sense universally, but that brings up its own question (see below). Of note, other potential names that were discussed:threat.matchesthreat.indicatorsthreat.indicator_matchesOutstanding Questions
matched.typesufficient to cover all enrichment cases?matched.type: "manual"ormatched.type: "analyst"would cover the case where an analyst manually finds a matching indicatorthreat.indicatorfields are nested (as a nested array) underthreat.enrichments?