Add event.tactic and event.technique fields #291
Conversation
|
As these are very specific for the security analytics use case I'm starting to think we should group these somewhere outside of |
|
@ruflin that's certainly possible, for example we explored creating a threat.* object in #113 where they could exist. The argument for keeping them in the Let me propose an alternative for consideration. Anyone else have thoughts on this? |
|
Agree that some of the above could actually fit better under threat. Also thinking of |
|
@ruflin I think "outcome" will be used quite broadly across many events, including system (successful vs. failed calls), file (successful vs. failed access attempts), and security (successful vs. failed login attempts) events, so I would try to keep it in the common fields as |
|
What about the tactic and technique added here? Should go under |
|
Yes, I think tactic and threat will fit better under a |
To accommodate security analytics use cases, it is useful to be able to filter, aggregate, and visualize events by the tactics and techniques in use when the event was created. For example the MITRE ATT&CK framework provides a reference list of tactics and techniques.
If an event or alert is generated by a rule that was written to detect certain tactics or techniques, then those tactics and/or techniques would be populated in these fields.
This PR partially addresses questions raised in #113