From 639c0ad969aa394e9491f0af4958d0041dcb1851 Mon Sep 17 00:00:00 2001
From: Rajas
Date: Tue, 26 Dec 2023 10:27:03 -0500
Subject: [PATCH 1/8] new attributes for incident finding class
Signed-off-by: Rajas
---
 dictionary.json | 84 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 81 insertions(+), 3 deletions(-)
diff --git a/dictionary.json b/dictionary.json
index 12c8ac60d..869f5c635 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -178,6 +178,11 @@
 "description": "The arguments sent along with the HTTP request.",
 "type": "string_t"
 },
+ "assignee": {
+ "caption": "Assignee",
+ "description": "The name of the user assgined to an Incident.",
+ "type": "user"
+ },
 "attacks": {
 "caption": "MITRE ATT&CK® Details",
 "description": "An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
@@ -1472,6 +1477,12 @@
 "description": "Describes the supporting information about a generated finding.",
 "type": "finding_info"
 },
+ "finding_info_list": {
+ "caption": "Finding Information List",
+ "description": "A list of associated finding_info objects associated to an incident.",
+ "is_array": true,
+ "type": "finding_info"
+ },
 "fingerprint": {
 "caption": "Fingerprint",
 "description": "The digital fingerprint associated with an object.",
@@ -2530,13 +2541,38 @@
 },
 "priority": {
 "caption": "Priority",
- "description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
+ "description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.",
 "type": "integer_t"
 },
 "priority_id": {
 "caption": "Priority ID",
- "description": "The normalized priority. See specific usage.",
- "enum": {},
+ "description": "The normalized priority. Priority identifies the relative importance of the finding. It is a measurement of urgency.",
+ "enum": {
+ "0": {
+ "description": "No priority is assigned.",
+ "caption": "Unknown"
+ },
+ "1": {
+ "description": "Application or personal procedure unusable, where a workaround is available or a repair is possible.",
+ "caption": "Low"
+ },
+ "2": {
+ "description": "Non-critical function or procedure, unusable or hard to use having an operational impact, but with no direct impact on services availability. A workaround is available.",
+ "caption": "Medium"
+ },
+ "3": {
+ "description": "Critical functionality or network access interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible.",
+ "caption": "High"
+ },
+ "4": {
+ "description": "Interruption making a critical functionality inaccessible or a complete network interruption causing a severe impact on services availability. There is no possible alternative.",
+ "caption": "Critical"
+ },
+ "99": {
+ "description": "The priority is not normalized.",
+ "caption": "Other"
+ }
+ },
 "sibling": "priority",
 "type": "integer_t"
 },
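Review bot: The `priority` sibling attribute keeps `"type": "integer_t"` on the context line following the reworded description, although that description defines it as the caption of the `priority_id` value, which is a string; unless this dictionary deliberately types sibling captions as integers, it should read `"type": "string_t"`, matching how `resolution` is typed later in this patch. The new `priority_id` enum puts `description` before `caption` in every entry, while the class enums added by the second patch in this series put `caption` first; key order is not significant to a JSON parser, but one order keeps the dictionary readable.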
@@ -2794,6 +2830,43 @@
 "is_array": true,
 "type": "string_t"
 },
+ "resolution": {
+ "caption": "Resolution",
+ "description": "The resolution detail for closing the incident.",
+ "type": "string_t"
+ },
+ "resolution_id": {
+ "caption": "Resolution Id",
+ "description": "The normalized identifier of the resolution detail, populated when closing an incident.",
+ "enum": {
+ "99": {
+ "caption": "Other"
+ },
+ "0": {
+ "caption": "Unknown"
+ },
+ "1": {
+ "caption": "Insufficient data"
+ },
+ "2": {
+ "caption": "Security risk"
+ },
+ "3": {
+ "caption": "False positive"
+ },
+ "4": {
+ "caption": "Managed externally"
+ },
+ "5": {
+ "caption": "Benign"
+ },
+ "6": {
+ "caption": "Test"
+ }
+ },
+ "sibling": "resolution",
+ "type": "integer_t"
+ },
 "resource": {
 "caption": "Resource",
 "description": "The target resource.",
@@ -3309,6 +3382,11 @@
 "description": "The last or family name for the user.",
 "type": "string_t"
 },
+ "is_suspected_breach": {
+ "caption": "Suspected Breach",
+ "description": "A determination based on analytics whether a potential breach was found.",
+ "type": "boolean_t"
+ },
 "svc_name": {
 "caption": "Service Name",
 "description": "The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.",
From 83bc26f5a4fe497d15f1b36b7356c4c592ce0a21 Mon Sep 17 00:00:00 2001
From: Rajas
Date: Tue, 26 Dec 2023 10:27:24 -0500
Subject: [PATCH 2/8] initial draft of incident findings class
Signed-off-by: Rajas
---
 events/findings/incident_finding.json | 145 ++++++++++++++++++++++++++
 1 file changed, 145 insertions(+)
 create mode 100644 events/findings/incident_finding.json
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
new file mode 100644
index 000000000..015979e1a
--- /dev/null
+++ b/events/findings/incident_finding.json
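Review bot: Every value of the new `resolution_id` enum carries only a `caption`, so nothing tells a producer when to choose `Insufficient data` over `Benign` or `Managed externally`, and closures will be coded inconsistently across sources; `priority_id` in the same patch documents each value, and `resolution_id` should too, e.g. for `"3"`: `"description": "The incident was determined to be a false positive."` (wording for the remaining values to be agreed with the schema owners). The caption `Resolution Id` also departs from the `Priority ID` capitalisation used two hunks earlier; `"caption": "Resolution ID"` keeps captions uniform. Listing `"99"` before `"0"` is harmless to a parser but reads oddly next to the ascending order used for `priority_id`.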
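Review bot: `is_suspected_breach` is inserted between the surname entry (context line `"description": "The last or family name for the user."`) and `svc_name`, which appears to break the alphabetical ordering the rest of this dictionary follows; it belongs alongside the other `is_*` attributes. As a `boolean_t` the attribute cannot distinguish "no breach" from "not yet evaluated", so if incidents may be emitted before analytics have run, say what absence means, e.g. append `Absent when no breach determination has been made.` to the description.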
@@ -0,0 +1,145 @@
+{
+ "uid": 3,
+ "caption": "Security Incident",
+ "category": "findings",
+ "description": "Security Incident events report the creation, update, or closure of incidents as a result of detections and/or analytics.",
+ "extends": "base_event",
+ "name": "security_incident",
+ "profiles": [
+ "security_control"
+ ],
+ "attributes": {
+ "$include": [
+ "profiles/security_control.json"
+ ],
+ "activity_id": {
+ "description": "The normalized identifier of the Incident activity.",
+ "enum": {
+ "1": {
+ "caption": "Create",
+ "description": "Reports the creation of an Incident."
+ },
+ "2": {
+ "caption": "Update",
+ "description": "Reports updates to an Incident."
+ },
+ "3": {
+ "caption": "Close",
+ "description": "Reports closure of an Incident ."
+ }
+ },
+ "requirement": "required"
+ },
+ "activity_name": {
+ "description": "The Incident activity name, as defined by the activity_id.",
+ "requirement": "optional"
+ },
+ "assignee": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "comment": {
+ "description": "Additional user supplied details for updating or closing the incident.",
+ "group": "context",
+ "requirement": "optional"
+ },
+ "confidence": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "confidence_id": {
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "confidence_score": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "desc": {
+ "description": "The short description of the Incident.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "end_time": {
+ "description": "The time of the most recent event included in the incident.",
+ "requirement": "optional"
+ },
+ "finding_info_list": {
+ "group": "primary",
+ "requirement": "required"
+ },
+ "impact": {
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "impact_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "impact_score": {
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "priority": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "priority_id": {
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "resolution": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "resolution_id": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "src_url": {
+ "description": "A Url link used to access the original incident.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "start_time": {
+ "description": "The time of the least recent event included in the incident.",
+ "requirement": "optional"
+ },
+ "status": {
+ "description": "The normalized status of the Incident normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+ "group": "primary",
+ "requirement": "optional"
+ },
+ "status_id": {
+ "description": "The normalized status identifier of the Incident.",
+ "enum": {
+ "1": {
+ "caption": "New",
+ "description": "The service desk has received the incident but has not assigned it to an agent."
+ },
+ "2": {
+ "caption": "In Progress",
+ "description": "The incident has been assigned to an agent but has not been resolved. The agent is actively working with the user to diagnose and resolve the incident."
+ },
+ "3": {
+ "caption": "On Hold",
+ "description": "The incident requires some information or response from the user or from a third party."
+ },
+ "4": {
+ "caption": "Resolved",
+ "description": "The service desk has confirmed that the incident is resolved."
+ },
+ "5": {
+ "caption": "Closed",
+ "description": "The incident is resolved and no further action is necessary."
+ }
+ },
+ "group": "primary",
+ "requirement": "required"
+ },
+ "is_suspected_breach": {
+ "group": "context",
+ "requirement": "optional"
+ }
+ }
+}
\ No newline at end of file
From fe2ac652d1ee6b7a9d2a6f236e4f98160a91f311 Mon Sep 17 00:00:00 2001
From: Rajas
Date: Tue, 2 Jan 2024 13:23:47 -0500
Subject: [PATCH 3/8] adding assignee group to dictionary
Signed-off-by: Rajas
---
 dictionary.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/dictionary.json b/dictionary.json
index 869f5c635..1c85b10db 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -180,9 +180,14 @@
 },
 "assignee": {
 "caption": "Assignee",
- "description": "The name of the user assgined to an Incident.",
+ "description": "The details of the user assgined to an Incident.",
 "type": "user"
 },
+ "assignee_group": {
+ "caption": "Assignee Group",
+ "description": "The details of the group assgined to an Incident.",
+ "type": "group"
+ },
 "attacks": {
 "caption": "MITRE ATT&CK® Details",
 "description": "An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
@@ -1479,7 +1484,7 @@
 },
 "finding_info_list": {
 "caption": "Finding Information List",
- "description": "A list of associated finding_info objects associated to an incident.",
+ "description": "A list of finding_info objects associated to an incident.",
 "is_array": true,
 "type": "finding_info"
 },
From 967a1b533c2c3f0eef8d78ba7f425e86988c5369 Mon Sep 17 00:00:00 2001
From: Rajas
Date: Tue, 2 Jan 2024 13:24:12 -0500
Subject: [PATCH 4/8] general cleanup of the class definition
Signed-off-by: Rajas
---
 events/findings/incident_finding.json | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index 015979e1a..199f855c4 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
@@ -1,10 +1,10 @@
 {
- "uid": 3,
- "caption": "Security Incident",
+ "uid": 5,
+ "caption": "Incident Finding",
 "category": "findings",
- "description": "Security Incident events report the creation, update, or closure of incidents as a result of detections and/or analytics.",
+ "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.",
 "extends": "base_event",
- "name": "security_incident",
+ "name": "incident_finding",
 "profiles": [
 "security_control"
 ],
@@ -38,6 +38,10 @@
 "group": "context",
 "requirement": "optional"
 },
+ "assignee_group": {
+ "group": "context",
+ "requirement": "optional"
+ },
 "comment": {
 "description": "Additional user supplied details for updating or closing the incident.",
 "group": "context",
@@ -141,5 +145,11 @@
 "group": "context",
 "requirement": "optional"
 }
+ },
+ "constraints": {
+ "at_least_one" :[
+ "assignee",
+ "assignee_group"
+ ]
 }
 }
\ No newline at end of file
From c4aa54a620ac99841b6972c6f79b9e0f331f2465 Mon Sep 17 00:00:00 2001
From: Rajas
Date: Tue, 2 Jan 2024 14:19:01 -0500
Subject: [PATCH 5/8] removing sec_control from the class
Signed-off-by: Rajas
---
 events/findings/incident_finding.json | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index 199f855c4..2d3ef2f86 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
@@ -5,13 +5,7 @@
 "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.",
 "extends": "base_event",
 "name": "incident_finding",
- "profiles": [
- "security_control"
- ],
 "attributes": {
- "$include": [
- "profiles/security_control.json"
- ],
 "activity_id": {
 "description": "The normalized identifier of the Incident activity.",
 "enum": {
From 042a3e59742f6d03ab9c36929b72fcfcf5d60df4 Mon Sep 17 00:00:00 2001
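Review bot: The new `constraints.at_least_one` over `assignee` and `assignee_group` contradicts the class's own status model: `status_id` `"1"` (`New`) is described as `has not assigned it to an agent`, so a `Create` event for a not-yet-assigned incident can never satisfy the constraint and would fail validation. Either drop the constraint and leave both attributes `optional`, or make it conditional on the status if the validator supports that; as written it forces producers to invent an assignee for new incidents. The `status_id` enum this refers to lies outside this hunk, in the file created by the second patch of this series.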
From: Rajas
Date: Tue, 9 Jan 2024 16:13:00 -0500
Subject: [PATCH 6/8] Adding attacks object to the incident class
Signed-off-by: Rajas
---
 events/findings/incident_finding.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index 2d3ef2f86..cd4120da9 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
@@ -36,6 +36,11 @@
 "group": "context",
 "requirement": "optional"
 },
+ "attacks": {
+ "description": "An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques assocaited to the Incident.",
+ "group": "context",
+ "requirement": "optional"
+ },
 "comment": {
 "description": "Additional user supplied details for updating or closing the incident.",
 "group": "context",
From c1001dd93506af88c53de99949ddfaedd01320a5 Mon Sep 17 00:00:00 2001
From: Rajas
Date: Tue, 9 Jan 2024 17:21:09 -0500
Subject: [PATCH 7/8] correcting spelling errors in dictionary
Signed-off-by: Rajas
---
 dictionary.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dictionary.json b/dictionary.json
index 1c85b10db..bf2948c28 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -180,12 +180,12 @@
 },
 "assignee": {
 "caption": "Assignee",
- "description": "The details of the user assgined to an Incident.",
+ "description": "The details of the user assigned to an Incident.",
 "type": "user"
 },
 "assignee_group": {
 "caption": "Assignee Group",
- "description": "The details of the group assgined to an Incident.",
+ "description": "The details of the group assigned to an Incident.",
 "type": "group"
 },
 "attacks": {
From 860fd7fabc9fc6d73741832d443059f0469a6478 Mon Sep 17 00:00:00 2001
From: Rajas
Date: Wed, 10 Jan 2024 10:21:07 -0500
Subject: [PATCH 8/8] gramatical simplification, formating corrections
Signed-off-by: Rajas
---
 dictionary.json | 8 ++++----
 events/findings/incident_finding.json | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/dictionary.json b/dictionary.json
index bf2948c28..825e4893e 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -2558,15 +2558,15 @@
 "caption": "Unknown"
 },
 "1": {
- "description": "Application or personal procedure unusable, where a workaround is available or a repair is possible.",
+ "description": "Application or personal procedure is unusable, where a workaround is available or a repair is possible.",
 "caption": "Low"
 },
 "2": {
- "description": "Non-critical function or procedure, unusable or hard to use having an operational impact, but with no direct impact on services availability. A workaround is available.",
+ "description": "Non-critical function or procedure is unusable or hard to use causing operational disruptions with no direct impact on a service's availability. A workaround is available.",
 "caption": "Medium"
 },
 "3": {
- "description": "Critical functionality or network access interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible.",
+ "description": "Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible.",
 "caption": "High"
 },
 "4": {
@@ -3389,7 +3389,7 @@
 },
 "is_suspected_breach": {
 "caption": "Suspected Breach",
- "description": "A determination based on analytics whether a potential breach was found.",
+ "description": "A determination based on analytics as to whether a potential breach was found.",
 "type": "boolean_t"
 },
 "svc_name": {
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index cd4120da9..28dabfa21 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
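Review bot: The rewording of the `priority_id` enum is applied unevenly: `"2"` now says `a service's availability`, while `"3"` in the same hunk and the untouched `"4"` still say `services availability`. Use one form in all three, e.g. for `"3"`: `"description": "Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on a service's availability. No acceptable alternative is possible."`.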
@@ -37,7 +37,7 @@
 "requirement": "optional"
 },
 "attacks": {
- "description": "An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques assocaited to the Incident.",
+ "description": "An array of MITRE ATT&CK® objects describing the tactics, techniques & sub-techniques associated to the Incident.",
 "group": "context",
 "requirement": "optional"
 },
@@ -146,7 +146,7 @@
 }
 },
 "constraints": {
- "at_least_one" :[
+ "at_least_one": [
 "assignee",
 "assignee_group"
 ]