Incident Finding event class definition #903

Merged
merged 8 commits into from
Jan 10, 2024
89 changes: 86 additions & 3 deletions dictionary.json
Expand Up @@ -178,6 +178,16 @@
"description": "The arguments sent along with the HTTP request.",
"type": "string_t"
},
"assignee": {
"caption": "Assignee",
"description": "The details of the user assigned to an Incident.",
"type": "user"
},
"assignee_group": {
"caption": "Assignee Group",
"description": "The details of the group assigned to an Incident.",
"type": "group"
},
"attacks": {
"caption": "MITRE ATT&CK® Details",
"description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques identified by a security control or finding.",
Expand Down Expand Up @@ -1472,6 +1482,12 @@
"description": "Describes the supporting information about a generated finding.",
"type": "finding_info"
},
"finding_info_list": {
"caption": "Finding Information List",
"description": "A list of <code>finding_info</code> objects associated to an incident.",
"is_array": true,
"type": "finding_info"
},
"fingerprint": {
"caption": "Fingerprint",
"description": "The digital fingerprint associated with an object.",
Expand Down Expand Up @@ -2530,13 +2546,38 @@
},
"priority": {
"caption": "Priority",
"description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source. See specific usage.",
"description": "The priority, normalized to the caption of the priority_id value. In the case of 'Other', it is defined by the event source.",
"type": "integer_t"
},
"priority_id": {
"caption": "Priority ID",
"description": "The normalized priority. See specific usage.",
"enum": {},
"description": "The normalized priority. Priority identifies the relative importance of the finding. It is a measurement of urgency.",
"enum": {
"0": {
"description": "No priority is assigned.",
"caption": "Unknown"
},
"1": {
"description": "Application or personal procedure is unusable, where a workaround is available or a repair is possible.",
"caption": "Low"
},
"2": {
"description": "Non-critical function or procedure is unusable or hard to use causing operational disruptions with no direct impact on a service's availability. A workaround is available.",
"caption": "Medium"
},
"3": {
"description": "Critical functionality or network access is interrupted, degraded or unusable, having a severe impact on services availability. No acceptable alternative is possible.",
"caption": "High"
},
"4": {
"description": "Interruption making a critical functionality inaccessible or a complete network interruption causing a severe impact on services availability. There is no possible alternative.",
"caption": "Critical"
},
"99": {
"description": "The priority is not normalized.",
"caption": "Other"
}
},
"sibling": "priority",
"type": "integer_t"
},
Expand Down Expand Up @@ -2794,6 +2835,43 @@
"is_array": true,
"type": "string_t"
},
"resolution": {
"caption": "Resolution",
"description": "The resolution detail for closing the incident.",
"type": "string_t"
},
"resolution_id": {
"caption": "Resolution Id",
"description": "The normalized identifier of the resolution detail, populated when closing an incident.",
"enum": {
"99": {
"caption": "Other"
},
"0": {
"caption": "Unknown"
},
"1": {
"caption": "Insufficient data"
},
"2": {
"caption": "Security risk"
},
"3": {
"caption": "False positive"
},
"4": {
"caption": "Managed externally"
},
"5": {
"caption": "Benign"
},
"6": {
"caption": "Test"
}
},
"sibling": "resolution",
"type": "integer_t"
},
"resource": {
"caption": "Resource",
"description": "The target resource.",
Expand Down Expand Up @@ -3309,6 +3387,11 @@
"description": "The last or family name for the user.",
"type": "string_t"
},
"is_suspected_breach": {
"caption": "Suspected Breach",
"description": "A determination based on analytics as to whether a potential breach was found.",
"type": "boolean_t"
},
"svc_name": {
"caption": "Service Name",
"description": "The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service.",
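Review bot: `priority` keeps `"type": "integer_t"` while its new description says it is "normalized to the caption of the priority_id value", i.e. a string, and `priority_id` (itself `integer_t`) now declares it as `sibling`; unless the integer type is deliberate, this should read `"type": "string_t"`, matching how the `resolution`/`resolution_id` pair added further down in the same file is typed. The `resolution_id` enum entries carry only captions, whereas the `priority_id` entries in this change document each value; a one-line `description` per value would remove the ambiguity between `Security risk`, `Benign` and `Insufficient data` for consumers that gate automated actions on the closure reason. The `priority_id` description also still speaks of "the finding" although the enum is now used for incidents, so wording such as `the relative importance of the finding or incident` would be clearer.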
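--- /dev/null
+++ b/events/findings/incident_finding.json
@@ -0,0 +1,154 @@
+{
+"uid": 5,
+"caption": "Incident Finding",
+"category": "findings",
+"description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.",
+"extends": "base_event",
+"name": "incident_finding",
+"attributes": {
+"activity_id": {
+"description": "The normalized identifier of the Incident activity.",
+"enum": {
+"1": {
+"caption": "Create",
+"description": "Reports the creation of an Incident."
+},
+"2": {
+"caption": "Update",
+"description": "Reports updates to an Incident."
+},
+"3": {
+"caption": "Close",
+"description": "Reports closure of an Incident ."
+}
+},
+"requirement": "required"
+},
+"activity_name": {
+"description": "The Incident activity name, as defined by the <code>activity_id</code>.",
+"requirement": "optional"
+},
+"assignee": {
+"group": "context",
+"requirement": "optional"
+},
+"assignee_group": {
+"group": "context",
+"requirement": "optional"
+},
+"attacks": {
+"description": "An array of <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK®</a> objects describing the tactics, techniques & sub-techniques associated to the Incident.",
+"group": "context",
+"requirement": "optional"
+},
+"comment": {
+"description": "Additional user supplied details for updating or closing the incident.",
+"group": "context",
+"requirement": "optional"
+},
+"confidence": {
+"group": "context",
+"requirement": "optional"
+},
+"confidence_id": {
+"group": "context",
+"requirement": "recommended"
+},
+"confidence_score": {
+"group": "context",
+"requirement": "optional"
+},
+"desc": {
+"description": "The short description of the Incident.",
+"group": "primary",
+"requirement": "recommended"
+},
+"end_time": {
+"description": "The time of the most recent event included in the incident.",
+"requirement": "optional"
+},
+"finding_info_list": {
+"group": "primary",
+"requirement": "required"
+},
+"impact": {
+"group": "primary",
+"requirement": "optional"
+},
+"impact_id": {
+"group": "primary",
+"requirement": "recommended"
+},
+"impact_score": {
+"group": "primary",
+"requirement": "optional"
+},
+"priority": {
+"group": "context",
+"requirement": "optional"
+},
+"priority_id": {
+"group": "context",
+"requirement": "recommended"
+},
+"resolution": {
+"group": "context",
+"requirement": "optional"
+},
+"resolution_id": {
+"group": "context",
+"requirement": "optional"
+},
+"src_url": {
+"description": "A Url link used to access the original incident.",
+"group": "primary",
+"requirement": "recommended"
+},
+"start_time": {
+"description": "The time of the least recent event included in the incident.",
+"requirement": "optional"
+},
+"status": {
+"description": "The normalized status of the Incident normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.",
+"group": "primary",
+"requirement": "optional"
+},
+"status_id": {
+"description": "The normalized status identifier of the Incident.",
+"enum": {
+"1": {
+"caption": "New",
+"description": "The service desk has received the incident but has not assigned it to an agent."
+},
+"2": {
+"caption": "In Progress",
+"description": "The incident has been assigned to an agent but has not been resolved. The agent is actively working with the user to diagnose and resolve the incident."
+},
+"3": {
+"caption": "On Hold",
+"description": "The incident requires some information or response from the user or from a third party."
+},
+"4": {
+"caption": "Resolved",
+"description": "The service desk has confirmed that the incident is resolved."
+},
+"5": {
+"caption": "Closed",
+"description": "The incident is resolved and no further action is necessary."
+}
+},
+"group": "primary",
+"requirement": "required"
+},
+"is_suspected_breach": {
+"group": "context",
+"requirement": "optional"
+}
+},
+"constraints": {
+"at_least_one": [
+"assignee",
+"assignee_group"
+]
+}
+}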
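Review bot: The `at_least_one` constraint over `assignee`/`assignee_group` at the end of the file contradicts the `status_id` value `New`, whose own description says the service desk "has not assigned it to an agent", so a conforming `Create` event for a fresh incident cannot validate. Dropping the `constraints` block (both attributes are already `optional`) or limiting the requirement to the assigned states avoids that. Separately, the `status` description promises an 'Other' case, but the `status_id` enum has no `99` entry (nor a `0` Unknown), unlike the `priority_id` and `resolution_id` enums added to dictionary.json in the same change; adding `"0": {"caption": "Unknown"}` and `"99": {"caption": "Other"}` keeps the sibling pair consistent and gives producers a defined value for vendor statuses that do not map. The `Close` description `"Reports closure of an Incident ."` also carries a stray space before the period.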