Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DRAFT: new RBA Object - Step 3 - ESCU 5.0 #263

Merged
merged 79 commits into from
Jan 17, 2025
Merged

DRAFT: new RBA Object - Step 3 - ESCU 5.0 #263

merged 79 commits into from
Jan 17, 2025

Conversation

ljstella
Copy link
Contributor

@ljstella ljstella commented Aug 27, 2024
edited
Loading

NOT YET READY FOR REVIEW

The tags.observable mechanism for RBA is unnecessary extra mental gymnastics, and is based on terminology that never materialized elsewhere. This PR will introduce a new top level field named rba that contains the RBA related fields and remove tags.observable, and tags.message.

Update: tags.confidence and tags.impact will stay in place and be documented as serving the purpose they defacto do today, which is the detection author's confidence in the analytic to find true positives, and the level of impact they have today, as well as being constructed as part of the calculation of notable severity. The validation confirming a risk score is the product of those two integers will not carry forward.

Example of this new object, using the bundled detection:

name: Anomalous usage of 7zip
id: 9364ee8e-a39a-11eb-8f1d-acde48001122
version: 1
...
rba:
  message: An instance of $parent_process_name$ spawning $process_name$ was identified
    on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading
    of 7zip.
  risk_objects: 
    - field: user
      type: user
      score: 56
    - field: dest
      type: system
      score: 56
  threat_objects:
    - field: parent_process_name
      type: parent_process_name
    - field: process_name
      type: process_name
tags:
...

Things to do:

  • implement new RBA model
    • risk object type enum
    • port any existing risk object validation
    • threat object type enum
    • port any existing threat object validation
  • remove all code and enums related to tags.observable OR SES
  • Update packaged detection that gets generated with contentctl init
  • integrate with in-flight testing work
  • Determine the fate of tags.confidence and tags.impact
  • Determine impacts to SSE API
  • Determine migration mechanism (currently leaning towards none in-project and throwing validation errors, allowing folks to manually migrate and reconsider their RBA configs as they migrate- surely folks have pinned their dependencies, right?)
  • Draft descriptions/docs for this new mechanism that can go in the release notes for when this gets a tagged release, so that folks can be prepared for the migration.
  • Open a PR against splunk/security_content with changes to all existing content
  • Update contentctl new wizard
  • <insert next fun little surprise we left for later and need to fix here>

@ljstella ljstella added the WIP label Aug 27, 2024
@pyth0n1c
Copy link
Contributor

Right now, all of the RBA bits are required for every detection type. Do we want to require ALL fields for all types of detections? Or ONLY allow it (or make it optional) for certain types of detections?
In your example, I believe it's a coincidence that all risk/threat object fields appear in the message. This is not a requirement today and I don't think we want to start enforcing it, right?
I agree that, since this is a one-time migration, we don't need/want to build and maintain a tool to do that migration.

@ljstella
Copy link
Contributor Author

ljstella commented Aug 27, 2024
edited
Loading

@pyth0n1c - addressed in-line

Right now, all of the RBA bits are required for every detection type. Do we want to require ALL fields for all types of detections? Or ONLY allow it (or make it optional) for certain types of detections?

That's a good question. I want to see how easy it is to get the information we have from deployments at the time we are validating detections. It would be excellent in my POV if we could strip the RBA object out of analytics that won't have a risk config but require it on the ones that do. We'll see how easy that is to actually pull off. I'd like to do it that way because it allows us to change the default deployments, or for folks to layer in additional deployments, and have the "does this need RBA?" evaluation adapt as those changes are made, as opposed to a strict relationship on Detection Type.

In your example, I believe it's a coincidence that all risk/threat object fields appear in the message. This is not a requirement today and I don't think we want to start enforcing it, right?

That's correct- message fields don't have to be risk/threat objects (putting things like count into a message is a popular use, but would be silly as either a risk or threat). Likewise, you can add fields as threat or risk objects without directly referencing them in the message.

@pyth0n1c pyth0n1c mentioned this pull request Aug 30, 2024
Merged
@pyth0n1c pyth0n1c mentioned this pull request Sep 13, 2024
Closed
@pyth0n1c
Fix regex to step matching
41fab0f 
before hitting | character
which may occur WITHOUT
whitespace being present.
Ensure that any
CSV or MLMODEL file
written to the app ends in
the appropriate datetime
stamp.
@ljstella
Copy link
Contributor Author

ljstella commented Jan 6, 2025
edited
Loading

New content testing branch: splunk/security_content#3269

Temporarily updated CI config to use that instead

pyth0n1c and others added 7 commits January 6, 2025 17:07
@pyth0n1c
Progress and cleanup for
f04d92c 
outputs with better structure
and type annotations in prep for
new lookup type
@pyth0n1c
Able to build without any errors,
825beaf 
but that does not mean it is correct
yet. Outputs must be diffed against
prior versions to make sure there are
no unintended changes.
@pyth0n1c
improve api output serialization
a31d484 
for better readability
@pyth0n1c
Clean up bad imports. Give more
0f70172 
explicit error when something fails
to be written correctly to a conf file.
Otherwise, it is hard to find out which
specific object caused the failure.
@ljstella
New threat object type
285acf1
@pyth0n1c
merge latest rba target updates
a6faec5
@pyth0n1c
Fix access of variable that does
78aa05e 
not exist.
@josehelps josehelps changed the title DRAFT: new RBA Object DRAFT: new RBA Object - Step 3 - ESCU 5.0 Jan 15, 2025
@ljstella
Copy link
Contributor Author

Changed the ESCU test branch back to rba_migration here: splunk/security_content#3204

We're about to merge the strict_yml content changes into the rba_migration branch, so we'll have just one branch to work against

@cmcginley-splunk cmcginley-splunk mentioned this pull request Jan 16, 2025
Merged
10 tasks
@josehelps josehelps marked this pull request as ready for review January 17, 2025 19:24
@josehelps
Copy link
Contributor

LGTM I trust Lou!

@josehelps josehelps merged commit 4f92434 into contentctl_5 Jan 17, 2025
12 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cmcginley-splunk cmcginley-splunk cmcginley-splunk left review comments

Assignees
No one assigned
Labels
WIP
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ljstella @pyth0n1c @josehelps @cmcginley-splunk