Findings category - Detection class

[irakledibm]

Starting conversation on structure of the Detection class in Findings category.

Base Event class

https://schema.ocsf.io/1.1.0-dev/base_event?extensions=

Common attributes from Finding base class:

Attribute	Type
activity_id	enum (Create, Update, Close)
comment	string
confidence	string
confidence_id	integer
confidence_score	integer
end_time	timestamp
finding_info	object https://schema.ocsf.io/1.1.0-dev/objects/finding_info?extensions=
start_time	timestamp

Remaining attributes from deprecated Security Finding class

Attribute	Type
analytic	object https://schema.ocsf.io/1.1.0-dev/objects/analytic?extensions=
cis_csc	array of objects https://schema.ocsf.io/1.1.0-dev/objects/cis_csc?extensions=
compliance	array of objects https://schema.ocsf.io/1.1.0-dev/objects/compliance?extensions=
data_sources	array of strings
evidence	json
impact	string
impact_id	integer
impact_score	integer
malware	object https://schema.ocsf.io/1.1.0-dev/objects/malware?extensions=
nist	array of strings
process	object https://schema.ocsf.io/1.1.0-dev/objects/process?extensions=
resources	array of objects https://schema.ocsf.io/1.1.0-dev/objects/resource_details?extensions=
risk_level	string
risk_level_id	integer
risk_score	integer
state	string
state_id	enum (New, In Progress, Suppressed, Resolved)
vulnerabilities	array of objects https://schema.ocsf.io/1.1.0-dev/objects/vulnerability?extensions=

The goal is to refine list of attributes for new Detection class to distinguish it from the Incident and other classes fro Findings category.

[sfriedfertig]

Sample sanitized MS Defender detection hit (pulled from alerts_v2 API):

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts_v2",
  "value": [
    {
      "id": "8cca9f6a-6927-11ee-8c99-0242ac120002_1",
      "providerAlertId": "78761558-6927-11ee-8c99-0242ac120002_1",
      "incidentId": "1",
      "status": "resolved",
      "severity": "medium",
      "classification": null,
      "determination": null,
      "serviceSource": "microsoftDefenderForEndpoint",
      "detectionSource": "microsoftDefenderForEndpoint",
      "detectorId": "787611c0-6927-11ee-8c99-0242ac120002",
      "tenantId": "7876142c-6927-11ee-8c99-0242ac120002",
      "title": "A suspicious file was observed",
      "description": "This file exhibits behaviors or traits of malware. It might do one or more of the following: \n1. Give a remote attacker access to your PC. \n2. Download and install other malware. \n3. Record your keystrokes and the sites you visit. \n4. Send information about your PC, including user names, passwords and browsing history, to a remote malicious hacker. \n5. Use your computer for click-fraud, bitcoin mining, DDoS attacks and spamming.",
      "recommendedActions": "Validate the alert, collect artifacts, and determine scope\n•    Inspect the file or URL/IP for suspicious characteristics – is it digitally signed? How prevalent is it? Where is it located? Do the domain registration and hosting history look normal? \n•    Review the machine timeline for suspicious activities that may have occurred before and after the time of the alert.\n•    Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n•    Submit relevant files for deep analysis and review resulting detailed behavioral information.\n•    If alert characteristics and machine behavioral evidence constitute a true positive, consider some of the initial mitigation actions below. Then, contact your incident response team for potential forensic analysis and remediation.\n\nInitiate containment & mitigation \n•    Record all relevant artifacts to be used in mitigation rules and as new threat intel\n•    Contact the user to check if the observed behavior was intended.\n•    Update AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n•    Ensure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n•    If credential theft is suspected, reset all relevant users passwords.\n•    Disconnect the machine from the network to prevent any threat attack progression.\n•    Block communication with relevant URLs or IPs at the organization's perimeter.",
      "category": "Malware",
      "assignedTo": "[email protected],
      "alertWebUrl": "https://security.microsoft.com/alerts/8cca9f6a-6927-11ee-8c99-0242ac120002_1?tid=7876142c-6927-11ee-8c99-0242ac120002",
      "incidentWebUrl": "https://security.microsoft.com/incidents/1?tid=7876142c-6927-11ee-8c99-0242ac120002",
      "actorDisplayName": null,
      "threatDisplayName": null,
      "threatFamilyName": null,
      "mitreTechniques": [
        "T1027",
        "T1204.002"
      ],
      "createdDateTime": "2023-01-22T18:44:21.0161901Z",
      "lastUpdateDateTime": "2023-02-07T19:13:53.0433333Z",
      "resolvedDateTime": "2023-01-22T19:02:01.7343322Z",
      "firstActivityDateTime": "2023-01-22T18:42:33.2149422Z",
      "lastActivityDateTime": "2023-01-22T18:57:04.3673318Z",
      "comments": [],
      "evidence": [
        {
          "@odata.type": "#microsoft.graph.security.deviceEvidence",
          "createdDateTime": "2023-01-22T18:44:21.5466667Z",
          "verdict": "unknown",
          "remediationStatus": "none",
          "remediationStatusDetails": null,
          "roles": [],
          "tags": [],
          "firstSeenDateTime": "2023-01-06T20:28:25.477Z",
          "mdeDeviceId": "b1a6d26adc1297821c9bdb2402c5768494a94cea",
          "azureAdDeviceId": null,
          "deviceDnsName": "testDevice.test.com",
          "osPlatform": "Windows10",
          "osBuild": 19045,
          "version": "22H2",
          "healthStatus": "active",
          "riskScore": "high",
          "rbacGroupId": 0,
          "rbacGroupName": null,
          "onboardingStatus": "onboarded",
          "defenderAvStatus": "updated",
          "vmMetadata": null,
          "loggedOnUsers": [
            {
              "accountName": "jane.smith",
              "domainName": "test"
            },
            {
              "accountName": "john.smith",
              "domainName": "test"
            }
          ]
        },
        {
          "@odata.type": "#microsoft.graph.security.fileEvidence",
          "createdDateTime": "2023-01-22T18:44:21.5466667Z",
          "verdict": "noThreatsFound",
          "remediationStatus": "none",
          "remediationStatusDetails": null,
          "roles": [],
          "tags": [],
          "detectionStatus": "detected",
          "mdeDeviceId": "b1a6d26adc1297821c9bdb2402c5768494a94cea",
          "fileDetails": {
            "sha1": "bcfcdf48d616f390be476424ab5a9b696a8ef66c",
            "sha256": "6d2e038e47ad315de0694d7bff4b53ad3a076ee99c984af2f2c59a96fdabea17",
            "fileName": "test_exec.exe",
            "filePath": "C:\\Program Files\\Test\\Dir",
            "fileSize": 39385216,
            "filePublisher": null,
            "signer": null,
            "issuer": null
          }
        },
        {
          "@odata.type": "#microsoft.graph.security.fileEvidence",
          "createdDateTime": "2023-01-26T18:44:21.5466667Z",
          "verdict": "unknown",
          "remediationStatus": "none",
          "remediationStatusDetails": null,
          "roles": [],
          "tags": [],
          "detectionStatus": "detected",
          "mdeDeviceId": "d1c6d27adc1297811c9bca240bc5768499a94ceb",
          "fileDetails": {
            "sha1": "4394ad13de435c6efdecc216945ad00a3f55aa5a",
            "sha256": "cb26af2a13de6222c26a2955125341e55d68164cbe8565481c52bf816139e6f8",
            "fileName": "test.py",
            "filePath": "C:\\Program Files\\Test\\Dir",
            "fileSize": 150,
            "filePublisher": null,
            "signer": null,
            "issuer": null
          }
        },
        {
          "@odata.type": "#microsoft.graph.security.processEvidence",
          "createdDateTime": "2023-01-26T18:44:21.5466667Z",
          "verdict": "unknown",
          "remediationStatus": "none",
          "remediationStatusDetails": null,
          "roles": [],
          "tags": [],
          "processId": 11236,
          "parentProcessId": 684,
          "processCommandLine": "\"test_service.exe\" svc",
          "processCreationDateTime": "2023-01-26T18:29:56.2723811Z",
          "parentProcessCreationDateTime": "2023-01-19T21:32:41.6695921Z",
          "detectionStatus": "detected",
          "mdeDeviceId": null,
          "imageFile": {
            "sha1": "736a1f60906a153079ed59efc9b736ede42a7039",
            "sha256": "9649478dc84229335cc4b81657735c20df9813481016c66fbd54279449e424cd",
            "fileName": "ai_exec_server.exe",
            "filePath": "C:\\Program Files\\Test\\Dir",
            "fileSize": 39385220,
            "filePublisher": null,
            "signer": null,
            "issuer": null
          },
          "parentProcessImageFile": {
            "sha1": null,
            "sha256": null,
            "fileName": "services.exe",
            "filePath": "\\Device\\HarddiskVolume\\Windows\\System32",
            "fileSize": null,
            "filePublisher": null,
            "signer": null,
            "issuer": null
          },
          "userAccount": {
            "accountName": "SYSTEM",
            "domainName": "NT AUTHORITY",
            "userSid": "S-1-5-18",
            "azureAdUserId": null,
            "userPrincipalName": null
          }

Note that this sample has 2 separate file "evidence" pieces, a process "evidence" piece, a user and device info, and could have even more/other combos of system/network activity "evidence" pieces that we should try to capture in the detection finding object

[sfriedfertig]

As per 10/12 call, should add detection_sources and analytic (with IOC and Signature enums) into detection finding

[irakledibm]

Based on 10/12 call, some of the requested changes:

1. Add IOC and IDS Signature to Analytics.TypeId enum.
2. Remove compliance
3. Add references to contributing events (requires more discussion)
4. Add clear descriptions to impact and risk related attributes.
5. Need more discussion regarding evidence, what and how it should be representing.

[sfriedfertig]

Based on 10/19 call, some of the requested changes:

1. Remove nist
2. (Mentioned above) add clearer descriptions for risk-related and impact-related attributes
3. Remove state-related attributes

Clarifications for next week (I don't recall the final verdict for these):

1. Remove Process? (This should be captured by Evidence activities)
2. What are we doing with resources?
3. Can we rename activity fields to status fields, since "activity" might be confusing from a detection standpoint? (I'm assuming no but want to double-check)

Next considerations:

1. Defining and implementing Evidence
2. Actor/target resource and user relationships in Evidence
3. Evidence -> Observables pipeline

[lukas-krecan-s1]

In SentinelOne extension (so far internal) we are adding the following to Security Alert:

1. Attack surfaces = array of (Endpoint, Network, Email, Identity) enums
2. Classification enum

0 | Unknown
1 | Application Control
2 | Backdoor
3 | Benign
4 | Browser
5 | Coinminer
6 | Command and Control
7 | Cryptominer
...

[floydtree]

Leaving the draft of this class here for folks to refer as we build this one out - https://github.com/floydtree/ocsf-schema/tree/detections