Add asset criticality fields

We've added this functionality within the product, we should discuss and add these fields to ECS as well.
rylnd · Dec 8, 2023 · 323ed90 · 323ed90
1 parent 9cd969d
commit 323ed90
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/rfcs/text/0042-risk-score-extensions.md b/rfcs/text/0042-risk-score-extensions.md
@@ -36,7 +36,6 @@ These fields are intended to allow future extensibility of our concept of an "id
 * `id_field`
 * `id_value`
 
-
 ### Risk Category Fields
 Some of the context here was discussed in Stage 0; please read the above for that. More specifically, these fields seek to provide the category contributions to the score, and the number of risk inputs in that category, across each of the five proposed categories:
 
@@ -51,8 +50,14 @@ Some of the context here was discussed in Stage 0; please read the above for tha
 * `category_5_score`
 * `category_5_count`
 
+### Asset Criticality Fields
+Thes fields represent the designated criticality of the entity being described in the document.
+
+* `criticality_level`
+* `criticality_modifier`
+
 ### Risk Explainability
-Beyond the per-category explanations, these fields' purpose is to provide more insight/data for the analyst to further investigate the components of the risk score.
+Beyond the category and criticality explanations above, these fields' purpose is to provide more insight/data for the analyst to further investigate the components of the risk score.
 
 * `risk.inputs`
   * Generally, these objects are meant as a convenience for one investigating risk; they are the "most risky" inputs as determined by the risk engine, and serve as a shortcut to further investigation.
@@ -96,6 +101,8 @@ The following is an example risk score generated from Detection Engine Alerts, c
         "calculated_score": 150,
         "category_1_score": 150,
         "category_1_count": 4354,
+        "criticality_level": "very_important",
+        "criticality_modifier": 2.0,
         "notes": [],
         "inputs": [
           {

diff --git a/rfcs/text/0042/risk.yml b/rfcs/text/0042/risk.yml
@@ -108,6 +108,18 @@
         The number of risk input documents that contributed to the Category 5 score.
 
         Risk Categories logically group risk inputs from various domain use cases. Category 5 contains inputs from Anomalies.
+    - name: criticality_level
+      level: extended
+      type: keyword
+      example: very_important
+      description: >
+        The designated criticality level of the entity. Possible values are `not_important`, `important`, `very_important`, and `critical`.
+    - name: criticality_modifier
+      level: extended
+      type: float
+      example: 2.0
+      description: >
+        The numeric modifier corresponding to the criticality level of the entity, which is used as an input to the risk score calculation.
     - name: inputs
       level: extended
       type: object