risk.yml
---
- name: risk
  title: Risk information
  group: 2
  short: Fields for describing risk score and level.
  beta: >
    These fields are in beta and are subject to change.
  description: >
    Fields for describing risk score and risk level of entities such as hosts and users.
    These fields are not allowed to be nested under `event.*`. Please continue to use
    `event.risk_score` and `event.risk_score_norm` for event risk.
  reusable:
    top_level: false
    expected:
      - host
      - user
  type: group
  fields:
    - name: id_field
      level: extended
      type: keyword
      example: host.name
      description: >
        The name of the ECS field that identifies the entity. Typically, hosts use `host.name` and users use `user.name`.
    - name: id_value
      level: extended
      type: keyword
      example: host-001.local
      description: >
        The entity's identifier value that was used to calculate risk. Typically, hosts use values from `host.name` and users use values from `user.name`.
    - name: category_1_score
      level: extended
      type: float
      example: 33.0
      description: >
        The contribution of Category 1 to the overall risk score (`calculated_score`).
        Risk Categories logically group risk inputs from various domain use cases. Category 1 includes Alerts, namely from Kibana's Detection Engine.
    - name: category_1_count
      level: extended
      type: long
      example: 3291
      description: >
        The number of risk input documents that contributed to the Category 1 score.
        Risk Categories logically group risk inputs from various domain use cases. Category 1 includes Alerts, namely from Kibana's Detection Engine.
    - name: category_2_score
      level: extended
      type: float
      example: 35.0
      description: >
        The contribution of Category 2 to the overall risk score (`calculated_score`).
        Risk Categories logically group risk inputs from various domain use cases. Category 2 includes inputs from Posture Management.
    - name: category_2_count
      level: extended
      type: long
      example: 1921
      description: >
        The number of risk input documents that contributed to the Category 2 score.
        Risk Categories logically group risk inputs from various domain use cases. Category 2 includes inputs from Posture Management.
    - name: category_3_score
      level: extended
      type: float
      example: 25.0
      description: >
        The contribution of Category 3 to the overall risk score (`calculated_score`).
        Risk Categories logically group risk inputs from various domain use cases. Category 3 includes inputs from Vulnerabilities.
    - name: category_3_count
      level: extended
      type: long
      example: 4920
      description: >
        The number of risk input documents that contributed to the Category 3 score.
        Risk Categories logically group risk inputs from various domain use cases. Category 3 includes inputs from Vulnerabilities.
    - name: category_4_score
      level: extended
      type: float
      example: 55.0
      description: >
        The contribution of Category 4 to the overall risk score (`calculated_score`).
        Risk Categories logically group risk inputs from various domain use cases. Category 4 includes Entity Contexts.
    - name: category_4_count
      level: extended
      type: long
      example: 1308
      description: >
        The number of risk input documents that contributed to the Category 4 score.
        Risk Categories logically group risk inputs from various domain use cases. Category 4 includes Entity Contexts.
    - name: category_5_score
      level: extended
      type: float
      example: 75.0
      description: >
        The contribution of Category 5 to the overall risk score (`calculated_score`).
        Risk Categories logically group risk inputs from various domain use cases. Category 5 contains inputs from Anomalies.
    - name: category_5_count
      level: extended
      type: long
      example: 14922
      description: >
        The number of risk input documents that contributed to the Category 5 score.
        Risk Categories logically group risk inputs from various domain use cases. Category 5 contains inputs from Anomalies.
    - name: inputs
      level: extended
      type: object
      normalize: array
      description: >
        An array of the top risk input documents that contributed to the overall risk score.
      fields:
        - name: id
          level: extended
          type: keyword
          description: >
            The identifier (`_id`) of the risk input document.
        - name: index
          level: extended
          type: keyword
          description: >
            The index (`_index`) of the risk input document.
        - name: category
          level: extended
          type: keyword
          example: category_1
          description: >
            The risk category of the risk input document.
        - name: description
          level: extended
          type: keyword
          example: "Generated from Detection Engine Rule: Malware Prevention Alert"
          description: >
            A human-readable description of the risk input document.
          multi_fields:
            - type: match_only_text
              name: text
        - name: risk_score
          level: extended
          type: float
          example: 30.0
          description: >
            The weighted risk score of the risk input document.
        - name: timestamp
          level: extended
          type: date
          example: '2019-08-16T01:40:25Z'
          description: >
            The @timestamp of the risk input document.
    - name: notes
      level: extended
      type: keyword
      normalize: array
      example: ["This score was boosted due to the entity being a host."]
      description: >
        Notes about the risk score and/or its calculation.
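The schema above fixes three things a consumer of risk documents can check mechanically: the field set may only appear under `host` or `user` (`reusable.expected`, `top_level: false`), it must never appear under `event.*`, and each leaf has an ECS type, with `inputs` and `notes` always arrays (`normalize: array`). The validator below is an added example, not ECS tooling or part of the `ecs` repository; it transcribes the field names and types from this file into Python dicts, assumes documents are in nested (not dotted-key) form, and runs two constructed sample documents through the checks, one conforming and one that breaks each rule.

```python
"""Validate nested ECS documents against the `risk` field set from risk.yml.

Added example. The field tables are transcribed from the schema above; the
validation rules are one reasonable reading of `reusable`, `normalize: array`
and the `event.*` prohibition, not the official ECS validator.
"""
from datetime import datetime
from typing import Any, Dict, List, Tuple

# reusable.expected and reusable.top_level: false, plus the description's rule
EXPECTED_PARENTS = ("host", "user")
FORBIDDEN_PARENTS = ("event",)

# name -> (ecs type, is array); "object" entries recurse into INPUT_FIELDS
RISK_FIELDS: Dict[str, Tuple[str, bool]] = {
    "id_field": ("keyword", False),
    "id_value": ("keyword", False),
    **{f"category_{i}_score": ("float", False) for i in range(1, 6)},
    **{f"category_{i}_count": ("long", False) for i in range(1, 6)},
    "inputs": ("object", True),
    "notes": ("keyword", True),
}
INPUT_FIELDS: Dict[str, Tuple[str, bool]] = {
    "id": ("keyword", False),
    "index": ("keyword", False),
    "category": ("keyword", False),
    "description": ("keyword", False),
    "risk_score": ("float", False),
    "timestamp": ("date", False),
}


def _check_scalar(ecs_type: str, value: Any) -> bool:
    """Map an ECS leaf type to the JSON value shapes Elasticsearch accepts."""
    if ecs_type == "keyword":
        return isinstance(value, str)
    if ecs_type == "float":  # ints coerce to float; bools must not
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if ecs_type == "long":
        return isinstance(value, int) and not isinstance(value, bool)
    if ecs_type == "date":  # accept RFC 3339 with a trailing Z
        try:
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    return False


def _validate_fields(obj: Any, defs: Dict[str, Tuple[str, bool]], prefix: str) -> List[str]:
    errors: List[str] = []
    if not isinstance(obj, dict):
        return [f"{prefix}: expected an object"]
    for key, value in obj.items():
        path = f"{prefix}.{key}"
        if key not in defs:
            errors.append(f"{path}: field not defined in risk.yml")
            continue
        ecs_type, is_array = defs[key]
        if is_array and not isinstance(value, list):
            errors.append(f"{path}: normalize: array requires a list")
        if not is_array and isinstance(value, list):
            errors.append(f"{path}: scalar field given a list")
        for item in value if isinstance(value, list) else [value]:
            if ecs_type == "object":
                errors.extend(_validate_fields(item, INPUT_FIELDS, path))
            elif not _check_scalar(ecs_type, item):
                errors.append(f"{path}: expected {ecs_type}, got {type(item).__name__}")
    return errors


def validate_document(doc: Dict[str, Any]) -> List[str]:
    """Return a list of violations; an empty list means the document conforms."""
    errors: List[str] = []
    if "risk" in doc:
        errors.append("risk: not allowed at top level (reusable.top_level: false)")
    for parent in FORBIDDEN_PARENTS:
        block = doc.get(parent)
        if isinstance(block, dict) and "risk" in block:
            errors.append(f"{parent}.risk: not allowed; use event.risk_score / event.risk_score_norm")
    for parent in EXPECTED_PARENTS:
        block = doc.get(parent)
        if isinstance(block, dict) and "risk" in block:
            errors.extend(_validate_fields(block["risk"], RISK_FIELDS, f"{parent}.risk"))
    return errors


# Constructed samples; ids and index names are placeholders, not real data.
GOOD_DOC = {
    "host": {
        "name": "host-001.local",
        "risk": {
            "id_field": "host.name",
            "id_value": "host-001.local",
            "category_1_score": 33.0,
            "category_1_count": 3291,
            "inputs": [{
                "id": "placeholder-input-id",
                "index": "placeholder-risk-inputs",
                "category": "category_1",
                "description": "Generated from Detection Engine Rule: Malware Prevention Alert",
                "risk_score": 30.0,
                "timestamp": "2019-08-16T01:40:25Z",
            }],
            "notes": ["This score was boosted due to the entity being a host."],
        },
    }
}
BAD_DOC = {
    "event": {"risk": {"category_1_score": 10.0}},  # forbidden placement
    "user": {
        "name": "alice",
        "risk": {
            "id_field": "user.name",
            "id_value": "alice",
            "category_1_count": "3291",        # string where long is required
            "inputs": {"id": "placeholder"},   # normalize: array violated
            "calculated_level": "High",        # not defined in this file
        },
    },
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, validate_document(doc) or "conforms")
```

The `event.risk` check is the one worth keeping even if the rest is relaxed: an ingest pipeline that lets entity risk land under `event.*` silently collides with the separate `event.risk_score` semantics the schema text points to.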