-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DRAFT: new RBA Object #263
base: contentctl_5
Are you sure you want to change the base?
Conversation
Right now, all of the RBA bits are required for every detection type. Do we want to require ALL fields for all types of detections? Or ONLY allow it (or make it optional) for certain types of detections? |
@pyth0n1c - addressed in-line
That's a good question. I want to see how easy it is to get the information we have from
That's correct- message fields don't have to be risk/threat objects (putting things like |
multiple inheritance, to StrEnum or IntEnum
However, this has not received any testing yet.
now that they have been more strictly defined as IntEnum or StrEnum. This has not yet been tested.
…StrEnum and IntEnum when writing YMLs from objects that contain them.
new_content.py
that restated it. but this is not necessary if they inherit from SecurityContentObject
Current state: This has now been fully retargeted + merge conflicts handled to work with the Will look into creating one so that testing of these changes can continue against real content (Currently, build fails out almost immediately due to the strict field changes on a lookup) |
New content testing branch: splunk/security_content#3269 Temporarily updated CI config to use that instead |
NOT YET READY FOR REVIEW
The
tags.observable
mechanism for RBA is unnecessary extra mental gymnastics, and is based on terminology that never materialized elsewhere. This PR will introduce a new top level field namedrba
that contains the RBA related fields and removetags.observable
, andtags.message
.Update:
tags.confidence
andtags.impact
will stay in place and be documented as serving the purpose they defacto do today, which is the detection author's confidence in the analytic to find true positives, and the level of impact they have today, as well as being constructed as part of the calculation of notable severity. The validation confirming a risk score is the product of those two integers will not carry forward.Example of this new object, using the bundled detection:
Things to do:
tags.observable
ORSES
contentctl init
tags.confidence
andtags.impact
contentctl new
wizard<insert next fun little surprise we left for later and need to fix here>