[RFC] Risk Score Extensions - Stage 2 #2276
Conversation
rylnd
commented
Sep 19, 2023
•
rylnd
commented
- Adds Source Data example
- Adds Scope of Impact section
- Updates Concerns section
- Adds asset criticality fields
- Updates category scores to be normalized
- Swaps definitions of Categories 2 and 4 (so that 2 is released in 8.13)
* Adds Source Data example * Adds Scope of Impact section * Updates Concerns section
| The following is an example alert from Kibana's detection engine. This alert would contribute to a user risk score for `Arturo_Haley`. | ||
|
|
||
| ```json | ||
| { |
There was a problem hiding this comment.
I'm not seeing the fields from https://github.com/elastic/ecs/blob/main/rfcs/text/0042/risk.yml included in the example alert included. Are those fields still relevant?
There was a problem hiding this comment.
This is probably my misunderstanding; I didn't quite understand what "source document" meant in this context, so this is an alert document from which a risk score document would be derived. Should this instead be a risk score document?
There was a problem hiding this comment.
The idea is to capture one or more real-world examples of how these fields are used, ideally like you'd see in the _source field of a ES document.
Should this instead be a risk score document?
I'm not familiar with what's in a risk score document. If the risk score doc provides examples using the risk.category_*_score and risk.category_*_count fields as proposed, yes, I think that's helpful.
Co-authored-by: Eric Beahan <ebeahan@gmail.com>
I misunderstood the "source data" section; a risk score document is what actually shows the proposed fields being used.
This represents the total number of alerts that were processed to create this risk score; having a larger number is both more realistic, and also highlights the fact that the number of inputs will be very small compared to this number.
We've added this functionality within the product, we should discuss and add these fields to ECS as well.
This was previously not clear from the examples/descriptions: category scores will be normalized to the 0-100 range, and only the `calculated_score` represents the "raw" score of the entity.
* category scores are within 0-100 * category scores sum to the calculated_score_norm * category 5 is present since criticality is present
| @@ -97,7 +97,7 @@ | |||
| type: float | |||
| example: 75.0 | |||
| description: > | |||
| The contribution of Category 5 to the overall risk score (`calculated_score`). | |||
| The contribution of Category 5 to the overall normalized risk score (`calculated_score_norm`). | |||
There was a problem hiding this comment.
@ebeahan @SourinPaul this was the main change I made to convey that these category scores are themselves normalized. I originally had included the phrase "normalized contribution" to be more explicit, but that seemed redundant since the contribution to a normalized score only really makes sense if they can be compared (/are normalized / exist in the same value range, etc). Let me know if you opinions/suggestions.
|
@ebeahan I just pushed some changes here, summarized as:
I think that's appropriate here, but let me know if I'm mistaken and I can amend. |
We decided to number our risk categories based on the order in which they are introduced in kibana. Since Asset Criticality is being released next, and AC corresponds to the Entity Contexts category, it's now Category 2.
This reverts commit 323ed90. Conflicts: rfcs/text/0042-risk-score-extensions.md rfcs/text/0042/risk.yml
|
This PR is stale because it has been open for 60 days with no activity. |
