Add rule attribution fields #754
Conversation
MikePaquette
requested review from
webmat,
rw-access,
dainperkins and
randomuserid
schemas/rule.yml
Outdated
|
|
||
| example: Apache 2.0 | ||
|
|
||
| - name: license_reference |
There was a problem hiding this comment.
I'm not sure the reference URL of the license of the rule should be added to every single alert. That would take a whole lot of room for very little benefit, no?
There was a problem hiding this comment.
Good question. Yes, this does seem like very little benefit to most events/alerts that would be received. It would be most valuable to a rule document itself, which is not technically an ECS event.
There was a problem hiding this comment.
I've removed this field altogether for now. If we build a strong case for it later, we can add with another PR.
schemas/rule.yml
Outdated
| description: > | ||
| Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | ||
|
|
||
| example: John R. Doe, Elastic, s3cst1ltsk1n |
There was a problem hiding this comment.
Two things about the example here.
First, please only put one value in the example. The asciidoc rendering looks funny otherwise (see here). To provide multiple different examples, for now we have to do it via the description.
Second, the alphanumeric handle looks strange. I know it's supposed to represent an online handle. Perhaps we could use a known handle like "Citizenfour", or a fictional one like "Starlord"?
|
Added Star-Lord as example. Removed |
There was a problem hiding this comment.
Thanks for the adjustments, @MikePaquette.
Noticed two more things. I can do the adjustments myself and merge @MikePaquette. Are you good with this?
schemas/rule.yml
Outdated
| normalize: | ||
| - array | ||
|
|
||
| - name: license_type |
There was a problem hiding this comment.
I just noticed the field name rule.license_type here. I think we should simply name this rule.license, in order to be aligned with package.license.
schemas/rule.yml
Outdated
| description: > | ||
| Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | ||
|
|
||
| example: Start-Lord |
There was a problem hiding this comment.
| example: Start-Lord | |
| example: Star-Lord |
|
@webmat Thanks, yes, please make both changes. |
The
rules.*fieldset allows the inclusion of details about a rule used to perform some kind of detection. Detection rules are viewed by some as software, and by others as creative content. Either way, rules will commonly be made available pursuant to a license and/or requirement to provide attribution to the rule author(s.)This PR adds three new "attribution" fields to the
rule.*fieldset:rule.author: Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.rule.license_type: Name of the license under which the rule used to generate this event is made available.rule.license_reference: Reference URL to the license under which the rule used to generate this event is made available.Related question: since there are two "license" fields being proposed, should we create a
license.*sub-object?