CSNF Documentation - Spring 2023 Update

• 1: Cloud Security Notification Framework Specification
• 1.1: Scope
• 1.2: Use Cases
• 1.3: Provider Experience
• 1.4: Consumer Experience
• 1.5: Alerts, Controls, and Risks
• 2: Core Components
• 2.1: Canonical Data Model
• 2.2: CSNF Decorators
• 3: Contribution Guidelines
• 3.1: Next Steps: Contribute!
• 3.2: Contributor Code of Conduct
• 3.3:
• 4: CSNF Steering Committee Membership
• 5: CSNF birthday-cake
• 6: CSNF demo-service (archived)

This page contains information on the Spring 2023 Cloud Security Notification Framework Splunk Technology Add-on release.

Purpose

The purpose of the CSNF Splunk Technology Add-on is to provide a set of common attribute mappings in support of multi-cloud enterprise security SIEM and SOAR operations.

Who is this app for?

The primary audiance for this application are security detection engineering teams who wish to integrate CSNF within their multi cloud security landing zone.

How does the app work?

It works by mapping keys and values provided by your configured cloud provider to a set of CSNF common properties. The CSNF’s canonical data model standardizes alerts received from multiple cloud and SaaS providers that can be used as inputs by the SOC for common security workflows.

1 - Cloud Security Notification Framework Specification

Scope

• The focus of initial iterations is on data in the Security space. Other domains (e.g., operational monitoring) may be addressed in the future.
• Need to think of cloud services from the context of IaaS, PaaS, and SaaS and focus on data from Cloud Service Providers (CSPs).
• CSPs include not only Cloud Providers like Azure, Amazon, Google, but also security solutions / services from Symantec, Microsoft Defender for ATP, etc.
• The initial effort is scoped to documenting the common taxonomy.
• Format of the taxonomy is scoped to json or others (Syslog, CEF)? [Where do we get the broadest market adoption- can we be format agnostic?]

Out of Scope

• The specific technology as to how do these CSPs protect security perimeter.
• Security Solutions not protecting cloud workloads.
• Updating CSPs to include the common taxonomy is not in scope. [CSPs can update at their own pace as needed at least foundational elements]
• Potential future scope –Tooling for compliance certification to the published taxonomy

Approach

Each CSP today has capabilities to expose security-significant information and events to consumers. A number of 3<sup>rd</sup> party security and non-security services expose and consume this kind of information as well. However, there is no common format or standard for these events,and when consumers of these events need to receive and process eventsfrom multiple sources (for e.g., multiple CSPs or security solutions) – it becomes challenging.

Unfortunately, it is not possible nor practical to ask all CSPs and other security service providers to change their formats to align to common format and schema – each CSP and other security service providers has its own ecosystem and major format change will be highly disruptive for whole ecosystem, also it will make adoption extremely hard and slow.

In the view of that, ONUG working group decided to pursue “decorator” model - Cloud Security Notification Framework (CSNF), of adding certain key attributes to existing events, helping to map events into common model while allowing event providers to continue to use existing proprietary schemas. Drawback of this approach is added overhead of duplication of certain data elements, particularly when the CSP / solution provider has those fields defined in their schema already. These fields will be included twice, once in their original format and another in the envelope that’ll be defined.

Use Cases

Security-significant information in scope for this work falls into few major types and use cases:

1. Security detection events

   Provider: These events are produced by CSP and are flagging possible attacks or other abnormal activity that may indicate or may be related to possible security breach. For e.g., antivirus running on IaaS node may detect malicious code, or network-level security monitoring systemmay detect network-level DDoS attack.

   Primary consumer of these events: SOC and security monitoring systems.

   Key common information for this type of events:

   • Time stamp
   • Subscription(s) and Resource(s) information
   • Possible MITRE mappings [applies to detection but not controls]

2. Security audit events

   Provider: These events are produced by CSP, by app itself and/or by 3rd party services to capture security-significant events that don’t necessarily indicate an attack but may be required to understand key activities in various systems. Capturing these events is essential for investigations and incident response, for understanding of systems security posture, and for creating audit trail required for compliance and other purposes.

   Primary consumer(s) of these events:

   • SOC
   • Security team (for security state monitoring, for threat hunting etc.)
   • Compliance team (to demonstrate compliance with various certifications)

   Key common information for this type of events:

   • Time stamp
   • Subscription(s) and Resource(s) information
   • Possible NIST 800-53 mappings

3. Security State information

   Provider: Security State information describes essential security policies and configurations of the system. For e.g., which ports are open to the internet, whether AV is running on specific node(s), system lockdown applied to IaaS VM(s) etc. These are produced by security solutions that track security posture and manage configurations and policies.

   Primary consumer(s) of these events:

   • SOC (to enable incident response and analysis)
   • For compliance and for other purposes.

Security State information by itself is not in the form of events – it is more of a set of configurations and policies, however changes of security state information may generate events – for e.g., audit events, and/or detection events. For example, if an operator changed security state using LiveSite tools or via deployment, it will generate audit events, and some of these changes may generate security detection events if new configuration is causing concerns (for e.g. AV disabled on the node). [ what controls would apply to classify security state - scope controls? - outcome is policies generating events- would this overlap with above buckets?] [recognize whether the alert is the outcome from a risk / security posture change is important - somehow can we reflect this in this envelope - map state changes like change in threat protection etc.]

Provider Experience

We need to consider certain major provider types: Cloud Providers (for e.g., Azure, AWS, other clouds)

1. Cloud providers naturally is one of the major sources of the data of interest, and for many types of data cloud providers may be the only source of certain critical data.

   It is important to highlight that we should consider cloud providers of different types, covering IaaS, PaaS and SaaS. For e.g., typical enterprise may be hosting some IaaS resources on AWS and Azure, may be using PaaS resources (e.g. DynamoDB or Azure CosmosDB), at the same time also using Office 365 SaaS services for productivity apps, ADP services for paystub and employee taxes handling and PagerDuty to facilitate OnCall and LiveSite alerting. The enterprise would need to collect and process security-significant events for all services it is using.

2. 3rd party monitoring and other services

   Cloud customers are often using various 3rd party services to monitor their apps & services. A lot of monitoring is focused on Operational monitoring, but there is also security aspect of it. For e.g., application-level security and audit logs are often collected by the monitoring service.

   There are also specialized security services that may be protecting internet-facing endpoints, and/or services that are monitoring internet-facing endpoints and alert on potential security exposures.

   These services would be important producers of security events.

3. Security data enrichment and processing services

   Some of security monitoring services will also act as data processors – collecting various audit and other data from customer services, and then producing security detections and other events. For e.g., ML models may be used to detect unusual activity, or unexpected admin actions etc.

   Some of services of this type are offered by CSPs (e.g., Azure Security Center), others are offered by 3rd parties.

Consumer Experience

We need to consider certain major user types that consumes data from the CSPs for different applications.

1. SIEM and SOAR

   SIEM is one of the primary consumers of security events of all types, to facilitate SOC, Incident Response and other activities.

   For SIEM Security and Audit events are most important, also reference data (e.g., inventory) as well as security state information (policies in place etc.) are essential.

   SIEMs are typically offered as independent 3rd party services (e.g., Splunk), some of the SIEMs are also offered by CSPs (e.g., Azure Sentinel).

2. Threat Protection Services

   Endpoint protection, advanced monitoring and response capabilities, e.g., Microsoft Defender protection for endpoint, Crowdstrike.

3. Security State Assessment services/products

   Security State Assessment allows service owners to keep an eye on security state of their services, including security state of various cloud resources used as a part of (or by) the service.

   For Security State Assessment services Security State information and events indicating changes of that information are most important, although many of security products are combining Security State Assessment with Security Response or other functionality, expanding types of data required.

   Typically, CSPs these days are offering services that provide Security State Assessment (e.g., Azure Security Center), however there are also number of 3rd party services that are providing Security State and other services (e.g., cybersecurity.att.com).

4. Compliance Processes and Products

   Meeting various certifications and compliance requirements typically requires demonstrating that the service has adequate security monitoring & response, security policies/best practices and other capabilities. This assessment usually is based on collecting various information about the service(s) and how these services are being used and run.

   Information in scope of this effort will be important and useful for Compliance processes and products, especially NIST 800-53 mappings.

Proposed experience options TABLE STILL WIP (Jenn)

Providers have a stake always in all options - Relationships of the mappings are stored in a way by the service providers

Time, cost and risk implications depending on approach of tooling

Alerts, Controls and Risks

Usually, cloud platforms create events, those can be cloud resources usage events or alerts of all sorts. Many security vendors today attach MITRE tactics tags to their alerts, since an alert usually reflects a probable attack, or attack action, that can be classified to MITRE tactic.

Other security solutions, that deal with compliance (to a set of controls, such as regulation or standard) and report on vulnerabilities or control deficiencies. The connection between a control and an attack technique is not always clear. A control is aimed at mitigating a risk, and sometimes a vulnerability, but an attack can exploit many vulnerabilities, so the lack of a specific control can lead to many potential attacks, but this is dependent in the specific implementation of technology (which is not always part of the equation).

Following that – if we’re dealing with taxonomy the deal with alerts, adding MITRE tags, this can be done by the CSP or the system creating that alert. But attaching a specific control to the alert, depends on many other factors that are not known to the system creating the alert. For example: alert on a brute-force attempt on a cloud infrastructure – the relevant tactics are simple. Controls over that type of alert can be multiple, and come from multiple areas – those controls can be processes, procedures, or technological, they can be preventive or detective etc.

If we are not talking about alerts, but rather control deficiencies, such as lack of updates, firewall or antimalware not operating properly – the recommended control is clear, but the relevant attacks or risks are not easily deducted – a list of potential risks can be created, but this is dependent on many parameters (architecture, technology, accessibility etc.) so this is a complicated task that is being dealt with compliance systems.

Scenarios

As a SOC analyst, I need to be able to get contextual threat information and alerts from multiple CSPs.

1. what represents the greatest amount of risk – CSP informs part of that
2. asset that we try to protect – shared responsibility

Activity path - get alert -> validate whether false positive / true -> assess impact -> contextualize the alert -> resources and assets associated with alerts -> factors we are looking at -> high level data/functions these resources server -> categorize and prioritize -> identify the owner of the resource -> notify the owner -> determine appropriate action

Alert examples

Example 1 - (Medium severity) PREVIEW - Suspicious management session using an inactive account detected

Provider: Azure

Tactic: Persistence

Resources: Resource id, Subscription, User Principal Name (User account), Geolocation of the user associated with UPN, Client IP address / IP address associated with the UPN

Suspicious action: action points to resource on storage account ["Microsoft.Storage/storageAccounts/listKeys/action"]

Recommended actions:

More information link:

Example 2 - Activity insights security alert

Provider: IBM

Tactic:

Resources: provider resource id,

Attacker / Actor: user account

Trigger / Suspicious action:

Event time

JSON CODE BLOCK

{

"outcome": "success",

"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",

"eventType": "activity",

"eventTime": "2021-01-28T04:50:52.51+0000",

"action": "security-advisor.findings.write",

"id": "3ac99528-bdd5-41ed-8729-68e9c37195f7",

"initiator": {

"id": "iam-ServiceId-5f4ca4ac-9a64-4bf0-ae03-4ad9a21afe42",

"name": "IBM Security Advisor",

"typeURI": "service/security/account/serviceid",

"host": {},

"credential": {

"type": "apikey"

}

},

"target": {

"id": "crn:v1::public:security-advisor:us-south:a/29104aa4ec94471284be7d33bf1b1391::occurrence:ata-1611809449329",

"name": "findingsapi",

"typeURI": "security-advisor/occurrence"

},

"observer": {

"name": "ActivityTracker",

"id": "activitytracker.ng.bluemix.net",

"typeURI": "service/security/edge/activity-tracker"

},

"reason": {

"reasonCode": 200,

"reasonType": "OK"

},

"requestData": {

"context": {

"region": "us-south",

"resource_name": "test-del",

"resource_type": "kms/secrets",

"service_crn": "crn:v1:bluemix:public:kms:us-south:a/f586c28d154d4c65a4a4a34cf75f55d0:bec392cc-97b0-45a1-9b94-e402de42e629::",

"service_name": "kms"

},

"finding": {

"certainty": "HIGH",

"next_steps": [

{

"title": "This finding was generated by an AT Event which was reported at 2021-01-28T04:32:55.46+0000 with action kms.secrets.delete"

}

]

},

"kind": "FINDING",

"id": "ata-1611809449329",

"note_name": "29104aa4ec94471284be7d33bf1b1391/providers/security-advisor/notes/ata-kms-key-deleted"

},

"responseData": {

"author": {

"account_id": "d642e8edf6b1e1b3e9de1f795f721a55",

"email": null,

"id": "iam-ServiceId-5f4ca4ac-9a64-4bf0-ae03-4ad9a21afe42",

"kind": "service-id"

},

"context": {

"account_id": "29104aa4ec94471284be7d33bf1b1391",

"region": "us-south",

"resource_name": "test-del",

"resource_type": "kms/secrets",

"service_crn": "crn:v1:bluemix:public:kms:us-south:a/f586c28d154d4c65a4a4a34cf75f55d0:bec392cc-97b0-45a1-9b94-e402de42e629::",

"service_name": "kms"

},

"create_time": "2021-01-28T04:50:52.487587Z",

"create_timestamp": 1611809452488,

"finding": {

"certainty": "HIGH",

"next_steps": [

{

"title": "This finding was generated by an AT Event which was reported at 2021-01-28T04:32:55.46+0000 with action kms.secrets.delete"

}

],

"severity": "HIGH"

},

"id": "ata-1611809449329",

"insertion_timestamp": 1611809452488,

"kind": "FINDING",

"long_description": "A change to KMS key was detected.",

"name": "29104aa4ec94471284be7d33bf1b1391/providers/security-advisor/occurrences/ata-1611809449329",

"note_name": "29104aa4ec94471284be7d33bf1b1391/providers/security-advisor/notes/ata-kms-key-deleted",

"provider_id": "security-advisor",

"provider_name": "29104aa4ec94471284be7d33bf1b1391/providers/security-advisor",

"reported_by": {

"id": "ata",

"title": "Activity insights"

},

"short_description": "KMS key change was detected.",

"update_time": "2021-01-28T04:50:52.487476Z",

"update_timestamp": 1611809452487,

"updateweekdate": "2021-W04-4",

"corelationId": "3407fe31-586e-4cf0-a123-825e43044936"

},

"severity": "normal",

"message": "Security Advisor: write findingsapi success",

"meta": {

"serviceProviderName": "security-advisor-dev",

"serviceProviderRegion": "ng",

"serviceProviderProjectId": "f781f06f-4ab3-45a3-916c-7806b3e81535",

"userAccountIds": [

"29104aa4ec94471284be7d33bf1b1391"

]

},

"logSourceCRN": "crn:v1:staging:public:security-advisor:us-south:a/29104aa4ec94471284be7d33bf1b1391:74128119-5107-5dbf-a2cf-5e9be228a243:security-advisor:",

"saveServiceCopy": true

}

[Action Item]{.ul}: Get some more examples from SOCs (Peter / Anatoliy / Janet / Preeti)

Example 3. AWS Example: Discovery:IAMUser/AnomalousBehavior

Tactics: Discovery TA0007

Resources: Access key

Attacker: Attacker UPN, Attacker geoloc, IP address

Suspicious Actions: type - AnomalousBehavior

[

{

"schemaVersion": "2.0",

"accountId": "123456789012",

"region": "us-east-1",

"partition": "aws",

"id": "0cbc8b3347ac538047fc56c2f4fe11a7",

"arn": "arn:aws:guardduty:us-east-1:123456789012:detector/3ab4a4be46389973d8f5f33bc86a29ea/finding/0cbc8b3347ac538047fc56c2f4fe11a7",

"type": "Discovery:IAMUser/AnomalousBehavior",

"resource": {

"resourceType": "AccessKey",

"accessKeyDetails": {

"accessKeyId": "ASIARZOOKWPXR24HLMYM",

"principalId": "AROAIHWLDLKQ2YARYAIIW:815945",

"userType": "AssumedRole",

"userName": "READONLYACCESS"

}

},

"service": {

"serviceName": "guardduty",

"detectorId": "3ab4a4be46389973d8f5f33bc86a29ea",

"action": {

"actionType": "AWSAPICALL",

"awsApiCallAction": {

"api": "DescribeClusters",

"serviceName": "redshift.amazonaws.com",

"callerType": "Remote IP",

"remoteIpDetails": {

"ipAddressV4": "74.80.52.132",

"organization": {

"asn": "25921",

"asnOrg": "LUS-FIBER-LCG",

"isp": "LUS Fiber",

"org": "LUS Fiber"

},

"country": {

"countryName": "United States"

},

"city": {

"cityName": "Lafayette"

},

"geoLocation": {

"lat": 30.209,

"lon": -92.0607

}

},

"affectedResources": {}

}

},

"resourceRole": "TARGET",

"additionalInfo": {

"userAgent": {

"fullUserAgent": "aws-internal/3 aws-sdk-java/1.11.965 Linux/4.9.230-0.1.ac.224.84.332.metal1.x8664 OpenJDK64-BitServerVM/25.282-b08 java/1.8.0282 vendor/OracleCorporation",

"userAgentCategory": "aws-internal/3"

},

"anomalies": {

"anomalousAPIs": "redshift.amazonaws.com:[DescribeClusters:success , DescribeClusterSubnetGroups:success , DescribeClusterSnapshots:success] , health.amazonaws.com:[DescribeEventAggregates:success]"

},

"profiledBehavior": {

"rareProfiledAPIsAccountProfiling": "",

"infrequentProfiledAPIsAccountProfiling": "",

"frequentProfiledAPIsAccountProfiling": "DescribeClusters , CreateLogStream , DescribeInstances , DescribeVolumes , DescribeNetworkInterfaces , DescribeTags , DescribeVpcs , ListAccountAliases , DescribeSecurityGroups , GetResources , DescribeSubnets , GetBucketAcl , DescribeLoadBalancers , UpdateInstanceInformation , DescribeAlarms , DescribeTable , ListFunctions20150331 , DescribeDBInstances , GetBucketLocation , ListBuckets",

"rareProfiledAPIsUserIdentityProfiling": "DescribeClusters , DescribeAccountAttributes , DescribeClusterSubnetGroups , ListSecrets , DescribeReservedNodes , DescribeAlarms , DescribeEvents , DescribeClusterSnapshots",

"infrequentProfiledAPIsUserIdentityProfiling": "GetResources",

"frequentProfiledAPIsUserIdentityProfiling": "DescribeEventAggregates",

"rareProfiledUserTypesAccountProfiling": "",

"infrequentProfiledUserTypesAccountProfiling": "",

"frequentProfiledUserTypesAccountProfiling": "ASSUMEDROLE , AWSSERVICE , ROLE",

"rareProfiledUserNamesAccountProfiling": "",

"infrequentProfiledUserNamesAccountProfiling": "",

"frequentProfiledUserNamesAccountProfiling": "READONLYACCESS , TAPDATASCIENTIST , AWSServiceRoleForAutoScaling , AWSServiceRoleForFMS , tenableio-connector , AWSServiceRoleForECS , AWSServiceRoleForComputeOptimizer , CUSTODIANEBSSNAPSHOT , eksctl-dmm-trial-cluster-ServiceRole-1L4F9KZTGGC6 , CUSTODIANSNS , TAPWorkerNode , AnalyticsAdminDMM , covid19-dynamostream-role-d4oaxatk , RESOURCETAGGING , AWSGlueDataBrewServiceRole-da-analytics , eksctl-dmm-triali-v17-cluster-ServiceRole-1V8OR5U5VMNSA , CUSTODIANIAMUSER , CUSTODIANEBS , AWSServiceRoleForTrustedAdvisor , CloudabilityRole",

"rareProfiledASNsAccountProfiling": "asnNumber: 396356 asnOrg: MAXIHOST asnNumber: 11776 asnOrg: ATLANTICBB-JOHNSTOWN asnNumber: 22773 asnOrg: ASN-CXA-ALL-CCI-22773-RDC asnNumber: 12271 asnOrg: TWC-12271-NYC asnNumber: 16591 asnOrg: GOOGLE-FIBER asnNumber: 10796 asnOrg: TWC-10796-MIDWEST",

"infrequentProfiledASNsAccountProfiling": "asnNumber: 11427 asnOrg: TWC-11427-TEXAS asnNumber: 6079 asnOrg: RCN-AS asnNumber: 26827 asnOrg: EPBTELECOM asnNumber: 20115 asnOrg: CHARTER-20115 asnNumber: 209 asnOrg: CENTURYLINK-US-LEGACY-QWEST",

"frequentProfiledASNsAccountProfiling": "asnNumber: 14618 asnOrg: AMAZON-AES asnNumber: 16509 asnOrg: AMAZON-02 asnNumber: 22616 asnOrg: ZSCALER-SJC1 asnNumber: 7922 asnOrg: COMCAST-7922 asnNumber: 7018 asnOrg: ATT-INTERNET4 asnNumber: 701 asnOrg: UUNET asnNumber: 46690 asnOrg: SNET-FCC asnNumber: 26292 asnOrg: ASN-SHREWS",

"rareProfiledASNsUserIdentityProfiling": "asnNumber: 22773 asnOrg: ASN-CXA-ALL-CCI-22773-RDC asnNumber: 701 asnOrg: UUNET asnNumber: 6079 asnOrg: RCN-AS asnNumber: 7922 asnOrg: COMCAST-7922 asnNumber: 22616 asnOrg: ZSCALER-SJC1 asnNumber: 12271 asnOrg: TWC-12271-NYC asnNumber: 16591 asnOrg: GOOGLE-FIBER",

"infrequentProfiledASNsUserIdentityProfiling": "",

"frequentProfiledASNsUserIdentityProfiling": "",

"rareProfiledUserAgentsAccountProfiling": "AWS CloudWatch Console , AWS ElasticMapReduce Console",

"infrequentProfiledUserAgentsAccountProfiling": "",

"frequentProfiledUserAgentsAccountProfiling": "AWS Service , OTHER , Botocore , aws-sdk-go , AWS Internal , aws-internal/3 , aws-sdk-java , AwsSignin , browser , aws-sdk-cloudwatchlogs , aws-sdk-nodejs , Amazon ECS Agent , aws-cli",

"rareProfiledUserAgentsUserIdentityProfiling": "aws-internal/3",

"infrequentProfiledUserAgentsUserIdentityProfiling": "AWS Service",

"frequentProfiledUserAgentsUserIdentityProfiling": "AwsSignin"

},

"unusualBehavior": {

"unusualAPIsAccountProfiling": "",

"unusualAPIsUserIdentityProfiling": "",

"unusualUserTypesAccountProfiling": "",

"unusualUserNamesAccountProfiling": "",

"unusualASNsAccountProfiling": "asnNumber: 25921 asnOrg: LUS-FIBER-LCG",

"unusualASNsUserIdentityProfiling": "asnNumber: 25921 asnOrg: LUS-FIBER-LCG",

"unusualUserAgentsAccountProfiling": "",

"unusualUserAgentsUserIdentityProfiling": "",

"isUnusualUserIdentity": "false"

}

},

"evidence": null,

"eventFirstSeen": "2021-04-28T02:41:25Z",

"eventLastSeen": "2021-04-28T02:41:25Z",

"archived": false,

"count": 1

},

"severity": 2,

"createdAt": "2021-04-28T02:54:50.712Z",

"updatedAt": "2021-04-28T02:54:50.712Z",

"title": "User AssumedRole : READONLYACCESS is anomalously invoking APIs commonly used in Discovery tactics.",

"description": "APIs commonly used in Discovery tactics were invoked by user AssumedRole : READONLYACCESS, under anomalous circumstances. Such activity is not typically seen from this user."

}

]

Example 4 - Based on SOC Feedback: AWS WAF Block - Provided by Peter Campbell, Cigna

#################### AWS WAFv2 Block ##############

{

"timestamp": 1621948354754,

"formatVersion": 1,

"webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/FMManagedWebACLV2Regional-WAFv2-Public1613136926787/b804e435-41ba-4ec3-8739-935234a522aa",

"terminatingRuleId": "PREFMManaged758ab7a6-aed4-4ae4-b688-eb7aaebf2c9f1",

"terminatingRuleType": "MANAGEDRULEGROUP",

"action": "BLOCK",

"terminatingRuleMatchDetails": [],

"httpSourceName": "APIGW",

"httpSourceId": "123456789012:ejwlrg1bkl:live",

"ruleGroupList": [{

"ruleGroupId": "arn:aws:wafv2:us-east-1:123456789012:regional/rulegroup/regional-wafv2-blocklist-public/95bd55a7-be5f-4246-bcaf-ae1456542b26",

"terminatingRule": null,

"nonTerminatingMatchingRules": [],

"excludedRules": null

},

{

"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",

"terminatingRule": {

"ruleId": "GenericRFI_URIPATH",

"action": "BLOCK",

"ruleMatchDetails": null

},

"nonTerminatingMatchingRules": [],

"excludedRules": null

}

],

"rateBasedRuleList": [],

"nonTerminatingMatchingRules": [],

"requestHeadersInserted": null,

"responseCodeSent": null,

"httpRequest": {

"clientIp": "69.218.228.82",

"country": "US",

"headers": [{

"name": "X-Forwarded-For",

"value": "69.218.228.82"

},

{

"name": "X-Forwarded-Proto",

"value": "https"

},

{

"name": "X-Forwarded-Port",

"value": "443"

},

{

"name": "Host",

"value": "p-digital.digitaledge.XXXXXX.com"

},

{

"name": "X-Amzn-Trace-Id",

"value": "Root=1-60acf7c2-6164bd525be699a6776c15fe"

},

{

"name": "User-Agent",

"value": "Test Certificate Info"

},

{

"name": "Cache-Control",

"value": "no-cache"

}

],

"uri": "/https://p-digital.digitaledge.XXXXXX.com/",

"args": "",

"httpVersion": "HTTP/1.1",

"httpMethod": "HEAD",

"requestId": "f4umcGG7IAMFTYQ="

}

} {

"timestamp": 1621948487327,

"formatVersion": 1,

"webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/FMManagedWebACLV2Regional-WAFv2-Internal1613138918901/7ae7d539-1b0a-40ac-aeb6-c25ae8a3d4da",

"terminatingRuleId": "PREFMManagedbdf8c694-71d8-495b-a42d-deb8144d9f6d2",

"terminatingRuleType": "MANAGEDRULEGROUP",

"action": "BLOCK",

"terminatingRuleMatchDetails": [{

"conditionType": "SQL_INJECTION",

"location": "BODY",

"matchedData": [

"[BASE_64]H4sIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",

"3",

"C",

"[BASE_64]I0sDM1MTQ1MLI0szJR00tUX5ZZkpqUUQxQYm5uaGhg=="

]

}],

"httpSourceName": "APIGW",

"httpSourceId": "123456789012:t4v04bwetc:live",

"ruleGroupList": [{

"ruleGroupId": "arn:aws:wafv2:us-east-1:123456789012:regional/rulegroup/regional-wafv2-internal/03de6be1-f6d4-4bae-9c62-158e0af9785c",

"terminatingRule": null,

"nonTerminatingMatchingRules": [],

"excludedRules": null

},

{

"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",

"terminatingRule": null,

"nonTerminatingMatchingRules": [],

"excludedRules": null

},

{

"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",

"terminatingRule": {

"ruleId": "SQLi_BODY",

"action": "BLOCK",

"ruleMatchDetails": null

},

"nonTerminatingMatchingRules": [],

"excludedRules": null

}

],

"rateBasedRuleList": [],

"nonTerminatingMatchingRules": [],

"requestHeadersInserted": null,

"responseCodeSent": null,

"httpRequest": {

"clientIp": "10.189.113.193",

"country": "-",

"headers": [{

"name": "Host",

"value": "p-digital.internal.digitaledge.XXXXXX.com"

},

{

"name": "Content-Length",

"value": "133"

},

{

"name": "User-Agent",

"value": "python-requests/2.24.0"

},

{

"name": "Accept-Encoding",

"value": "gzip, deflate"

},

{

"name": "Accept",

"value": "*/*"

},

{

"name": "Authorization",

"value": ""

},

{

"name": "Content-Type",

"value": "application/json"

},

{

"name": "X-Request-Id",

"value": "dea13e40-71e1-49b7-9202-719a409ae676"

},

{

"name": "Content-Encoding",

"value": "gzip"

},

{

"name": "X-Forwarded-For",

"value": "10.189.113.193"

},

{

"name": "x-amzn-tls-version",

"value": "TLSv1.2"

},

{

"name": "x-amzn-cipher-suite",

"value": "ECDHE-RSA-AES128-GCM-SHA256"

},

{

"name": "x-amzn-vpce-id",

"value": "vpce-08ef3654f948a6153"

},

{

"name": "x-amzn-vpc-id",

"value": "vpc-01134f467b2c45ef0"

},

{

"name": "x-amzn-vpce-config",

"value": "1"

}

],

"uri": "/my/XXXXXX-reviews/v1/status",

"args": "",

"httpVersion": "HTTP/1.1",

"httpMethod": "POST",

"requestId": "f4u7KFVFoAMFXrQ="

}

Example 5 - Based on SOC feedback - Public Access to Object not Blocked - Provided by Peter Campbell, Cigna

namespace: onug.csnf.security.event.xxx

[

{

"schemaVersion": "2.0",

"accountId": "123456789012",

"region": "us-east-1",

"partition": "aws",

"id": "4cbcb3a0690db8fcac698e0bd3da65c5",

"arn": "arn:aws:guardduty:us-east-1:123456789012:detector/1BBD7aBAd3f8FfC6EF2Bb3CCE0EeBB2c/finding/4cbcb3a0690db8fcac698e0bd3da65c5",

"type": "Policy:S3/BucketBlockPublicAccessDisabled",

"resource": {

"resourceType": "AccessKey",

"accessKeyDetails": {

"accessKeyId": "ASIA46IH7B5JVYCXYB4N",

"principalId": "AROA46IH7B5J7BPCDZNTN:949237",

"userType": "AssumedRole",

"userName": "DEVELOPER"

},

"s3BucketDetails": [

{

"arn": "arn:aws:s3:::s3-medicare-reltio-json-outbound-temp",

"name": "s3-medicare-reltio-json-outbound-temp",

"defaultServerSideEncryption": null,

"createdAt": 1620934206,

"tags": [

{

"key": "AssetOwner",

"value": "dapda\@XXXXX.com"

},

{

"key": "DataOwner",

"value": "Matthew.Carroll\@XXXXX.com"

},

{

"key": "CiId",

"value": ""

},

{

"key": "DataSubjectArea",

"value": "Provider"

},

{

"key": "ResourceOwner",

"value": "Shankar.Subramani\@XXXXX.com"

},

{

"key": "ComplianceDataCategory",

"value": "phi:pii:hipaa"

},

{

"key": "DataCustodian",

"value": ""

},

{

"key": "Purpose",

"value": "Data Migration"

},

{

"key": "AppName",

"value": ""

},

{

"key": "AsaqId",

"value": ""

},

{

"key": "Project",

"value": "P"

},

{

"key": "CostCenter",

"value": "00790003"

},

{

"key": "DataClassification",

"value": "restricted"

},

{

"key": "BusinessDataCategory",

"value": "Provider"

}

],

"owner": {

"id": "5eabdf8f0a8f054c64e225b9e52b32290a8fd6163ed2a200416c2bccace4cc2e"

},

"publicAccess": {

"permissionConfiguration": {

"bucketLevelPermissions": {

"accessControlList": {

"allowsPublicReadAccess": false,

"allowsPublicWriteAccess": false

},

"bucketPolicy": {

"allowsPublicReadAccess": false,

"allowsPublicWriteAccess": false

},

"blockPublicAccess": {

"ignorePublicAcls": false,

"restrictPublicBuckets": false,

"blockPublicAcls": false,

"blockPublicPolicy": false

}

},

"accountLevelPermissions": {

"blockPublicAccess": {

"ignorePublicAcls": false,

"restrictPublicBuckets": false,

"blockPublicAcls": true,

"blockPublicPolicy": true

}

}

},

"effectivePermission": "NOT_PUBLIC"

},

"type": "Destination"

}

]

},

"service": {

"serviceName": "guardduty",

"detectorId": "1BBD7aBAd3f8FfC6EF2Bb3CCE0EeBB2c",

"action": {

"actionType": "AWSAPICALL",

"awsApiCallAction": {

"api": "PutBucketPublicAccessBlock",

"serviceName": "s3.amazonaws.com",

"callerType": "Remote IP",

"remoteIpDetails": {

"ipAddressV4": "165.225.220.243",

"organization": {

"asn": "22616",

"asnOrg": "ZSCALER-SJC1",

"isp": "Zscaler",

"org": "Zscaler"

},

"country": {

"countryName": "United States"

},

"city": {

"cityName": "Brooklyn"

},

"geoLocation": {

"lat": 40.7252,

"lon": -73.944

}

},

"affectedResources": {

"AWS::S3::Bucket": "s3-medicare-reltio-json-outbound-temp"

}

}

},

"resourceRole": "TARGET",

"additionalInfo": {},

"evidence": null,

"eventFirstSeen": "2021-05-13T19:31:48Z",

"eventLastSeen": "2021-05-13T19:31:48Z",

"archived": false,

"count": 1

},

"severity": 2,

"createdAt": "2021-05-13T19:42:51.931Z",

"updatedAt": "2021-05-13T19:42:51.931Z",

"title": "Amazon S3 Block Public Access was disabled for S3 bucket s3-medicare-reltio-json-outbound-temp.",

"description": "Amazon S3 Block Public Access was disabled for S3 bucket s3-medicare-reltio-json-outbound-temp by DEVELOPER calling PutBucketPublicAccessBlock. If this behavior is not expected, it may indicate a configuration mistake or that your credentials are compromised."

}

]

Example 6 - Based on SOC feedback - Object Exfil Unusual Object Reads - Provided by Peter Campbell, Cigna

[

{

"schemaVersion": "2.0",

"accountId": "123456789012",

"region": "us-east-1",

"partition": "aws",

"id": "f6bbe941e71df4233bb0ccf2b3c2114e",

"arn": "arn:aws:guardduty:us-east-1:123456789012:detector/30b4a4be02963c8c4af489ee69466725/finding/f6bbe941e71df4233bb0ccf2b3c2114e",

"type": "Exfiltration:S3/ObjectRead.Unusual",

"resource": {

"resourceType": "S3Bucket",

"accessKeyDetails": {

"accessKeyId": "ASIAXSC6MP3A525ZCU2A",

"principalId": "AROAISB2OBYT25RIR626O:391418",

"userType": "AssumedRole",

"userName": "DEVELOPER"

},

"s3BucketDetails": [

{

"owner": {

"id": "edb22168faa88922993a6841365882b349f44f4cd61a337959e72fc10b91af25"

},

"createdAt": 1582751796,

"publicAccess": {

"effectivePermission": "NOT_PUBLIC",

"permissionConfiguration": {

"accountLevelPermissions": {

"blockPublicAccess": {

"blockPublicPolicy": true,

"restrictPublicBuckets": false,

"blockPublicAcls": true,

"ignorePublicAcls": false

}

},

"bucketLevelPermissions": {

"accessControlList": {

"allowsPublicReadAccess": false,

"allowsPublicWriteAccess": false

},

"bucketPolicy": {

"allowsPublicReadAccess": false,

"allowsPublicWriteAccess": false

},

"blockPublicAccess": {

"blockPublicPolicy": true,

"restrictPublicBuckets": true,

"blockPublicAcls": true,

"ignorePublicAcls": true

}

}

}

},

"name": "imbigdata-dev-vendor-data-dnb-glue",

"defaultServerSideEncryption": {

"kmsMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/2ac1cb5e-650c-4062-a0c7-80a69adba4a2",

"encryptionType": "aws:kms"

},

"arn": "arn:aws:s3:::imbigdata-dev-vendor-data-dnb-glue",

"type": "Destination",

"tags": [

{

"value": "silvio.galea\@XXXXX.com",

"key": "AssetOwner"

},

{

"value": "notAssigned",

"key": "CiId"

},

{

"value": "product",

"key": "DataSubjectArea"

},

{

"value": "DataAnalytics",

"key": "businessDataCategory"

},

{

"value": "s3",

"key": "module"

},

{

"value": "pii",

"key": "ComplianceDataCategory"

},

{

"value": "imbigdata-vendor-data-dnb ingestion pipeline",

"key": "Purpose"

},

{

"value": "Terraform",

"key": "heritage"

},

{

"value": "imbigdata-vendor-data-dnb",

"key": "AppName"

},

{

"value": "notAssigned",

"key": "AsaqId"

},

{

"value": "dev",

"key": "environment"

},

{

"value": "00007869",

"key": "CostCenter"

},

{

"value": "1.0.8",

"key": "moduleVersion"

},

{

"value": "7 years",

"key": "DataRetentionCode"

},

{

"value": "restricted",

"key": "DataClassification"

},

{

"value": "us-east-1:us-east-2:us-west-1:us-west-2:",

"key": "RegionalRestriction"

}

]

}

]

},

"service": {

"serviceName": "guardduty",

"detectorId": "30b4a4be02963c8c4af489ee69466725",

"action": {

"actionType": "AWSAPICALL",

"awsApiCallAction": {

"api": "GetObject",

"serviceName": "s3.amazonaws.com",

"callerType": "Remote IP",

"remoteIpDetails": {

"ipAddressV4": "104.129.202.52",

"organization": {

"asn": "22616",

"asnOrg": "ZSCALER-SJC1",

"isp": "Zscaler",

"org": "Zscaler"

},

"country": {

"countryName": "United States"

},

"city": {

"cityName": "Dublin"

},

"geoLocation": {

"lat": 37.7201,

"lon": -121.919

}

},

"affectedResources": {}

}

},

"resourceRole": "TARGET",

"additionalInfo": {},

"evidence": null,

"eventFirstSeen": "2021-02-24T05:22:54Z",

"eventLastSeen": "2021-02-24T22:36:28Z",

"archived": false,

"count": 9

},

"severity": 5,

"createdAt": "2021-02-24T05:29:49.379Z",

"updatedAt": "2021-02-24T22:42:10.987Z",

"title": "Unusual reads of objects in an S3 bucket.",

"description": "A principal read objects from an S3 bucket in an unusual way."

}

]

Example 7 - Azure ApplicationGatewayFirewall, IP Block, Peter Campbell, Cigna

{

"timeStamp": "2021-06-01T10:55:20+00:00",

"resourceId": "/SUBSCRIPTIONS/30EB8E23-D885-4F27-AEB4-123456789/RESOURCEGROUPS/INTL-XXXXX-PROD-RG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/INTL-XXXXX-PROD_AGW",

"operationName": "ApplicationGatewayFirewall",

"category": "ApplicationGatewayFirewallLog",

"properties": {

"instanceId": "appgw_2",

"clientIp": "34.77.162.6",

"requestUri": "/",

"ruleSetType": "Custom",

"ruleId": "allowCountryList",

"message": "Found condition 0 in RemoteAddr, with value 34.77.162.6. Found condition 1 in RemoteAddr, with value 34.77.162.6. Found condition 2 in RemoteAddr, with value 34.77.162.6. Found condition 3 in RemoteAddr, with value 34.77.162.6.",

"action": "Blocked",

"hostname": "roiwt-api.XXXXX.com",

"transactionId": "47b3399b39e79848fa0b55cd22f10f97",

"policyId": "9#_subscriptions30eb8e23-d885-4f27-aeb4-123456789resourceGroupsintl-XXXXX-prod-rgprovidersMicrosoft.NetworkApplicationGatewayWebApplicationFirewallPolicies_coe-wafpolicy",

"policyScope": "Listener",

"policyScopeName": "prod-roiwt-httplstn",

"engine": "Azwaf"

}

}

Example 8 - GCP Events from Kathryn

[https://cloud.google.com/security-command-center/docs/concepts-vulnerabilities-findings]{.ul}

Example 9 - Peter to add some GCP examples from SOC

Mark - to get more examples from the consumers added to this - preferred by - 6/17 workshop

Anton - additional examples of various security events

Canonical definitions

[Define Namespace]{.ul}

Requirements:

P0 - unique and stable

P0 - needs to be expandable.

P1 - Minimal oversight and registration and lightweight

Provisions in place for private / customizations outside the public

e.g. onug.csnf.myproduct.security.event.ipaddress
onug.csnf.identity.event.xxx, onug.csnf.compliance.event.xxx

onug.csnf.identity.policy.xxx, onug.csnf.security.state.xxx, onug.csnf.identity.asset.xxx, etc.
Tracking of products customizing the namespace and publishing it for

others' usage - to avoid collisions and visibility into company using it
Protections for the namespace

idea 1 - onug.csnf.security.event.ipaddress, onug.csnf.security.monitoring.xxx,

[Action item -]{.ul} get community feedback on namespace

[Definitions]{.ul}

Provider: provider name

Event name: name of event

Event identifier: id of the event

Event start time: time when event occurred (time format set?)

Event end time (optional): time when event ended (time format

set?) - could be ambiguous as event may restart
Event type: enum of type - for e.g. Threat, WAF, etc. for

security namespace (scoping currently to security and later scale out to identity, compliance, etc. scenarios).
References (optional): attack tactics from the alert / event [-

can be used for custom enrichment - Needs further drill down]{.ul}
a. Source (MITRE/NIST/CVE)

b. Identifier

c. Name

Targeted Resources (optional):

a. Provider Resource id

b. Account Id

c. Additional labels (e.g. tags/keys, dictionary value, > compartments)

d. User Principal Name (User account)

e. Account type (e.g. service, authenticated user, etc.)

f. Geolocation - country, state, city, zip

g. Client IP address

h. Access Key

i. Agent type

Actor (optional): is the attacker

a. Provider Resource id

b. Account Id

c. Additional labels (e.g. tags/keys, dictionary value, > compartments)

d. User Principal Name (User account)

e. Account type (e.g. service, authenticated user, etc.)

f. Authentication Type

g. Geolocation

h. Client IP address

i. Access Key

j. Agent type

Trigger

a. TriggerName (optional) - could this be an enum with 'other' > as catch-all?: suspicious action that triggered the > event - do we want to tie this to owasp top10 security? Should > the trigger be generalized to a high level category with > description for details. For e.g. policy changes in a less > secure way (e.g. PII, HIPPA, improper location), violations to > security (actions that violate security like SQL > injection,...)

b. TriggerDescription (optional): do we need this (on the > fence - Peter to look at some more examples to see whether we > need this or just trigger is enough).

c. TriggerSource (e.g. product, other engine, etc.)

Recommended actions (optional): what are the next steps

More information link: links to original event on provider side

Stages

Ingest / Pre-analytic

Post analytic / Automations

Future: Saas models,

[Fall Demo]{.ul}

Vulnerable container →

Scenario #1 - Vulnerable container in image repo

Scenario #2 - Container - Vulerability scanner goes in

Deployed and multi cloud

SOC analyst → ONUGUser - Security Analyst

[Requirements]{.ul}

QA environment - needed

Roles / Personas

Security analyst

Developer - pushes piece of code

Vulnerability Management Engineer

Demo #1 - Simpler - Showcase schema from multiple CSPs and show in common schema that's standardized and enriched

decorate the alert with different info, array of decorations

Demo #2: Standardization scenario: Simple flow - generate event that generates log in multi-cloud - Generating events in a natural mode

CVE-ID kind of info and show the experience of an analyst - how it > saves time for them. SDK to leverage time savings
CVEs a bunch of those are bundled in with each resource - so how to get to actionable data from this? SOC analyst receives an alert, CVE, MITRE info is standardized and provided in canonical format across multi-cloud logs.

These can be represented as a graph - how to visualize the graph, etc. would need to be thought about. Group by resources / CVEs and based on the view have appropriate actions based on severities and policies.

Security analysts can still cross-correlate and show power of

standardization
Resource identification - enrichment from CMDb
get contextual info IaaS type services on resources etc. info, disallowed ports, identify configs across providers easily.

Demo #3 : Standardization + Enrichment scenario: SOC analyst detects vulnerability → Get the scenario complete (Anatoliy / Preeti)

Persona: SOC Analyst looks at

Multi clouds are involved

Show flow of alert from one cloud and another cloud - receives

notifications from multi clouds
SOC analyst investigates and uses metadata / SDK to get to direct

outcomes to the root cause → can even look at automated actions?
MITRE attack is key piece to
CSP scenarios for demo

GCP Security command center - API detects these security issues.

Have a design that doesn't have a log like behavior. Subscription needed for this.
May need a collector product (PAN Prisma, etc.) to showcase to pull the logs and show the use case →

Deploy malicious code - [https://davisanc.github.io/lab.aks.io/]{.ul} or we develop our own test suite

Next workshop agenda

Show products from GCP, IBM, Azure to showcase the logs emit as well > as consumption product as well. Anton/Kathryn/Preeti/Anatoliy)
Demo #2 - Developer pushes bad code and that's detected by scanner and shows up as vulnerability

Appendix

{

"feedback": null,

"recommendedActions": [],

"networkConnections": [],

"detectionIds": [],

"id": "91azzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz",

"category": "UnfamiliarLocation",

"confidence": null,

"fileStates": [],

"severity": "medium",

"title": "Unfamiliar sign-in properties",

"sourceMaterials": [],

"comments": [],

"assignedTo": "",

"eventDateTime": "2019-05-01T23:57:49.4122069Z",

"activityGroupName": null,

"status": "newAlert",

"description": "Sign-in with properties not seen recently for the given user",

"tags": [],

"lastModifiedDateTime": "2019-05-02T00:04:42.7836811Z",

"historyStates": [],

"vendorInformation": {

"providerVersion": "3.0",

"vendor": "Microsoft",

"subProvider": null,

"provider": "IPC"

},

"userStates": [

{

"userPrincipalName": "someone@.somewhere.com",

"emailRole": "unknown",

"isVpn": null,

"userAccountType": null,

"domainName": null,

"onPremisesSecurityIdentifier": null,

"aadUserId": null,

"accountName": "AccountName",

"logonIp": "123.456.789.1",

"logonDateTime": null,

"logonType": null,

"logonLocation": "Seattle, Washington, US",

"riskScore": "0",

"logonId": null

}

],

"malwareStates": [],

"processes": [],

"azureTenantId": "sanitized - GUID",

"registryKeyStates": [],

"createdDateTime": "2019-05-01T23:57:49.4122069Z",

"triggers": [],

"hostStates": [],

"cloudAppStates": [],

"closedDateTime": null,

"riskScore": "",

"azureSubscriptionId": null,

"vulnerabilityStates": []

}

1.1 - Scope

Scope

• The focus of initial iterations is on data in the Security space. Other domains (e.g., operational monitoring) may be addressed in the future.
• Need to think of cloud services from the context of IaaS, PaaS, and SaaS and focus on data from Cloud Service Providers (CSPs).
• CSPs include not only Cloud Providers like Azure, Amazon, Google, but also security solutions / services from Symantec, Microsoft Defender for ATP, etc.
• The initial effort is scoped to documenting the common taxonomy.
• Format of the taxonomy is scoped to json or others (Syslog, CEF)? [Where do we get the broadest market adoption- can we be format agnostic?]

Out of Scope

• The specific technology as to how do these CSPs protect security perimeter.
• Security Solutions not protecting cloud workloads.
• Updating CSPs to include the common taxonomy is not in scope. [CSPs can update at their own pace as needed at least foundational elements]
• Potential future scope –Tooling for compliance certification to the published taxonomy

1.2 - Use Cases

Use Cases

Security-significant information in scope for this work falls into few major types and use cases:

1. Security detection events

   Provider: These events are produced by CSP and are flagging possible attacks or other abnormal activity that may indicate or may be related to possible security breach. For e.g., antivirus running on IaaS node may detect malicious code, or network-level security monitoring systemmay detect network-level DDoS attack.

   Primary consumer of these events: SOC and security monitoring systems.

   Key common information for this type of events:

   • Time stamp
   • Subscription(s) and Resource(s) information
   • Possible MITRE mappings [applies to detection but not controls]

2. Security audit events

   Provider: These events are produced by CSP, by app itself and/or by 3rd party services to capture security-significant events that don’t necessarily indicate an attack but may be required to understand key activities in various systems. Capturing these events is essential for investigations and incident response, for understanding of systems security posture, and for creating audit trail required for compliance and other purposes.

   Primary consumer(s) of these events:

   • SOC
   • Security team (for security state monitoring, for threat hunting etc.)
   • Compliance team (to demonstrate compliance with various certifications)

   Key common information for this type of events:

   • Time stamp
   • Subscription(s) and Resource(s) information
   • Possible NIST 800-53 mappings

3. Security State information

   Provider: Security State information describes essential security policies and configurations of the system. For e.g., which ports are open to the internet, whether AV is running on specific node(s), system lockdown applied to IaaS VM(s) etc. These are produced by security solutions that track security posture and manage configurations and policies.

   Primary consumer(s) of these events:

   • SOC (to enable incident response and analysis)
   • For compliance and for other purposes.

Security State information by itself is not in the form of events – it is more of a set of configurations and policies, however changes of security state information may generate events – for e.g., audit events, and/or detection events. For example, if an operator changed security state using LiveSite tools or via deployment, it will generate audit events, and some of these changes may generate security detection events if new configuration is causing concerns (for e.g. AV disabled on the node). [ what controls would apply to classify security state - scope controls? - outcome is policies generating events- would this overlap with above buckets?] [recognize whether the alert is the outcome from a risk / security posture change is important - somehow can we reflect this in this envelope - map state changes like change in threat protection etc.]

1.3 - Provider Experience

Provider Experience

We need to consider certain major provider types: Cloud Providers (for e.g., Azure, AWS, other clouds)

1. Cloud providers naturally is one of the major sources of the data of interest, and for many types of data cloud providers may be the only source of certain critical data.

   It is important to highlight that we should consider cloud providers of different types, covering IaaS, PaaS and SaaS. For e.g., typical enterprise may be hosting some IaaS resources on AWS and Azure, may be using PaaS resources (e.g. DynamoDB or Azure CosmosDB), at the same time also using Office 365 SaaS services for productivity apps, ADP services for paystub and employee taxes handling and PagerDuty to facilitate OnCall and LiveSite alerting. The enterprise would need to collect and process security-significant events for all services it is using.

2. 3rd party monitoring and other services

   Cloud customers are often using various 3rd party services to monitor their apps & services. A lot of monitoring is focused on Operational monitoring, but there is also security aspect of it. For e.g., application-level security and audit logs are often collected by the monitoring service.

   There are also specialized security services that may be protecting internet-facing endpoints, and/or services that are monitoring internet-facing endpoints and alert on potential security exposures.

   These services would be important producers of security events.

3. Security data enrichment and processing services

   Some of security monitoring services will also act as data processors – collecting various audit and other data from customer services, and then producing security detections and other events. For e.g., ML models may be used to detect unusual activity, or unexpected admin actions etc.

   Some of services of this type are offered by CSPs (e.g., Azure Security Center), others are offered by 3rd parties.

1.4 - Consumer Experience

Consumer Experience

We need to consider certain major user types that consumes data from the CSPs for different applications.

1. SIEM and SOAR

   SIEM is one of the primary consumers of security events of all types, to facilitate SOC, Incident Response and other activities.

   For SIEM Security and Audit events are most important, also reference data (e.g., inventory) as well as security state information (policies in place etc.) are essential.

   SIEMs are typically offered as independent 3rd party services (e.g., Splunk), some of the SIEMs are also offered by CSPs (e.g., Azure Sentinel).

2. Threat Protection Services

   Endpoint protection, advanced monitoring and response capabilities, e.g., Microsoft Defender protection for endpoint, Crowdstrike.

3. Security State Assessment services/products

   Security State Assessment allows service owners to keep an eye on security state of their services, including security state of various cloud resources used as a part of (or by) the service.

   For Security State Assessment services Security State information and events indicating changes of that information are most important, although many of security products are combining Security State Assessment with Security Response or other functionality, expanding types of data required.

   Typically, CSPs these days are offering services that provide Security State Assessment (e.g., Azure Security Center), however there are also number of 3rd party services that are providing Security State and other services (e.g., cybersecurity.att.com).

4. Compliance Processes and Products

   Meeting various certifications and compliance requirements typically requires demonstrating that the service has adequate security monitoring & response, security policies/best practices and other capabilities. This assessment usually is based on collecting various information about the service(s) and how these services are being used and run.

   Information in scope of this effort will be important and useful for Compliance processes and products, especially NIST 800-53 mappings.

1.5 - Alerts, Controls, and Risks

Alerts, Controls and Risks

Usually, cloud platforms create events, those can be cloud resources usage events or alerts of all sorts. Many security vendors today attach MITRE tactics tags to their alerts, since an alert usually reflects a probable attack, or attack action, that can be classified to MITRE tactic.

Other security solutions, that deal with compliance (to a set of controls, such as regulation or standard) and report on vulnerabilities or control deficiencies. The connection between a control and an attack technique is not always clear. A control is aimed at mitigating a risk, and sometimes a vulnerability, but an attack can exploit many vulnerabilities, so the lack of a specific control can lead to many potential attacks, but this is dependent in the specific implementation of technology (which is not always part of the equation).

Following that – if we’re dealing with taxonomy the deal with alerts, adding MITRE tags, this can be done by the CSP or the system creating that alert. But attaching a specific control to the alert, depends on many other factors that are not known to the system creating the alert. For example: alert on a brute-force attempt on a cloud infrastructure – the relevant tactics are simple. Controls over that type of alert can be multiple, and come from multiple areas – those controls can be processes, procedures, or technological, they can be preventive or detective etc.

If we are not talking about alerts, but rather control deficiencies, such as lack of updates, firewall or antimalware not operating properly – the recommended control is clear, but the relevant attacks or risks are not easily deducted – a list of potential risks can be created, but this is dependent on many parameters (architecture, technology, accessibility etc.) so this is a complicated task that is being dealt with compliance systems.

Scenarios

As a SOC analyst, I need to be able to get contextual threat information and alerts from multiple CSPs.

1. what represents the greatest amount of risk – CSP informs part of that
2. asset that we try to protect – shared responsibility

Activity path - get alert -> validate whether false positive / true -> assess impact -> contextualize the alert -> resources and assets associated with alerts -> factors we are looking at -> high level data/functions these resources server -> categorize and prioritize -> identify the owner of the resource -> notify the owner -> determine appropriate action

Alert examples

Example 1 - (Medium severity) PREVIEW - Suspicious management session using an inactive account detected

Provider: Azure

Tactic: Persistence

Resources: Resource id, Subscription, User Principal Name (User account), Geolocation of the user associated with UPN, Client IP address / IP address associated with the UPN

Suspicious action: action points to resource on storage account ["Microsoft.Storage/storageAccounts/listKeys/action"]

Recommended actions:

More information link:

Example 2 - Activity insights security alert

Provider: IBM

Tactic:

Resources: provider resource id,

Attacker / Actor: user account

Trigger / Suspicious action:

Event time

2 - Core Components

2.1 - Canonical Data Model

​

Overview

​ What is the Cloud Security Notification Framework (CSNF)? CSNF is an Open Source initiative tackling the difficulty of providing security assurance for Cloud at scale caused by the large volume of events and security state messaging. The problem is compounded when using multiple Cloud Service Providers (CSP’s) due to the the lack of standardized events and alerts amongst CSP’s.
​ CSNF defines a common vocabulary and decorator pattern that can be used to reduce toil, drive consistency and allow enterprises to apply a context-aware approach to security by corellating and acting upon security events across multiple providers at scale. ​

CSNF Namespaces

​ The CSNF namespaces are used to help categorize and standardize events across multiple providers. The namespace provides a high level categorization for event data, so that customers can better analyze, visualize, and correlate the data represented in their events. ​ CSNF improvements are released following Semantic Versioning. ​

Provider

​ Fields related to the cloud (Iaas, SaaS or PasS) infrastructure the events are coming from. ​

Event

​ Any observable occurrence in the operations of an information technology service is an event. ​ Note: A security event is an observable occurrence that could affect your security posture. Each organization has its own threshold for designating an event as a security event ​

Resource

​ A resource types describes the resources that the finding refers to. ​

Service

​ The service type describes the service for or from which the data was collected. The cloud service name is intended to distinguish services running on different platforms within a provider ​

Threat Actor

​ The threat actor is the entity that initiated the event ​

Decorator

​ The CSNF decorator provides context awareness for security events in terms of risk, threat, compliance, asset value. The Cloud consumer can also apply a custom decorator to the event based on their own unique business context, for example a custom decoration based on asset value based on criticality, cost or sensitivity could be applied to the event in order to better contextualize and prioritize response based on business context. ​ The decorator type allows additional context to be added to an individual event from a trusted source without mutating the base event. There can be multiple decorators applied to the base event. The combination of standardized security events along with correlated knowledge and analytics processing provide new capabilities for the organizations security team to develop and apply fine-grained secuirty policy based on contextual awareness that was previously unknown. ​ ​

2.2 - CSNF Decorators

CSNF Decorator

Overview

The CSNF decorator provides context awareness for security events in terms of risk, threat, compliance, asset value. The Cloud consumer can also apply a custom decorator to the event based on their own unique business context, for example a custom decoration based on asset value based on criticality, cost or sensitivity could be applied to the event in order to better contextualize and prioritize response based on business context.

Contextual Enrichment

The decorator type allows additional context to be added to an individual event from a trusted source without mutating the base event. There can be multiple decorators applied to the base event. The combination of standardized security events along with correlated knowledge and analytics processing provide new capabilities for the organizations security team to develop and apply fine-grained secuirty policy based on contextual awareness that was previously unknown.

Decorator Detail

Threat

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Compliance

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Risk

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Business Context

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Asset Value

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Criticaltiy

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Identity

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Service Profile

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Data Classification

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Behaviour

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Vunlerability

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

Custom Decorators

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc pretium accumsan lectus nec hendrerit. Nulla non mollis sapien, sed vestibulum elit. Nullam sed nibh et justo scelerisque hendrerit. Proin iaculis lorem lectus, non sodales dolor suscipit vitae. Nullam sit amet sagittis erat. Praesent nec neque rutrum, malesuada purus a, bibendum nisl. Fusce sit amet purus leo. Proin commodo semper porttitor. Morbi finibus nunc id lorem dapibus, at tristique libero vehicula. Praesent arcu nisi, faucibus sit amet efficitur egestas, ultrices eu neque. Duis vulputate ipsum quis nisi tempus, in sagittis nunc porttitor. Nullam eu nisl nec turpis posuere commodo et vel quam. Suspendisse eleifend nulla id scelerisque commodo. Praesent pulvinar pulvinar sem, non pulvinar nibh eleifend vitae. Phasellus fringilla mi sem, sit amet imperdiet libero ornare nec. Integer porta nibh sed purus dignissim, a fermentum dui tristique.

3 - Contribution Guidelines

Contributing to the CSNF Decorator

If you want to contribute to the repo, see the CONTRIBUTING.md file.

3.1 - Next Steps: Contribute!

ONUG Contributor License Agreement

In order to clarify the intellectual property license granted with Contributions (defined below in Section 1 ) from any person or entity, ONUG must have a Contributor License Agreement (this “Agreement”) on file that has been signed by each Contributor, indicating agreement to the license terms below. This license is for your protection as a Contributor as well as the protection of ONUG and its users; it does not change your rights to use your own Contributions for any other purpose.

This Agreement allows an entity (the “Corporation”) to submit Contributions to ONUG, to authorize Contributions submitted by its designated employees to ONUG, and to grant copyright and patent licenses thereto.

Please complete and sign this Agreement and then email a pdf file of this Agreement to Scott Kargman at scott@onug.net. Please read this document carefully before signing and keep a copy for your records.

Corporation name: _______________________________________________________

Corporation address: _______________________________________________________

Point of Contact: _______________________________________________________

E-Mail: _______________________________________________________

Telephone: _______________________________________________________

You accept and agree to the following terms and conditions for Your present and future Contributions submitted to ONUG. Except for the license granted herein to ONUG and recipients of software distributed by ONUG, You reserve all right, title, and interest in and to Your Contributions.

1. Definitions.

“You” (or “Your”) shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with ONUG. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, “control” means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

“Contribution” shall mean the code, documentation or other original works of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to ONUG for inclusion in, or documentation of, any of the products owned or managed by the ONUG (the “Work”). For the purposes of this definition, “submitted” means any form of electronic, verbal, or written communication sent to ONUG or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, ONUG

for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as “Not a Contribution.”

2. Grant of Copyright License.

Subject to the terms and conditions of this Agreement, You hereby grant to ONUG and to recipients of software distributed by ONUG a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.

3. Grant of Patent License.

Subject to the terms and conditions of this Agreement, You hereby grant to ONUG and to recipients of software distributed by ONUG a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s)alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) were submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.

4. Authorizations.

You represent that You are legally entitled to grant the above license. You represent further that each employee of the Corporation designated on Schedule A below (or in a subsequent written modification to that Schedule) is authorized to submit Contributions on behalf of the Corporation.

5. Original Work.

You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others).

6. No Support; Warranty Disclaimer.

You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.

7. Contributions of Others.

Should You wish to submit work that is not Your original creation, You may submit it to ONUG separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as “Submitted on behalf of a third-party: [named here]”.

8. Designated Employees.

It is your responsibility to notify ONUG when any change is required to the list of designated employees authorized to submit Contributions on behalf of the Corporation, or to the Corporation’s Point of Contact with ONUG.

Corporation: _____________________________________________

Please sign: ______________________________________________

Title: ___________________________________________________

Date: ___________________________________________________

Schedule A
Designated Employees

[Please include the initial list of designated employees.]

3.2 - Contributor Code of Conduct

3.3 -

Contributor Covenant Code of Conduct

Our Pledge

We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.

Our Standards

Examples of behavior that contributes to a positive environment for our community include:

• Demonstrating empathy and kindness toward other people
• Being respectful of differing opinions, viewpoints, and experiences
• Giving and gracefully accepting constructive feedback
• Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
• Focusing on what is best not just for us as individuals, but for the overall community

Examples of unacceptable behavior include:

• The use of sexualized language or imagery, and sexual attention or advances of any kind
• Trolling, insulting or derogatory comments, and personal or political attacks
• Public or private harassment
• Publishing others' private information, such as a physical or email address, without their explicit permission
• Other conduct which could reasonably be considered inappropriate in a professional setting

Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.

Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.

Scope

This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.

Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at [INSERT CONTACT METHOD]. All complaints will be reviewed and investigated promptly and fairly.

All community leaders are obligated to respect the privacy and security of the reporter of any incident.

Enforcement Guidelines

Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:

1. Correction

Community Impact: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.

Consequence: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.

2. Warning

Community Impact: A violation through a single incident or series of actions.

Consequence: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.

3. Temporary Ban

Community Impact: A serious violation of community standards, including sustained inappropriate behavior.

Consequence: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.

4. Permanent Ban

Community Impact: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.

Consequence: A permanent ban from any sort of public interaction within the community.

Attribution

This Code of Conduct is adapted from the Contributor Covenant, version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

Community Impact Guidelines were inspired by Mozilla’s code of conduct enforcement ladder.

For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.

4 - CSNF Steering Committee Membership

Heading

The CSNF open source initiative benefits from the guidance and participation of over a dozen enterprises and their technology leadership. Current Steering Committee membership (September 2022) is as follows:

5 - CSNF birthday-cake

What is the purpose/what are we trying to convey

Let’s demonstrate how the CSNF can be used to standardize and decorate alerts from multiple clouds to accelerate SOC decision making through automation, eliminating false positives and enabling the SOC to focus attention on what is most important in terms of risk, leading to improved security outcomes for the long haul

Assuming an adversary is able to access a Cloud account, how would we prevent them from moving laterally in the cloud and pivoting and attempting to access more high value assets?

What you will see in this demonstration is one way that the CSNF canonical model and decorator can be implemented to address the key challenge creating a scalable and unified alerting pipeline that can be used to send alerts from any cloud source to the SOC.

Once the SOC receives the alert they will need to use automation to determine how to respond to the alert. That’s where the CSNF decorator comes in.

Finally we need to be ready to take action according to our playbook. What will we do to protect the organization?

6 - CSNF demo-service (archived)

Join our growing Slack community to participate in the CSNF Conversation

CSNF demo environment

About the demo-service application

The csnf demo-service now runs in docker. The best place to go for information on how to configure and run the CSNF demo environment would be to the github repo. To make use of the repo, you’ll need to clone it locally - if you don’t know how to do that, gee the Github Cloning a repository documentation.

Pre-requisites for the demo-service

The demo service requires access to a Splunk environment, specifically an http event collector, or HEC, to catch events from the CSNF dispatcher. In order to run the demo-service you will need to provide the access token that can be used by the Splunk HEC.

The demo service also requires access to an http client, like Postman or Insomnia that can be used to send http requests containing JSON payloads.

How to configure the demo-service on your laptop

The CSNF demo-service README.md goes into greater detail on how to configure the demo environment.

Contributing to the CSNF demo-service

If you want to contribute to the repo, see the CONTRIBUTING.md file.

CSNF demo-service Change History

To see what’s changed in the current version, see CHANGES.md