Ecs: Add event.tlp

Created on 18 Mar 2020  路  7Comments  路  Source: elastic/ecs

I couldn't find any field for event traffic light protocol (TLP). Is there any existing field for tlp if no, could we add them?

discuss

Most helpful comment

@ebeahan - first of all, apologies for not responding sooner. my notification settings were off and didn't see this. thanks @jamiehynds.

TLP is primarily used in incident/intelligence sharing and dissemination by industry specific sharing groups & government agencies. Essentially it dictates a contract between the sender and receiver - each of the 4 level of TLP dictate what privileges the receiver has with respect to the information being shared. Implicitly it also conveys level of sensitivity and criticality about the information being shared.

With our existing capabilities I can see users:

  1. wanting to know if they have received TLP:RED information, meaning its high severity and criticality and should be taken into consideration right away. this could flow into our rules, where users filter on alerts generated by TLP:RED information.
  2. wanting to know if any events from ingestion sources correlate with TLP marked information received from partners/peers.

Currently we don't support an incident/intel sharing workflow (for e.g. - company x, which belongs to financial services, has just detected a phishing attack and now wants to share their incident analysis with other financial services companies) but at some point I envision us doing so.

We need to represent TLP, along with a number of other threat intelligence related fields in ECS. Just not sure if _event_ is the right parent field for it. need to think through it.

All 7 comments

Can you expand on this?

Hi @webmat

TLP defines the sensitivity of information/event. So could we have add event.tlp that describe sensitivity of an event.

https://www.us-cert.gov/tlp

@weichea Can you provide any additional context or examples of the use cases you hand in mind for capturing TLP fields?

ping @shimonmodi - any thoughts on this from a threat intel perspective?

@ebeahan - first of all, apologies for not responding sooner. my notification settings were off and didn't see this. thanks @jamiehynds.

TLP is primarily used in incident/intelligence sharing and dissemination by industry specific sharing groups & government agencies. Essentially it dictates a contract between the sender and receiver - each of the 4 level of TLP dictate what privileges the receiver has with respect to the information being shared. Implicitly it also conveys level of sensitivity and criticality about the information being shared.

With our existing capabilities I can see users:

  1. wanting to know if they have received TLP:RED information, meaning its high severity and criticality and should be taken into consideration right away. this could flow into our rules, where users filter on alerts generated by TLP:RED information.
  2. wanting to know if any events from ingestion sources correlate with TLP marked information received from partners/peers.

Currently we don't support an incident/intel sharing workflow (for e.g. - company x, which belongs to financial services, has just detected a phishing attack and now wants to share their incident analysis with other financial services companies) but at some point I envision us doing so.

We need to represent TLP, along with a number of other threat intelligence related fields in ECS. Just not sure if _event_ is the right parent field for it. need to think through it.

No worries and thanks for your insights @shimonmodi! 馃槃

@shimonmodi Seeing discussion about TLP over in https://github.com/elastic/ecs/pull/1037, I think we can close this one, right?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

zlammers picture zlammers  路  8Comments

vbohata picture vbohata  路  5Comments

willemdh picture willemdh  路  5Comments

MikePaquette picture MikePaquette  路  3Comments

enotspe picture enotspe  路  5Comments