I couldn't find any field for event traffic light protocol (TLP). Is there any existing field for tlp if no, could we add them?
Can you expand on this?
Hi @webmat
TLP defines the sensitivity of information/event. So could we have add event.tlp that describe sensitivity of an event.
@weichea Can you provide any additional context or examples of the use cases you hand in mind for capturing TLP fields?
ping @shimonmodi - any thoughts on this from a threat intel perspective?
@ebeahan - first of all, apologies for not responding sooner. my notification settings were off and didn't see this. thanks @jamiehynds.
TLP is primarily used in incident/intelligence sharing and dissemination by industry specific sharing groups & government agencies. Essentially it dictates a contract between the sender and receiver - each of the 4 level of TLP dictate what privileges the receiver has with respect to the information being shared. Implicitly it also conveys level of sensitivity and criticality about the information being shared.
With our existing capabilities I can see users:
Currently we don't support an incident/intel sharing workflow (for e.g. - company x, which belongs to financial services, has just detected a phishing attack and now wants to share their incident analysis with other financial services companies) but at some point I envision us doing so.
We need to represent TLP, along with a number of other threat intelligence related fields in ECS. Just not sure if _event_ is the right parent field for it. need to think through it.
No worries and thanks for your insights @shimonmodi! 馃槃
@shimonmodi Seeing discussion about TLP over in https://github.com/elastic/ecs/pull/1037, I think we can close this one, right?
Most helpful comment
@ebeahan - first of all, apologies for not responding sooner. my notification settings were off and didn't see this. thanks @jamiehynds.
TLP is primarily used in incident/intelligence sharing and dissemination by industry specific sharing groups & government agencies. Essentially it dictates a contract between the sender and receiver - each of the 4 level of TLP dictate what privileges the receiver has with respect to the information being shared. Implicitly it also conveys level of sensitivity and criticality about the information being shared.
With our existing capabilities I can see users:
Currently we don't support an incident/intel sharing workflow (for e.g. - company x, which belongs to financial services, has just detected a phishing attack and now wants to share their incident analysis with other financial services companies) but at some point I envision us doing so.
We need to represent TLP, along with a number of other threat intelligence related fields in ECS. Just not sure if _event_ is the right parent field for it. need to think through it.