
středa 25. března 2020

CSAF examples

This site contains a list of CSAF examples. More samples will be added over time. Currently the focus is on CSAF in JSON, but almost any transport method is possible (syslog, REST API, ...). Please focus on the content: any delimiter can be chosen and objects can be enclosed in other ways than in {}.

The first example tries to follow the same coloring scheme and distinction as in the schema definition.

 

Example 1 with color distinction


{
  "Device": {
    "vendor": "Cisco",
    "product": "ASA",
    "version": "5525-X",
    "OS": "IOS 14",
    "module": "Firepower",
    "feature": "WEB protection",
    "device_name": "badassfw",
    "device_IP": "10.20.255.1",
    "policy": "block_porn",
    "rule": "24",
    "action": "blocked",
  },
  "Priority": {
    "severity": "High",
    "credibility": "Med",
    "relevance": "10",
  },
  "Alert": {
    "time": "2019/06/05 13:02:14.171",
    "category": ["WEB","Traffic blocked","web access blocked"],
    "name": "Porn site access",
    "id": "100237"
    "link": "http://10.20.255.1/alerts?id=100237"  
    "domain": "Tenant1",
    "region": "CZ",
    "target": ["freevideo.cz","adm_user","10.101.24.23"],
    "artifacts": {
      "username": "adm_user",
      "src_IP": "10.101.24.23",
      "src_port": "50435",
      "dst_IP": "80.188.244.72",
      "dst_port": "443",
      "domain": "freevideo.cz",
      "url": "https://freevideo.cz/big_gang_bang_theory",
    },
    "status": "active",
    "tactics": ["defense evasion","execution"],
    "techniques": "Web service"
    "rawData": "null",
    "associated_events": [
            {
            "time":"2019/06/05 13:02:11.171",
            "name":"blocked web traffic",
            "target":["freevideo.cz"],
            "artifacts": {
                  "username": "adm_user",
                  "src_IP": "10.101.24.23",
                  "src_port": "50435",
                  "dst_IP": "80.188.244.72",
                  "dst_port": "80",
                  "domain": "freevideo.cz",
                  "url": "freevideo.cz",
            },
            "count": 1,
            "rawData": "empty"
            },
            {
            "time":"2019/06/05 13:02:12.171",
            "name":"blocked web traffic",
            "target":["https://freevideo.cz"],
            "artifacts": {
                        "username": "adm_user",
                        "src_IP": "10.101.24.23",
                        "src_port": "50435",
                        "dst_IP": "80.188.244.72",
                        "dst_port": "443",
                        "domain": "freevideo.cz",
                        "url": "https://freevideo.cz/",
            },
            "count": 1,
            "rawData": "empty"},
            {
            "time":"2019/06/05 13:02:13.171",
            "name":"blocked web traffic",
            "target":["https://freevideo.cz/big_gang_bankg_theory"],
            "artifacts": {
                  "username": "adm_user",
                  "src_IP": "10.101.24.23",
                  "src_port": "50435",
                  "dst_IP": "80.188.244.72",
                  "dst_port": "443",
                  "domain": "freevideo.cz",
                  "url": "https://freevideo.cz/big_gang_bang_theory",
            },
            "count": 1,
            "rawData": "empty"},
    ]
  }
}



Example 2


{
  "Device": {
    "product": "AuditVault",
    "device_name": "oracleauditvault",
    "device_IP": "10.20.25.101",
    "policy": "select star",
    "action": "alert",
  },
  "Priority": {
    "severity": "Medium",
  },
  "Alert": {
    "time": "2020/02/02 10:22:14.153",
    "category": ["DB","access","select"],
    "name": "select star",
    "target": ["etl_live","sysdba","10.10.24.23"],
    "artifacts": {
      "username": "sysdba",
      "src_IP": "10.10.24.23",
      "src_port": "56449",
      "dst_IP": "10.18.24.72",
      "dst_port": "1514",
      "database": "etl_live",
      "table": "users",
    },
    "rawData": "select * from users;",
  }
}



CSAF schema

The CSAF schema definition introduces the content with its properties and their types. All the properties are described in detail on the CSAF format description page. Examples can be seen here.
There are no mandatory fields, but it is highly recommended to follow the naming convention and fill in all the properties that can help to identify the alert and ease its investigation. Because nothing is mandatory, a consuming platform should treat every property as optional and check the type of each one it reads rather than assuming it is present. Focus is given on simplifying integration between the alert-generating device and the incident response tool/platform.


Schema with color distinction



{
  "title": "CSAF",
  "type": "object",
  "properties": {
    "Device": {
      "type": "object",
      "properties": {
        "vendor": {
          "type": "string"
        },
        "product": {
          "type": "string"
        },
        "version": {
          "type": "string"
        },
        "OS": {
          "type": "string"
        },
        "module": {
          "type": "string"
        },
        "feature": {
          "type": "string"
        },
        "device_name": {
          "type": "string"
        },
        "device_IP": {
          "type": "string"
        },
        "policy": {
          "type": "string"
        },
        "rule": {
          "type": "string"
        },
        "action": {
          "type": "string"
        },
      },
    },
    "Priority": {
      "type": "object",
      "properties": {
        "severity": {
           "type": "string"
        },
        "credibility": {
           "type": "string"
        },
        "relevance": {
           "type": "string"
        },
      },
    },
    "Alert": {
      "type": "object",
      "properties": {
        "time": {
          "type": "string"
        },
        "category": {
          "type": "array",
          "items": {
            "type": "string"
          },
        },
        "name": {
          "type": "string"
        },
        "id": {
          "type": "string"
        },
        "link": {
          "type": "string"
        },
        "domain": {
          "type": "string"
        },
        "region": {
          "type": "string"
        },
        "target": {
          "type": "array",
          "items": {
            "type": "string"
          },
        },
        "artifacts": {
          "type": "object",
          "properties": {
            "username": {
              "type": "string"
            },
            "src_IP": {
              "type": "string"
            },
            "src_port": {
              "type": "string"
            },
            "dst_IP": {
              "type": "string"
            },
            "dst_port": {
              "type": "string"
            },
            "domain": {
              "type": "string"
            },
            "url": {
              "type": "string"
            },
            "hash": {
              "type": "string"
            },
            "process": {
              "type": "string"
            },
            "filename": {
              "type": "string"
            },
            "registry_key": {
              "type": "string"
            },
            "sender": {
              "type": "string"
            },
          },
        },
        "status": {
          "type": "string"
        },
        "tactics": {
          "type": "array",
          "items": {
            "type": "string"
          },
        },
        "technique": {
          "type": "string"
        },
        "rawData": {
          "type": "string"
        },
        "associated_events": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "time": {
                "type": "string"
              },
              "name": {
                "type": "string"
              },
              "target": {
                "type": "array",
                "items": {
                  "type": "string"
                },
              },
              "artifacts": {
                "type": "object",
                "properties": {
                  "username": {
                    "type": "string"
                  },
                  "src_IP": {
                    "type": "string"
                 },
                  "src_port": {
                    "type": "string"
                  },
                  "dst_IP": {
                    "type": "string"
                  },
                  "dst_port": {
                    "type": "string"
                  },
                  "domain": {
                    "type": "string"
                  },
                  "url": {
                    "type": "string"
                  },
                  "hash": {
                    "type": "string"
                  },
                  "process": {
                    "type": "string"
                  },
                  "filename": {
                    "type": "string"
                  },
                  "registry_key": {
                    "type": "string"
                  },
                  "sender": {
                    "type": "string"
                  },
                },
              },
              "count": {
                "type": "number"
              },
              "rawData": {
                "type": "string"
              }
            }
          }
        }
      }
    }
  }
}

 

Clean schema

 
{
  "title": "CSAF",
  "type": "object",
  "properties": {
    "Device": {
      "type": "object",
      "properties": {
        "vendor": {
          "type": "string"
        },
        "product": {
          "type": "string"
        },
        "version": {
          "type": "string"
        },
        "OS": {
          "type": "string"
        },
        "module": {
          "type": "string"
        },
        "feature": {
          "type": "string"
        },
        "device_name": {
          "type": "string"
        },
        "device_IP": {
          "type": "string"
        },
        "policy": {
          "type": "string"
        },
        "rule": {
          "type": "string"
        },
        "action": {
          "type": "string"
        },
      },
    },
    "Priority": {
      "type": "object",
      "properties": {
        "severity": {
           "type": "string"
        },
        "credibility": {
           "type": "string"
        },
        "relevance": {
           "type": "string"
        },
      },
    },
    "Alert": {
      "type": "object",
      "properties": {
        "time": {
          "type": "string"
        },
        "category": {
          "type": "array",
          "items": {
            "type": "string"
          },
        },
        "name": {
          "type": "string"
        },
        "id": {
          "type": "string"
        },
        "link": {
          "type": "string"
        },
        "domain": {
          "type": "string"
        },
        "region": {
          "type": "string"
        },
        "target": {
          "type": "array",
          "items": {
            "type": "string"
          },
        },
        "artifacts": {
          "type": "object",
          "properties": {
            "username": {
              "type": "string"
            },
            "src_IP": {
              "type": "string"
            },
            "src_port": {
              "type": "string"
            },
            "dst_IP": {
              "type": "string"
            },
            "dst_port": {
              "type": "string"
            },
            "domain": {
              "type": "string"
            },
            "url": {
              "type": "string"
            },
            "hash": {
              "type": "string"
            },
            "process": {
              "type": "string"
            },
            "filename": {
              "type": "string"
            },
            "registry_key": {
              "type": "string"
            },
            "sender": {
              "type": "string"
            },
          },
        },
        "status": {
          "type": "string"
        },
        "tactics": {
          "type": "array",
          "items": {
            "type": "string"
          },
        },
        "technique": {
          "type": "string"
        },
        "rawData": {
          "type": "string"
        },
        "associated_events": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "time": {
                "type": "string"
              },
              "name": {
                "type": "string"
              },
              "target": {
                "type": "array",
                "items": {
                  "type": "string"
                },
              },
              "artifacts": {
                "type": "object",
                "properties": {
                  "username": {
                    "type": "string"
                  },
                  "src_IP": {
                    "type": "string"
                 },
                  "src_port": {
                    "type": "string"
                  },
                  "dst_IP": {
                    "type": "string"
                  },
                  "dst_port": {
                    "type": "string"
                  },
                  "domain": {
                    "type": "string"
                  },
                  "url": {
                    "type": "string"
                  },
                  "hash": {
                    "type": "string"
                  },
                  "process": {
                    "type": "string"
                  },
                  "filename": {
                    "type": "string"
                  },
                  "registry_key": {
                    "type": "string"
                  },
                  "sender": {
                    "type": "string"
                  },
                },
              },
              "count": {
                "type": "number"
              },
              "rawData": {
                "type": "string"
              }
            }
          }
        }
      }
    }
  }
}