Closed ferullo closed 3 months ago
@joe-desimone @nfritts @roxana-gheorghe does @MikePaquette's suggestion work? I know one thing we discussed is the difference between whether Elastic Defend was in prevent or detect mode and whether it successfully blocked the attack or failed for some reason.
If prevent/detect is indicated by `event.type : allowed|denied`, then the success/failure of the prevention can be included in `event.outcome : success|failure`. There's a chance Endpoint is already at least partially conforming to that behavior.
Sounds good to me 👍
This may just be anecdotal; however, there is some precedence here. In cloud-defend you can fire alerts based on edge-evaluated logic. If the alert results in a blocking action, we would set `event.type = denied`.
Thanks @MikePaquette for pointing out `allowed` and `denied`, and @joe-desimone and @norrietaylor for weighing in. I'm closing this since there's nothing to be done.
Summary: Elastic Defend, and presumably other security integrations, have a need to let users identify whether an alert document comes from a detection or a prevention alert. While ECS defines a way to say that a document is an alert document, it doesn't provide a way to make this important distinction.

Motivation: We've seen this feature requested a few times from Elastic Defend users.

Detailed Design: It seems most straightforward to either add `prevention` and `detection` as allowed values for `event.type` or `event.category`. Updating `event.type` seems to make more logical sense since `prevention` and `detection` are both subtypes of the `intrusion_detection` or `malware` event categories.
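The field mapping the thread settles on (prevent vs. detect mode in `event.type` as `denied`/`allowed`, and whether the block actually took effect in `event.outcome` as `success`/`failure`) is what a consumer of these alerts has to interpret. The following is an added example, not code from the ECS project or from Elastic Defend: it classifies constructed ECS-shaped alert documents by mode and outcome, tolerating `event.type` being a string or an array as ECS permits, and treating a `denied` alert with no recorded outcome as unknown rather than assuming the prevention worked.

```python
from typing import Any

# Constructed sample documents shaped like ECS alert events; not real Elastic Defend output.
SAMPLE_ALERTS = [
    {"event": {"kind": "alert", "category": ["malware"], "type": ["denied"], "outcome": "success"}},
    {"event": {"kind": "alert", "category": ["malware"], "type": ["denied"], "outcome": "failure"}},
    {"event": {"kind": "alert", "category": ["intrusion_detection"], "type": ["allowed"]}},
    {"event": {"kind": "event", "category": ["process"], "type": ["start"]}},
]


def _as_list(value: Any) -> list:
    """ECS fields such as event.type and event.category may be a scalar or an array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def classify_alert(doc: dict) -> str:
    """Return one of: not_alert, prevention_succeeded, prevention_failed,
    prevention_unknown, detection_only, unspecified.

    Mapping taken from the issue thread: prevent vs detect mode is carried by
    event.type (denied vs allowed); whether the block took effect is carried by
    event.outcome (success vs failure).
    """
    event = doc.get("event", {})
    if event.get("kind") != "alert":
        return "not_alert"
    types = set(_as_list(event.get("type")))
    if "denied" in types:
        outcome = event.get("outcome")
        if outcome == "success":
            return "prevention_succeeded"
        if outcome == "failure":
            return "prevention_failed"
        return "prevention_unknown"  # no outcome recorded: do not assume the block worked
    if "allowed" in types:
        return "detection_only"
    return "unspecified"  # alert document carrying neither allowed nor denied


def summarize(docs: list) -> dict:
    """Count alert documents by mode/outcome, e.g. to spot failed preventions."""
    counts: dict = {}
    for doc in docs:
        label = classify_alert(doc)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```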