elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0

Define a standard way to identify prevention and detection security alerts #2329

Closed ferullo closed 3 months ago

ferullo commented 3 months ago

Summary: Elastic Defend, and presumably other security integrations, have a need to let users identify if an alert document comes from a detection or prevention alert. While ECS defines a way to say that a document is an alert document, it doesn't provide a way to make this important distinction.

Motivation: We've seen this feature requested a few times from Elastic Defend users.

Detailed Design: It seems most straightforward to either add prevention and detection as allowed values for event.type or event.category. Updating event.type seems to make more logical sense since prevention and detection are both subtypes of the intrusion_detection or malware event categories.

MikePaquette commented 3 months ago

Hi Dan, please consider using the existing values of event.type as they were defined to accommodate this use case.

ferullo commented 3 months ago

@joe-desimone @nfritts @roxana-gheorghe does @MikePaquette's suggestion work? I know one thing we discussed is the difference between whether Elastic Defend was in prevent or detect mode and whether it successfully blocked the attack or failed for some reason.

If prevent/detect is indicated by event.type : allowed|denied then the success/failure of the prevention can be included in event.outcome : success|failure. There's a chance Endpoint is already at least partially conforming to that behavior.
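As an added illustration (not code from the ECS project or from anyone in this thread) of how a consumer could read alert documents under the convention just described, here is a small classifier that uses event.kind, event.category, event.type and event.outcome; the sample documents are constructed, not real Elastic Defend output.

```python
# Added example: classify ECS alert documents as detection vs. prevention using
# event.type (allowed|denied) and event.outcome (success|failure). Assumptions:
# documents are plain dicts keyed by dotted ECS field names; samples are constructed.
from typing import Dict, List

PREVENT_TYPES = {"denied"}
DETECT_TYPES = {"allowed"}
SECURITY_CATEGORIES = {"intrusion_detection", "malware"}


def _as_list(value):
    """ECS event.type / event.category may be a single string or an array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def classify_alert(doc: Dict) -> str:
    """Return 'prevention:<outcome>', 'detection', 'unclassified' or 'not-alert'.

    'unclassified' flags alert documents where the detection/prevention
    distinction cannot be recovered from event.type, so they can be reviewed.
    """
    if doc.get("event.kind") != "alert":
        return "not-alert"
    if not SECURITY_CATEGORIES & set(_as_list(doc.get("event.category"))):
        return "unclassified"
    types = set(_as_list(doc.get("event.type")))
    if types & PREVENT_TYPES:
        # Prevention alert: event.outcome records whether the block actually worked.
        return f"prevention:{doc.get('event.outcome', 'unknown')}"
    if types & DETECT_TYPES:
        return "detection"
    return "unclassified"


def summarize(docs: List[Dict]) -> Dict[str, int]:
    """Count documents per label, e.g. to spot failed preventions in a review."""
    counts: Dict[str, int] = {}
    for doc in docs:
        label = classify_alert(doc)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample documents (not real Elastic Defend output).
SAMPLE_DOCS = [
    {"event.kind": "alert", "event.category": ["malware"], "event.type": ["denied"], "event.outcome": "success"},
    {"event.kind": "alert", "event.category": ["malware"], "event.type": ["denied"], "event.outcome": "failure"},
    {"event.kind": "alert", "event.category": ["intrusion_detection"], "event.type": ["allowed"]},
    {"event.kind": "alert", "event.category": ["malware"], "event.type": ["info"]},
    {"event.kind": "event", "event.category": ["process"], "event.type": ["start"]},
]
```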

joe-desimone commented 3 months ago

Sounds good to me 👍

norrietaylor commented 3 months ago

This may just be anecdotal; however, there is some precedent here. In cloud-defend you can fire alerts based on edge-evaluated logic. If the alert results in a blocking action, we would set event.type = denied.

ferullo commented 3 months ago

Thanks @MikePaquette for pointing out allowed and denied and @joe-desimone and @norrietaylor for weighing in. I'm closing this since there's nothing to be done.