oasis-tcs / openc2-ap-ids

OASIS OpenC2 TC: developing a concise and extensible language to enable the command and control of cyber defense components. https://github.com/oasis-tcs/openc2-ap-ids

Request latest data from IDS #4

Open alevere opened 3 years ago

alevere commented 3 years ago

I would like to propose a command to retrieve the system logs over the last hour:

```json
{
  "action": "query",
  "target": { "properties": ["events"] },
  "args": {
    "ids": {
      "type": "system",
      "start": "1615304941",
      "end": "1615391341",
      "limit": 50
    }
  }
}
```

```json
{
  "status": 200,
  "results": {
    "events": [
      "first system log here",
      "second event set here",
      "third event set here"
    ]
  }
}
```
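A consumer-side handler for the proposed command, added here as an illustration and not code from the issue or the OpenC2 TC. It parses the `query` / `properties: ["events"]` command, validates the `ids` args (`type`, `start`, `end`, `limit`) before touching any event store, and answers with the `status` / `results.events` shape sketched above. The event store, the `MAX_LIMIT` and `MAX_WINDOW_SECONDS` ceilings, the treatment of `start`/`end` as Unix seconds, and the 400/501 status codes for rejected commands are assumptions made for this example.

```python
"""Constructed OpenC2 consumer handler for the proposed IDS 'query events' command."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample event store for the example: (unix seconds, severity, message).
# These are made-up lines, not real IDS output.
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (1615300000, "info", "sensor started"),
    (1615310000, "alert", "signature match on inbound flow"),
    (1615350000, "info", "ruleset reloaded"),
    (1615391000, "alert", "signature match on outbound flow"),
    (1615400000, "info", "heartbeat"),
]

# Assumed consumer-side ceilings so a single query cannot exhaust the sensor;
# these are not part of the proposal in the issue.
MAX_LIMIT = 500
MAX_WINDOW_SECONDS = 7 * 24 * 3600
KNOWN_EVENT_TYPES = {"system"}  # only the type the issue names


def _error(status: int, text: str) -> Dict[str, Any]:
    """OpenC2-style failure response: status plus human-readable status_text."""
    return {"status": status, "status_text": text}


def _as_int(value: Any, name: str) -> int:
    """Accept ints or decimal strings (the issue writes start/end as strings)."""
    if isinstance(value, bool):
        raise ValueError(f"{name} must be an integer")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.isdigit():
        return int(value)
    raise ValueError(f"{name} must be an integer")


def handle_query(command: Dict[str, Any], events=SAMPLE_EVENTS) -> Dict[str, Any]:
    """Validate the command, then select events in [start, end] up to limit."""
    if command.get("action") != "query":
        return _error(501, "unsupported action")
    target = command.get("target")
    if not isinstance(target, dict):
        return _error(400, "target is required")
    props = target.get("properties")
    if not isinstance(props, list) or "events" not in props:
        return _error(400, "target must be properties including 'events'")
    args = command.get("args")
    ids_args = args.get("ids") if isinstance(args, dict) else None
    if not isinstance(ids_args, dict):
        return _error(400, "args.ids is required")
    if ids_args.get("type") not in KNOWN_EVENT_TYPES:
        return _error(400, "unknown event type")
    try:
        start = _as_int(ids_args.get("start"), "start")
        end = _as_int(ids_args.get("end"), "end")
        limit = _as_int(ids_args.get("limit", MAX_LIMIT), "limit")
    except ValueError as exc:
        return _error(400, str(exc))
    if end < start:
        return _error(400, "end precedes start")
    if end - start > MAX_WINDOW_SECONDS:
        return _error(400, "time window too large")
    if limit < 1 or limit > MAX_LIMIT:
        return _error(400, f"limit must be between 1 and {MAX_LIMIT}")
    # Only after validation do we read the store; ordering is by timestamp.
    selected = [f"{ts} {sev}: {msg}" for ts, sev, msg in sorted(events) if start <= ts <= end]
    return {"status": 200, "results": {"events": selected[:limit]}}


def handle_raw(raw: str) -> Dict[str, Any]:
    """Entry point for a wire message: reject malformed JSON before dispatch."""
    try:
        command = json.loads(raw)
    except json.JSONDecodeError:
        return _error(400, "malformed JSON")
    if not isinstance(command, dict):
        return _error(400, "command must be a JSON object")
    return handle_query(command)


# The issue's proposed command with its JSON syntax corrected (constructed input).
PROPOSED_COMMAND = """{"action": "query", "target": {"properties": ["events"]},
 "args": {"ids": {"type": "system", "start": "1615304941", "end": "1615391341", "limit": 50}}}"""

if __name__ == "__main__":
    print(json.dumps(handle_raw(PROPOSED_COMMAND), indent=2))
```

The validation order matters for a defender: action and target are checked first, then the argument types and bounds, and the event store is only read once the window and limit are known to be sane, so a malformed or oversized query is refused without doing any work on the sensor.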

sparrell commented 3 years ago

I agree with the query. Is it IDS specific or should we make a 'logging profile'? Would the command be very common to packet filters and EDR and ...? Then the other APs could extend it if they have specific AP-specific details (particularly in the responses). I'm also ok with putting it in each AP but I prefer smaller profiles if there is commonality.