ocsf / ocsf-schema

OCSF Schema
Apache License 2.0

Proposal: Extend Security Control Profile for Authentication Class in OCSF #1235

Open pladamgregory opened 1 day ago

pladamgregory commented 1 day ago

Proposal: Extend Security Control Profile for Authentication Class in OCSF

Summary

This proposal aims to extend the OCSF (Open Cybersecurity Schema Framework) security control profile to support the authentication class. Specifically, it introduces an access_control object within the auth_factors structure, which includes various attributes related to access restrictions, policy rule matching, identity stores, and authentication results.

Motivation

Currently, the OCSF schema lacks detailed coverage of authentication-related attributes within the security control profile, limiting its use in monitoring, auditing, and managing authentication flows and policy application in a granular way. This extension will enable better tracking of authentication attempts, associated policies, and the effectiveness of access restrictions, enhancing overall security visibility.

Proposal Details

New Structure

Within the authentication class, we will add an access_control object under auth_factors, which will contain the following attributes:

Example JSON

An example JSON structure illustrating the new auth_factors object with access_control:

{
  "class": "authentication",
  "auth_factors": [
    {
      "factor_type": "RADIUS",
      "factor_result": "success",
      "access_control": {
        "access_restricted": true,
        "matched_group_policy_rule_name": "VPNAccessPolicy",
        "matched_auth_policy_rule_name": "RADIUSAuthPolicy",
        "matched_identity_policy_rule_name": "NetworkUserPolicy",
        "matched_service_policy_rule_name": "VPNServicePolicy",
        "auth_identity_store": "Cisco ISE",
        "query_identity_store": "LDAP",
        "auth_status": "authenticated",
        "auth_method": "radius",
        "auth_method_type": "single_factor",
        "auth_result": "success",
        "auth_type": "network_authentication"
      }
    },
    {
      "factor_type": "otp",
      "factor_result": "success",
      "access_control": {
        "access_restricted": true,
        "matched_group_policy_rule_name": "VPNAccessPolicy",
        "matched_auth_policy_rule_name": "RADIUSAuthPolicy",
        "matched_identity_policy_rule_name": "NetworkUserPolicy",
        "matched_service_policy_rule_name": "VPNServicePolicy",
        "auth_identity_store": "RSA SecurID",
        "query_identity_store": "LDAP",
        "auth_status": "authenticated",
        "auth_method": "otp",
        "auth_method_type": "multi_factor",
        "auth_result": "success",
        "auth_type": "network_authentication"
      }
    }
  ]
}

floydtree commented 15 hours ago

It appears there's a lot of scope to create duplication and conflict with the existing attributes in the Authentication event class. I would recommend taking a deeper look at the existing class and all its attributes and only adding missing pieces. The core reasoning is to be more prescriptive for the users of OCSF.

Quick observations:

  1. Is radius appropriate as an auth_factor type? It's better suited for auth type, check out auth_protocol
  2. Why is access_control being nested inside auth_factors? Don't see a clear value of this nesting.
  3. Within the proposed access_control it appears you are duplicating attributes that are already a part of the class elsewhere in the structure. auth_result -> status, auth_method -> auth_protocol, auth_type -> logon_type
  4. Look at utilizing and augmenting existing entities before creating new ones; can the policy object be used with augmentations to represent all the policy attributes that you have?
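To make the duplication point concrete, here is an added example (my own code, not the OCSF project's and not from either commenter) that takes the proposed event from the first comment and rewrites it onto attributes the Authentication class already has: auth_result onto status, auth_method/RADIUS onto auth_protocol, auth_type onto logon_type, the multi_factor flag onto is_mfa, and the four matched_*_policy_rule_name values onto a list of policy objects. Whatever is left over is the list of keys that genuinely have no home today. Assumptions: the enum ids are my reading of the OCSF 1.x dictionaries, the `provider` attribute on auth_factor and a `type` tag on the policy object are treated as assumed/hypothetical, and the `policies` list is a hypothetical augmentation rather than an existing attribute.

```python
"""Rewrite the proposed access_control attributes onto existing OCSF
Authentication class attributes and report what is duplicated vs. missing.
Added example; enum ids and the provider/type/policies fields are assumptions."""
import copy
import json

# Proposed key -> existing Authentication class attribute (the three
# duplications called out in the review comment).
DUPLICATE_MAP = {
    "auth_result": "status",
    "auth_method": "auth_protocol",
    "auth_type": "logon_type",
}

# Enum ids: my reading of the OCSF 1.x dictionaries, not from this issue.
# Verify against the schema browser before relying on them.
STATUS = {"success": ("Success", 1), "failure": ("Failure", 2)}
AUTH_PROTOCOL = {"radius": ("RADIUS", 10)}
LOGON_TYPE = {"network_authentication": ("Network", 3)}

# Factor types that are really a protocol/transport, not a factor (review item 1).
PROTOCOL_FACTOR_TYPES = {"radius"}

# Proposed policy keys -> hypothetical `type` tag on a policy object (review item 4).
POLICY_KEYS = {
    "matched_group_policy_rule_name": "group",
    "matched_auth_policy_rule_name": "authentication",
    "matched_identity_policy_rule_name": "identity",
    "matched_service_policy_rule_name": "service",
}


def normalize(event):
    """Return (normalized_event, duplicates, unmapped).

    duplicates: sorted (proposed_key, existing_attribute) pairs found in the event.
    unmapped:   sorted proposed keys with no existing home; these are the
                candidates for an actual schema addition.
    """
    ev = copy.deepcopy(event)
    duplicates, unmapped, policies, factors, results = set(), set(), [], [], []
    handled = set(DUPLICATE_MAP) | set(POLICY_KEYS) | {"auth_identity_store", "auth_method_type"}

    for factor in ev.pop("auth_factors", []):
        ac = factor.pop("access_control", {})
        results.append(ac.get("auth_result", factor.get("factor_result")))
        duplicates.update((k, DUPLICATE_MAP[k]) for k in ac if k in DUPLICATE_MAP)

        ftype = factor.get("factor_type", "").lower()
        if ftype in PROTOCOL_FACTOR_TYPES:
            # RADIUS describes how the credential travelled; it is an auth_protocol,
            # not a factor, so it is lifted to the event level and the entry dropped.
            ev["auth_protocol"], ev["auth_protocol_id"] = AUTH_PROTOCOL[ftype]
        else:
            if "auth_identity_store" in ac:
                factor["provider"] = ac["auth_identity_store"]  # assumed: auth_factor.provider
            factors.append(factor)

        if ac.get("auth_method_type") == "multi_factor":
            ev["is_mfa"] = True
        if ac.get("auth_type") in LOGON_TYPE:
            ev["logon_type"], ev["logon_type_id"] = LOGON_TYPE[ac["auth_type"]]
        for key, ptype in POLICY_KEYS.items():
            if key in ac:
                pol = {"name": ac[key], "type": ptype}  # `type` is hypothetical
                if pol not in policies:
                    policies.append(pol)
        unmapped.update(k for k in ac if k not in handled)

    # One event-level status: success only if every factor succeeded.
    overall = "success" if all(r == "success" for r in results) else "failure"
    ev["status"], ev["status_id"] = STATUS[overall]
    ev["auth_factors"] = factors
    ev["policies"] = policies  # hypothetical augmentation of the policy object
    return ev, sorted(duplicates), sorted(unmapped)


# Sample input: the JSON from the first comment of this issue, embedded here.
EXAMPLE = {
    "class": "authentication",
    "auth_factors": [
        {"factor_type": "RADIUS", "factor_result": "success",
         "access_control": {
             "access_restricted": True,
             "matched_group_policy_rule_name": "VPNAccessPolicy",
             "matched_auth_policy_rule_name": "RADIUSAuthPolicy",
             "matched_identity_policy_rule_name": "NetworkUserPolicy",
             "matched_service_policy_rule_name": "VPNServicePolicy",
             "auth_identity_store": "Cisco ISE", "query_identity_store": "LDAP",
             "auth_status": "authenticated", "auth_method": "radius",
             "auth_method_type": "single_factor", "auth_result": "success",
             "auth_type": "network_authentication"}},
        {"factor_type": "otp", "factor_result": "success",
         "access_control": {
             "access_restricted": True,
             "matched_group_policy_rule_name": "VPNAccessPolicy",
             "matched_auth_policy_rule_name": "RADIUSAuthPolicy",
             "matched_identity_policy_rule_name": "NetworkUserPolicy",
             "matched_service_policy_rule_name": "VPNServicePolicy",
             "auth_identity_store": "RSA SecurID", "query_identity_store": "LDAP",
             "auth_status": "authenticated", "auth_method": "otp",
             "auth_method_type": "multi_factor", "auth_result": "success",
             "auth_type": "network_authentication"}},
    ],
}

if __name__ == "__main__":
    normalized, dups, missing = normalize(EXAMPLE)
    print(json.dumps(normalized, indent=2))
    print("duplicated:", dups)
    print("still unmapped:", missing)
```

Run against the issue's sample, only access_restricted, auth_status and query_identity_store survive as unmapped; everything else in the proposed object collapses onto an existing attribute or onto the policy object, which is the "only add missing pieces" outcome the review asks for.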