Tired of the mental gymnastics of understanding bespoke security log message formats? CSNF provides a common data model for security notifications from all cloud providers and related vendor tools.
Ideal for incident response teams, where every second counts in an investigation, but flexible enough to help all security engineering teams working across multiple clouds and platforms to better understand and build automation around observability data.
Our goal is to produce a standardized mapping of security log fields that simplifies the numerous systems present in a modern organization.
If you or your organization uses Splunk, getting started with CSNF should be as easy as installing the CSNF Splunk Technology Add-on (TA).
With the installation of the Splunk TA, your organization will be able to access and visualize the existing mappings as metadata fields across your cloud indices.
If you manage a tool or product expected to output logs ingested by security teams, check out the CSNF Schema and leverage our fields for your log outputs.
To learn what fields are available and their meaning please see the Canonical Data Model.
Producers can connect their findings to CSNF with the following steps:
Map security findings and alerts to the CSNF CDM:
The Provider CSV Readme describes how to map Cloud Service Provider (CSP) or security vendor alerts to the ONUG CSNF format. Map your security findings in a Provider CSV.
Map the properties that are common across all of your findings with a __default__ entry in the Alert Id column; rows keyed by a specific Alert Id cover the fields that differ per alert. For additional information see the Provider CSV Readme.
Add sample finding(s):
Place one or more unmapped sample findings in the sample_findings/ directory. Naming convention: <producer_name>_<product_name>_<finding_number>.json
e.g. microsoft_defender_1.json
Validate outcomes: run the provider_csv_to_provider_json_script and confirm that it generates an output JSON file from your Provider CSV and sample findings.
Contribute to the CSNF GitHub repository: create a pull request (PR) following the process defined in CONTRIBUTING.md.
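To make the __default__ mechanism concrete, here is an added, self-contained example of the mapping step (written for this page; it is not the project's provider_csv_to_provider_json_script and does not use the real CDM). The CSV column names, the dotted CSNF field names, the alertType key used to identify the Alert Id of a finding, and the sample findings are all constructed assumptions; the real column layout and field names come from the Provider CSV Readme and the Canonical Data Model. The example shows __default__ rows applying to every finding, an Alert Id row overriding a default, and the validation output a producer would check before opening a PR: which provider paths a sample finding failed to supply.

```python
import csv
import io
import json
import re

# Constructed provider CSV (illustrative only). Column names and the dotted
# CSNF field names are assumptions; see the Provider CSV Readme for the real layout.
PROVIDER_CSV = """Alert Id,Provider Field,CSNF Field
__default__,id,finding.id
__default__,properties.severity,finding.severity
__default__,properties.timeGenerated,finding.time
DEMO-LOGIN,properties.compromisedEntity,resource.name
DEMO-STORAGE,properties.resourceIdentifiers[0].azureResourceId,resource.id
DEMO-STORAGE,properties.riskLevel,finding.severity
"""

# Constructed unmapped sample findings, as would live under sample_findings/.
# The "alertType" key naming the Alert Id is an assumption for this example.
SAMPLE_FINDINGS = [
    {"id": "f-1", "alertType": "DEMO-LOGIN",
     "properties": {"severity": "High", "timeGenerated": "2024-01-01T00:00:00Z",
                    "compromisedEntity": "vm-web-01"}},
    {"id": "f-2", "alertType": "DEMO-STORAGE",
     "properties": {"severity": "Medium", "riskLevel": "Critical",
                    "timeGenerated": "2024-01-02T00:00:00Z",
                    "resourceIdentifiers": [{"azureResourceId": "/subscriptions/x/storage/y"}]}},
    # No Alert Id-specific rows and a missing timestamp: only defaults apply.
    {"id": "f-3", "alertType": "DEMO-UNKNOWN",
     "properties": {"severity": "Low"}},
]

DEFAULT_KEY = "__default__"
# Tokenises "a.b[0].c" into ("a",""), ("b",""), ("","0"), ("c","")
_PATH_TOKEN = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def load_mapping(csv_text):
    """Parse the provider CSV into {alert_id: {csnf_field: provider_path}}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        alert_id = row["Alert Id"].strip()
        mapping.setdefault(alert_id, {})[row["CSNF Field"].strip()] = row["Provider Field"].strip()
    return mapping


def get_path(obj, path):
    """Resolve a dotted provider path with optional [n] list indexes; None if absent."""
    cur = obj
    for key, idx in _PATH_TOKEN.findall(path):
        try:
            cur = cur[int(idx)] if idx else cur[key]
        except (KeyError, IndexError, TypeError):
            return None
    return cur


def set_path(obj, path, value):
    """Create nested dicts for a dotted CSNF field name and set the leaf."""
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def rules_for(mapping, alert_id):
    """__default__ rows apply to every finding; rows for a specific Alert Id override them."""
    rules = dict(mapping.get(DEFAULT_KEY, {}))
    rules.update(mapping.get(alert_id, {}))
    return rules


def map_finding(finding, mapping, alert_id_field="alertType"):
    """Return (csnf_dict, missing): missing lists provider paths the finding did not contain."""
    alert_id = finding.get(alert_id_field, "")
    out, missing = {}, []
    for csnf_field, provider_path in sorted(rules_for(mapping, alert_id).items()):
        value = get_path(finding, provider_path)
        if value is None:
            missing.append(provider_path)
        else:
            set_path(out, csnf_field, value)
    return out, missing


def provider_csv_to_provider_json(csv_text, findings):
    """Map every sample finding; keep the validation result beside the mapped record."""
    mapping = load_mapping(csv_text)
    results = []
    for finding in findings:
        mapped, missing = map_finding(finding, mapping)
        results.append({"csnf": mapped, "missing_provider_fields": missing})
    return results


if __name__ == "__main__":
    print(json.dumps(provider_csv_to_provider_json(PROVIDER_CSV, SAMPLE_FINDINGS), indent=2))
```

For f-2 the DEMO-STORAGE row wins over the __default__ severity row, so finding.severity comes from properties.riskLevel; for f-3 the report lists properties.timeGenerated as missing, which is the kind of gap a producer should resolve (or document) before running the project's own script and opening the PR.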
Please read the CONTRIBUTING.md page to learn more about how you can contribute to the CSNF demo-service.
Please also read the CSNF Contributor Code Of Conduct.
Distributed under the Apache-2.0 License; see LICENSE.txt.