opencybersecurityalliance / documentation

OCA-wide documentation shared by all sub-projects and repositories
Other
33 stars 16 forks source link

Posture Collection System #18

Open warrenrjwc opened 4 years ago

warrenrjwc commented 4 years ago

For this diagram, https://github.com/opencybersecurityalliance/documentation/blob/dee00b859dd2d1255fa22c05a0817420f6902518/Architecture%20Documents/SACM-context.pdf

Would the endpoints be a component that would be depicted with an arrow to the posture collection system? I would like to see what ties to the posture collection system so we have a end-to-end view.

adammontville commented 4 years ago

That's a good suggestion. Then, as we drill down into containers and components, we could consider depicting different deployment models as well (the SCAM architecture supports remote and agent-based collection).

warrenrjwc commented 4 years ago

For the SACM OCA diagram (https://github.com/MitchellJThomas/documentation/blob/initial-c4-diagrams/README.md) I have some questions (love the diagram!) (1) Should Queries be two way arrows? (perhaps not all boxes but some), as SIEMs, SOARS, etc query for information as well as receive queries. (2) I am a bit confused on the multiple endpoint boxes (2 down the bottom and an EDR box above). Why are these multiples? (3) Does Data Fabric represent STIX-Shifter (per original diagram)? If so, it currently supports specific queries only (for observable objects). Perhaps we need to denote this? (4) Does Integration Service represent OpenDXL (per original diagram)? If so, perhaps a more descriptive name would be appropriate (like Communications service/common message bus/...). I do not think Integration Service clearly represents OpenDXL. (5) For the SOAR box, is O and A - operations and automation? Should the SOAR box have a query/response arrow? (6 For the SIEM box, the arrow has logs and network data. This seems only partially true (they can collect asset info, vulnerability data, risk info and much more). Perhaps we should label it more generically (like you did for the threat intelligence box)?