openid / sharedsignals

OpenID Shared Signals Working Group Repository

New session presented event #183

Closed tulshi closed 3 weeks ago

FragLegs commented 3 weeks ago

When talking to @iamseanodentity I realized that I think the whole notion of "session presented" is problematic. All other SSF events tell us when something changes. But with session presented, the Receiver would need to compare each new event to stored previous events to determine if things like risk_score, ip, or fp_ua have changed. It would be much more valuable to have RiskScoreChanged, IPChanged, and FingerprintChanged events.

tulshi commented 3 weeks ago

> When talking to @iamseanodentity I realized that I think the whole notion of "session presented" is problematic. All other SSF events tell us when something changes. But with session presented, the Receiver would need to compare each new event to stored previous events to determine if things like risk_score, ip, or fp_ua have changed. It would be much more valuable to have RiskScoreChanged, IPChanged, and FingerprintChanged events.

A few things to consider:

  1. The event is important to build "Identity Threat Detection" capabilities. Such a capability can help receivers understand threats that span various transmitters. Each point-observation may not represent a threat, but together it might constitute one.
  2. The "changed" events you mention will not convey all possible threats because if an attacker uses different IP addresses at different applications, but retains the same IP address for each application, then nothing will have changed at an application, and they would not send such "changed" events.
  3. For receivers who are not interested in such presence events (including those who find them difficult to process, as you describe), they can simply not subscribe to them, so unless you feel this event is not going to help further the CAEP charter, we should keep it.
  4. Finally, the CAEP charter is to improve session security (paraphrasing), and since this event contributes to that charter, I believe it should be added.