intelmq
For discussion: define a recommended minimum requirements and (dis)allowed fields for each classification type
What?
I know there are general recommendations in the docs.
However, I am proposing to create a definition of:
- required fields for each classification type
- disallowed fields for each classification type
It would be somewhat of an extension to this docs page.
The enforcement of such rules would be optional (perhaps via dedicated expert bot).
Why?
- This would make it easier to interpret what the event is actually describing. Please let me know in the comments how you would understand the following event (because technically it is a valid IntelMQ Event):
```json
{
"classification.type": "vulnerable-system",
"time.source": "2021-06-21T06:34:53+00:00",
"source.port": 1359,
"protocol.transport": "tcp",
"source.ip": "46.13.XXX.XXX",
"destination.geolocation.cc": "US",
"destination.port": 80,
"source.geolocation.cc": "CZ",
"destination.ip": "104.42.XXX.XXX",
"classification.taxonomy": "vulnerable",
"time.observation": "2021-06-22T16:31:31+00:00"
}
```
- It would make it easier to interpret the event programmatically for other systems consuming IntelMQ events.
- It would make sharing IntelMQ events more consistent across various IntelMQ instances of different organizations.
- The implementation and usage of such an expert bot would prevent informationally incomplete or ambiguous events. It would also be useful as a notification that such an incomplete or ambiguous event has appeared in IntelMQ and would indicate that some kind of configuration adjustment might be needed.
Example
Events with classification type "vulnerable-system":
- source.ip: must be present
- destination.*: must not be present
- etc.
Events with classification type "phishing":
- source.url: must be present
- destination.*: should not be present (or have a clear definition what it means when "phishing" has some form of destination)
- etc.
Events with classification type "dga-domain":
- source.fqdn: must be present
- etc.
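To make the proposal concrete, here is an added example (not IntelMQ code, and not part of the original issue) of how such a checker could evaluate an event against a per-classification rule table; the RULES table, the `check_event` function and the wildcard handling via `fnmatch` are my assumptions, and the sample event is the one quoted above.

```python
# Added example, not IntelMQ code: a minimal checker for the proposed
# required/disallowed field rules per classification.type.
from fnmatch import fnmatchcase

# Hypothetical rule table mirroring the examples in the issue.
# Patterns use shell-style wildcards, so "destination.*" covers the
# whole destination.* namespace (destination.ip, destination.port, ...).
RULES = {
    "vulnerable-system": {"required": ["source.ip"], "disallowed": ["destination.*"]},
    "phishing": {"required": ["source.url"], "disallowed": ["destination.*"]},
    "dga-domain": {"required": ["source.fqdn"], "disallowed": []},
}


def check_event(event, rules=RULES):
    """Return a list of violations for an IntelMQ-style event dict.

    An empty list means the event satisfies the rules for its type.
    Types without a rule entry are not checked (enforcement is optional).
    """
    ctype = event.get("classification.type")
    if ctype is None:
        return ["classification.type is missing"]
    rule = rules.get(ctype)
    if rule is None:
        return []
    violations = []
    for required in rule["required"]:
        if not any(fnmatchcase(field, required) for field in event):
            violations.append(f"{ctype}: required field {required} is missing")
    for pattern in rule["disallowed"]:
        for field in sorted(event):
            if fnmatchcase(field, pattern):
                violations.append(f"{ctype}: disallowed field {field} is present (rule {pattern})")
    return violations


# The event quoted in the issue (IPs masked exactly as in the issue text).
SAMPLE_EVENT = {
    "classification.type": "vulnerable-system",
    "time.source": "2021-06-21T06:34:53+00:00",
    "source.port": 1359,
    "protocol.transport": "tcp",
    "source.ip": "46.13.XXX.XXX",
    "destination.geolocation.cc": "US",
    "destination.port": 80,
    "source.geolocation.cc": "CZ",
    "destination.ip": "104.42.XXX.XXX",
    "classification.taxonomy": "vulnerable",
    "time.observation": "2021-06-22T16:31:31+00:00",
}

if __name__ == "__main__":
    for violation in check_event(SAMPLE_EVENT):
        print(violation)
```

Run against the quoted event, the checker flags the three destination.* fields as disallowed for "vulnerable-system", which is exactly the ambiguity the issue describes.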
Outcome
What would be the outcome of this issue:
- rather long documentation page with the recommendations/rules
- possibly an expert bot that could be optionally used to enforce such rules
None of it would be mandatory to use, but recommended for sharing and other processing of IntelMQ events.
I am most definitely willing to put together a draft of such recommendations/rules for discussion. But first I would like to know if it is something this community would accept at all.