WIP: Add support for structured levels of alerts, detections and logging #431
base: main
Conversation
Looks good!
```python
class Alert(object):
    """
    An alert generated by an MVT module.
    """
```
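Review bot: the explicit `object` base in `class Alert(object):` is redundant on Python 3 and can be dropped, and the docstring should also state which level values an alert may carry so it stays in sync with the level definitions quoted further down in this review; a dataclass with `module`, `level` and `message` fields would make those attributes explicit rather than leaving them to be set ad hoc.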
Making this a dataclass might be a good idea
informational: Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules.
low: Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn’t be necessary, but a regular review is recommended.
medium: Relevant event that should be reviewed manually on a more frequent basis.
high: Relevant event that should trigger an internal alert and requires a prompt review.
critical: Highly relevant event that indicates an incident. Critical events should be reviewed immediately.
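Review bot: these descriptions speak of rules, cases and internal alerting, which are SIEM notions, while MVT produces results from one device's forensic extraction that an analyst reads afterwards; each line should instead say what the analyst does with a result at that level, for example "medium: suspicious event that needs manual review" and "critical: event matching a known indicator, review immediately", so that the level written to the JSON output has a meaning a reader of that output can act on.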
Might want to tweak some of the language here around interpreting the levels for our specific case
Yes definitely. I think we should include some similar descriptions in our documentation.
Currently MVT only supports one level of "detected" events. This binary choice of detected or not detected can be limited as we may want to highlight certain suspicious events requiring manual analysis or review.
We currently log warnings for certain events. This, however, is limited, as these warnings will only be visible transiently in the command log and not be stored in JSON for later parsing or analysis.
This is an early work-in-progress to test a possible design.
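The design sketched above, as an added example that is not this PR's or MVT's own code: an ordered level enum and an alert dataclass that survive into JSON, so a consumer can filter on a severity threshold instead of a binary detected flag. The names `AlertLevel`, `Alert`, `alerts_at_or_above`, `dump_alerts` and `load_alerts` are assumed here, and the sample alerts are constructed.

```python
import json
from dataclasses import asdict, dataclass, field
from enum import IntEnum
from typing import Any, Dict, List


class AlertLevel(IntEnum):
    """Ordered severities (lowest first) so alerts can be compared and
    filtered by threshold rather than a binary detected / not-detected flag."""
    INFORMATIONAL = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Alert:
    """An alert raised by a module (assumed shape, not MVT's class):
    which module raised it, how severe it is, and the event that triggered it."""
    module: str
    level: AlertLevel
    message: str
    event: Dict[str, Any] = field(default_factory=dict)

    def to_dict(self) -> Dict[str, Any]:
        d = asdict(self)
        d["level"] = self.level.name.lower()  # stable string in JSON, not a bare int
        return d


def alerts_at_or_above(alerts: List[Alert], threshold: AlertLevel) -> List[Alert]:
    """Keep only alerts at or above a threshold, e.g. everything needing manual review."""
    return [a for a in alerts if a.level >= threshold]


def dump_alerts(alerts: List[Alert]) -> str:
    """Write alerts as JSON so they persist beyond the transient command log."""
    return json.dumps([a.to_dict() for a in alerts], indent=2)


def load_alerts(text: str) -> List[Alert]:
    """Round-trip: rebuild Alert objects (with enum levels) from dump_alerts output."""
    return [Alert(**{**d, "level": AlertLevel[d["level"].upper()]}) for d in json.loads(text)]


if __name__ == "__main__":
    # Constructed sample results for one device, not real module output
    sample = [Alert("sms", AlertLevel.MEDIUM, "shortened link in SMS", {"url": "http://example.com/x"}),
              Alert("tags", AlertLevel.INFORMATIONAL, "event tagged for context")]
    print(dump_alerts(alerts_at_or_above(sample, AlertLevel.MEDIUM)))
```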