Replace Alert document with Risk Score document

I misunderstood the "source data" section; a risk score document is what actually shows the proposed fields being used.
elastic · Oct 26, 2023 · 6fc0186 · 6fc0186
1 parent 6460bab
commit 6fc0186
Showing 1 changed file with 37 additions and 95 deletions.
diff --git a/rfcs/text/0042-risk-score-extensions.md b/rfcs/text/0042-risk-score-extensions.md
@@ -77,105 +77,47 @@ We intend to leverage these new fields as part of the new implementation of the
 
 The new Risk Engine will initially use Detection Engine Alerts as inputs to its scoring mechanism. However, we intend also to allow ingestion from the other Risk Categories described here, provided that they conform to the appropriate schema. Said schema is outside of the scope of this RFC, but based on the current implementation all we will need are a `score` field and a `category` field in order to ingest any arbitrary document.
 
-### Detection Engine Alert
-The following is an example alert from Kibana's detection engine. This alert would contribute to a user risk score for `Arturo_Haley`.
+### Risk Score Document
+The following is an example risk score generated from Detection Engine Alerts, corresponding to the entity `host.name: 'siem-kibana'`
 
 ```json
 {
-  "kibana.alert.start": "2023-04-11T20:18:15.816Z",
-  "kibana.alert.last_detected": "2023-04-11T20:18:15.816Z",
-  "kibana.version": "8.7.0",
-  "kibana.alert.rule.parameters": {
-    "description": "2",
-    "risk_score": 21,
-    "severity": "low",
-    "license": "",
-    "author": [],
-    "false_positives": [],
-    "from": "now-360s",
-    "rule_id": "d5496711-5f25-4fbf-a05a-4c708157fc7f",
-    "max_signals": 100,
-    "risk_score_mapping": [],
-    "severity_mapping": [],
-    "threat": [],
-    "to": "now",
-    "references": [],
-    "version": 3,
-    "exceptions_list": [],
-    "immutable": false,
-    "related_integrations": [],
-    "required_fields": [],
-    "setup": "",
-    "type": "query",
-    "language": "kuery",
-    "index": ["my*"],
-    "query": "*",
-    "filters": []
-  },
-  "kibana.alert.rule.category": "Custom Query Rule",
-  "kibana.alert.rule.consumer": "siem",
-  "kibana.alert.rule.execution.uuid": "dda06037-a804-4217-93b6-778a2f58dc1a",
-  "kibana.alert.rule.name": "1",
-  "kibana.alert.rule.producer": "siem",
-  "kibana.alert.rule.rule_type_id": "siem.queryRule",
-  "kibana.alert.rule.uuid": "8d7edef8-ae41-4b6e-aec9-783540a5ffb8",
-  "kibana.space_ids": ["default"],
-  "kibana.alert.rule.tags": [],
-  "@timestamp": 1691056730499,
-  "host": {
-    "name": "antique-leek.org",
-    "os": {
-      "full": "server"
+  "id": "a4cf452c1e0375c3d4412cb550ad1783358468a3b3b777da4829d72c7d6fb74f",
+  "index": "risk-score.risk-score-latest-default",
+  "source": {
+    "@timestamp": "2021-03-10T14:51:05.766Z",
+    "host": {
+      "name": "siem-kibana",
+      "risk": {
+        "calculated_level": "Critical",
+        "calculated_score_norm": 90,
+        "id_field": "host.name",
+        "id_value": "siem-kibana",
+        "calculated_score": 150,
+        "category_1_score": 150,
+        "category_1_count": 1,
+        "notes": [],
+        "inputs": [
+          {
+            "id": "62895f54816047b9bf82929a61a6c571f41de9c2361670f6ef0136360e006f58",
+            "index": ".internal.alerts-security.alerts-default-000001",
+            "description": "New Rule Test",
+            "category": "category_1",
+            "risk_score": 70,
+            "timestamp": "2023-08-14T09:08:18.664Z"
+          },
+          {
+            "id": "e5bf3da3c855486ac7b40fa1aa33e19cf1380e413b79ed76bddf728f8fec4462",
+            "index": ".internal.alerts-security.alerts-default-000001",
+            "description": "New Rule Test",
+            "category": "category_1",
+            "risk_score": 70,
+            "timestamp": "2023-08-14T09:08:18.664Z"
+          }
+        ]
+      }
     }
-  },
-  "user": {
-    "name": "Arturo_Haley"
-  },
-  "event.kind": "signal",
-  "kibana.alert.original_time": "2023-04-11T20:17:14.851Z",
-  "kibana.alert.ancestors": [
-    {
-      "id": "8TD3cYcB1hicTK_CdP--",
-      "type": "event",
-      "index": "my-index",
-      "depth": 0
-    }
-  ],
-  "kibana.alert.status": "active",
-  "kibana.alert.workflow_status": "open",
-  "kibana.alert.depth": 1,
-  "kibana.alert.reason": "event on Host 4 created low alert 1.",
-  "kibana.alert.severity": "low",
-  "kibana.alert.risk_score": 21,
-  "kibana.alert.rule.actions": [],
-  "kibana.alert.rule.author": [],
-  "kibana.alert.rule.created_at": "2023-04-11T20:15:52.473Z",
-  "kibana.alert.rule.created_by": "elastic",
-  "kibana.alert.rule.description": "2",
-  "kibana.alert.rule.enabled": true,
-  "kibana.alert.rule.exceptions_list": [],
-  "kibana.alert.rule.false_positives": [],
-  "kibana.alert.rule.from": "now-360s",
-  "kibana.alert.rule.immutable": false,
-  "kibana.alert.rule.interval": "5m",
-  "kibana.alert.rule.indices": ["my*"],
-  "kibana.alert.rule.license": "",
-  "kibana.alert.rule.max_signals": 100,
-  "kibana.alert.rule.references": [],
-  "kibana.alert.rule.risk_score_mapping": [],
-  "kibana.alert.rule.rule_id": "cc066b08-b4d2-4e74-81cb-3cda5aaa612d",
-  "kibana.alert.rule.severity_mapping": [],
-  "kibana.alert.rule.threat": [],
-  "kibana.alert.rule.to": "now",
-  "kibana.alert.rule.type": "query",
-  "kibana.alert.rule.updated_at": "2023-04-11T20:18:11.024Z",
-  "kibana.alert.rule.updated_by": "elastic",
-  "kibana.alert.rule.version": 3,
-  "kibana.alert.rule.meta.from": "1m",
-  "kibana.alert.rule.meta.kibana_siem_app_url": "http://localhost:5601/app/security",
-  "kibana.alert.rule.risk_score": 21,
-  "kibana.alert.rule.severity": "low",
-  "kibana.alert.uuid": "856934e4-6d10-487e-9997-a9757b3f4927"
+  }
 }
 ```