From 6fc01863462f449762482a4237cb2a321f4a3e49 Mon Sep 17 00:00:00 2001
From: Ryland Herrick <ryalnd@gmail.com>
Date: Thu, 26 Oct 2023 13:21:46 -0500
Subject: [PATCH] Replace Alert document with Risk Score document

I misunderstood the "source data" section; a risk score document is what
actually shows the proposed fields being used.
---
 rfcs/text/0042-risk-score-extensions.md | 132 +++++++-----------------
 1 file changed, 37 insertions(+), 95 deletions(-)

diff --git a/rfcs/text/0042-risk-score-extensions.md b/rfcs/text/0042-risk-score-extensions.md
index ee3d72839..c13123fc1 100644
--- a/rfcs/text/0042-risk-score-extensions.md
+++ b/rfcs/text/0042-risk-score-extensions.md
@@ -77,105 +77,47 @@ We intend to leverage these new fields as part of the new implementation of the
 
 The new Risk Engine will initially use Detection Engine Alerts as inputs to its scoring mechanism. However, we intend also to allow ingestion from the other Risk Categories described here, provided that they conform to the appropriate schema. Said schema is outside of the scope of this RFC, but based on the current implementation all we will need are a `score` field and a `category` field in order to ingest any arbitrary document.
 
-### Detection Engine Alert
-The following is an example alert from Kibana's detection engine. This alert would contribute to a user risk score for `Arturo_Haley`.
+### Risk Score Document
+The following is an example risk score generated from Detection Engine Alerts, corresponding to the entity `host.name: 'siem-kibana'`
 
 ```json
 {
-  "kibana.alert.start": "2023-04-11T20:18:15.816Z",
-  "kibana.alert.last_detected": "2023-04-11T20:18:15.816Z",
-  "kibana.version": "8.7.0",
-  "kibana.alert.rule.parameters": {
-    "description": "2",
-    "risk_score": 21,
-    "severity": "low",
-    "license": "",
-    "author": [],
-    "false_positives": [],
-    "from": "now-360s",
-    "rule_id": "d5496711-5f25-4fbf-a05a-4c708157fc7f",
-    "max_signals": 100,
-    "risk_score_mapping": [],
-    "severity_mapping": [],
-    "threat": [],
-    "to": "now",
-    "references": [],
-    "version": 3,
-    "exceptions_list": [],
-    "immutable": false,
-    "related_integrations": [],
-    "required_fields": [],
-    "setup": "",
-    "type": "query",
-    "language": "kuery",
-    "index": ["my*"],
-    "query": "*",
-    "filters": []
-  },
-  "kibana.alert.rule.category": "Custom Query Rule",
-  "kibana.alert.rule.consumer": "siem",
-  "kibana.alert.rule.execution.uuid": "dda06037-a804-4217-93b6-778a2f58dc1a",
-  "kibana.alert.rule.name": "1",
-  "kibana.alert.rule.producer": "siem",
-  "kibana.alert.rule.rule_type_id": "siem.queryRule",
-  "kibana.alert.rule.uuid": "8d7edef8-ae41-4b6e-aec9-783540a5ffb8",
-  "kibana.space_ids": ["default"],
-  "kibana.alert.rule.tags": [],
-  "@timestamp": 1691056730499,
-  "host": {
-    "name": "antique-leek.org",
-    "os": {
-      "full": "server"
+  "id": "a4cf452c1e0375c3d4412cb550ad1783358468a3b3b777da4829d72c7d6fb74f",
+  "index": "risk-score.risk-score-latest-default",
+  "source": {
+    "@timestamp": "2021-03-10T14:51:05.766Z",
+    "host": {
+      "name": "siem-kibana",
+      "risk": {
+        "calculated_level": "Critical",
+        "calculated_score_norm": 90,
+        "id_field": "host.name",
+        "id_value": "siem-kibana",
+        "calculated_score": 150,
+        "category_1_score": 150,
+        "category_1_count": 1,
+        "notes": [],
+        "inputs": [
+          {
+            "id": "62895f54816047b9bf82929a61a6c571f41de9c2361670f6ef0136360e006f58",
+            "index": ".internal.alerts-security.alerts-default-000001",
+            "description": "New Rule Test",
+            "category": "category_1",
+            "risk_score": 70,
+            "timestamp": "2023-08-14T09:08:18.664Z"
+          },
+          {
+            "id": "e5bf3da3c855486ac7b40fa1aa33e19cf1380e413b79ed76bddf728f8fec4462",
+            "index": ".internal.alerts-security.alerts-default-000001",
+            "description": "New Rule Test",
+            "category": "category_1",
+            "risk_score": 70,
+            "timestamp": "2023-08-14T09:08:18.664Z"
+          }
+        ]
+      }
     }
-  },
-  "user": {
-    "name": "Arturo_Haley"
-  },
-  "event.kind": "signal",
-  "kibana.alert.original_time": "2023-04-11T20:17:14.851Z",
-  "kibana.alert.ancestors": [
-    {
-      "id": "8TD3cYcB1hicTK_CdP--",
-      "type": "event",
-      "index": "my-index",
-      "depth": 0
-    }
-  ],
-  "kibana.alert.status": "active",
-  "kibana.alert.workflow_status": "open",
-  "kibana.alert.depth": 1,
-  "kibana.alert.reason": "event on Host 4 created low alert 1.",
-  "kibana.alert.severity": "low",
-  "kibana.alert.risk_score": 21,
-  "kibana.alert.rule.actions": [],
-  "kibana.alert.rule.author": [],
-  "kibana.alert.rule.created_at": "2023-04-11T20:15:52.473Z",
-  "kibana.alert.rule.created_by": "elastic",
-  "kibana.alert.rule.description": "2",
-  "kibana.alert.rule.enabled": true,
-  "kibana.alert.rule.exceptions_list": [],
-  "kibana.alert.rule.false_positives": [],
-  "kibana.alert.rule.from": "now-360s",
-  "kibana.alert.rule.immutable": false,
-  "kibana.alert.rule.interval": "5m",
-  "kibana.alert.rule.indices": ["my*"],
-  "kibana.alert.rule.license": "",
-  "kibana.alert.rule.max_signals": 100,
-  "kibana.alert.rule.references": [],
-  "kibana.alert.rule.risk_score_mapping": [],
-  "kibana.alert.rule.rule_id": "cc066b08-b4d2-4e74-81cb-3cda5aaa612d",
-  "kibana.alert.rule.severity_mapping": [],
-  "kibana.alert.rule.threat": [],
-  "kibana.alert.rule.to": "now",
-  "kibana.alert.rule.type": "query",
-  "kibana.alert.rule.updated_at": "2023-04-11T20:18:11.024Z",
-  "kibana.alert.rule.updated_by": "elastic",
-  "kibana.alert.rule.version": 3,
-  "kibana.alert.rule.meta.from": "1m",
-  "kibana.alert.rule.meta.kibana_siem_app_url": "http://localhost:5601/app/security",
-  "kibana.alert.rule.risk_score": 21,
-  "kibana.alert.rule.severity": "low",
-  "kibana.alert.uuid": "856934e4-6d10-487e-9997-a9757b3f4927"
+  }
 }
 ```