Secure60 - Common Information Model (CIM):

The term Common Information Model (CIM) is used to describe what an Event should look like so that we can extract maximum value from the data.

When an Event is categorized properly inside the CIM, it means that we can extract deep context around the Event and construct Entity groupings based on this information.

An example of this context and its value: we capture Events with different type values, for example email or app. Each of these Events could share a common operation value such as user-logon and a common auth_username field containing the value john.doe.

Based on this information, we can then track and correlate the behavior of the user john.doe across all systems and have a much more powerful viewpoint into behavior. john.doe logging into multiple systems they have never logged into before or failed logon attempts across a range of systems are much stronger signals of malicious activity than individual events alone.

Secure60 - CIM Definition:

Fields in bold are compulsory. Filling in as many other fields as possible will ensure that the system can fully process context and perform effective correlations.

Fields that start with a type value indicate fields related to that entity type. For example, type = "http" would ideally have multiple fields such as http_status_code and http_uri submitted with the Event; otherwise detections associated with type = "http" will not be able to match with full context.

type
  • Identifies the type of entity being targeted by an event.
  • Example values include email, user, file, process, endpoint, application, http or an alert
  • This is a broad grouping around an “entity” that will be used to help rule design and monitoring
operation
  • Identifies the type of operation that the entity (identified by the type field) has carried out.
  • Examples include:
    • email-send,
    • file-write,
    • process-create
    • user-password-modify
    • user-login
    • user-create
    • endpoint-login
    • alert-created
    • http-request
    • application-error
outcome
  • Identifies the result status of the event. The outcome indicates whether or not the activity had its intended effect.
  • Field value options are success or failure
  • Examples of things that may succeed or fail are: logon, installing an application, email send, dns resolve
vendor
  • Identifies the owner of the product that recorded the event.
  • In an email-send example, if the log data was streamed from the M365 logging service, the vendor can be identified as “microsoft”.
product
  • Identifies the service or application that recorded the event. In an email-send example, if the vendor is identified as Microsoft, and the log data was streamed from the M365 logging service, the product can be identified as the “m365 audit log”.
technology_group
  • Identifies an umbrella category for the platform. Examples include: cloud, endpoint, database, vpn
  • An example use case for this field might be: We want to detect anomalies that are relevant to files in a cloud file-sharing application (such as exfiltration from the cloud), but do not want to include data about files on an endpoint. Using the type and technology_group context elements, we can target activities that happen to a file entity (type field) in a cloud file-sharing application (technology_group field).
environment
  • The development environment that the event has come from
  • Example values might include: "Production", "Staging" or "Test"
schema_version
  • The version of the Secure60 schema that is being used. As the schema changes, Secure60 will handle new schema versions dynamically. Current Version: 1.0
timestamp
  • The time (in UTC) that the Event was generated on the source infrastructure
  • Example: 13/08/2023 03:05:15
  • If this field is missing the timestamp is automatically added at the ingest layer
    • A field called “event_timestamp_fixedbys60” with value “true” is also added
source_
  • This refers to the source of Event information (the name of the log source; it can include hosts and other characteristics that are available)
  • source_name - The name of the log source eg. “windows_logs” or application123_logs
  • source_host - The server or host that is sending the logs. eg. host1.internal
  • source_type - The type of service that is sending this data. eg syslog or gcp-audit-log
  • source_severity - Severity level of the Event eg. info or error
http_
  • This refers to any information related to an HTTP request
  • http_status_code - The HTTP status code of the event.
  • http_uri - The full URI of the request (includes path and query string).
  • http_domain - The domain name.
  • http_host - The server name where the source data has come from.
  • http_method - The HTTP Method used.
  • http_protocol - The HTTP Protocol used.
  • http_useragent - The browser user agent.
  • http_request_time - Request timing.
  • http_body_bytes_sent
  • http_request_length
  • http_bytes_sent
  • http_server_name
  • http_referer
  • http_x_forwarded_for
ip_
  • This refers to any information related to IP addresses
  • ip_src_address
  • ip_src_port
  • ip_dst_address
  • ip_dst_port
  • ip_proxy_address
  • Automatically added (GEO IP / ASN): when the field ip_src_address is provided and is valid, the following IP address location information will be added to the Event. Example for ip_src_address - 1.2.3.4:
    • ip_geo_autonomous_system_number - 12345
    • ip_geo_autonomous_system_organization - NetworkOperator
    • ip_geo_city_name - Sydney
    • ip_geo_continent_code - OC
    • ip_geo_country_code - AU
    • ip_geo_country_name - Australia
    • ip_geo_latitude - -33.8715
    • ip_geo_longitude - 151.2006
    • ip_geo_postal_code - 2000
    • ip_geo_region_code - NSW
    • ip_geo_region_name - New South Wales
    • ip_geo_timezone - Australia/Sydney
network_
  • This refers to all unclassified network traffic and protocols
  • network_protocol
  • network_src_mac
  • network_dst_mac
  • network_bytes
host_
  • This refers to any information related to a server host
  • host_name - The name of the server
  • host_os - The OS of the server
  • host_os_version - The OS version of the server
data_
  • This refers to information around data or information
  • data_risk_score
  • data_sensitive_information
event_
  • This refers to information related to various events that may happen in systems
  • event_description
  • event_result
app_
  • This refers to information from a specific application
  • Standard fields:
    • app_event - A message from an application in relation to an event that has happened
    • app_name - Name of the application
auth_
  • This refers to any information related to a user authentication process
  • auth_username - the username of the login attempt
  • auth_domain - the domain of the login attempt
  • auth_response - the response (success or fail) of the login
  • auth_uri - the uri involved in the login attempt
  • auth_message - any error or status message associated with the event
  • auth_application - The application involved in the login: eg. ssh, Secure60, win:local, signin.amazonaws.com
user_
  • This refers to information related to users
  • user_name - The text string that describes the user (Eg “John Doe”)
  • user_id - The actual string or identifier that a user is logging in with (Eg “john.doe”)
  • user_role - The role of the user
error_
  • This refers to all error related information
  • error_message - The actual error message from the server
  • error_severity - the severity level of the error (eg WARN)
  • error_code - Any error related identifying status code
  • error_id - Any unique ID that specifically identifies this individual event error
agent_
  • This refers to information about the agent sending information to Secure60
  • agent_version
file_
  • This refers to information around file based changes
  • file_name - The name of the file
  • file_path - The path on the filesystem of the file
  • file_ext - The file extension
process_
  • A process is an endpoint structure that represents an instance of a program that was executed and is now running.
  • process_name
  • process_id
  • process_path
alert_
  • Information related to an alert entity
  • alert_severity - “low”, “medium” or “high”
  • alert_severity_id - A number associated with severity
  • alert_type
  • alert_priority
  • alert_description
  • alert_id
  • alert_link
  • alert_category
message_
  • Many Event sources include a text message; this is the general location for these (Eg. error logs, updates or any other source)
  • message_text - A message from a system that hasn't been parsed into other fields
syslog_
  • Catch all for syslog messages that may be useful and not mapped to above fields
  • syslog_severity
  • syslog_facility

Reserved names

We reserve any field name starting with an underscore _ as an internal Secure60 field name. Some uses include:

  • _project_id - Project ID of the record
  • _timestamp - the time the item was created
  • _id - unique ID of the event
  • _processed_time - the time when Secure60 ingest processed the event (added to every event)
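As an added example that is not Secure60's own code, the following normalizer maps a constructed vendor record into the CIM field names defined on this page and then checks the conventions the page states: outcome limited to success or failure, a type value that has a matching prefix (such as http) should be accompanied by fields carrying that prefix, a missing timestamp is filled in and marked with event_timestamp_fixedbys60 = "true", and names starting with an underscore are reserved. The page marks compulsory fields in bold, which does not survive here, so REQUIRED_FIELDS is an assumption; the M365-style input record and its mapping table are also constructed for illustration.

```python
"""Normalize a raw record into Secure60 CIM field names and validate it.

Added example, not Secure60 code. REQUIRED_FIELDS, the sample record and the
M365-style mapping are assumptions; field names and conventions follow the page.
"""
from datetime import datetime, timezone

SCHEMA_VERSION = "1.0"
REQUIRED_FIELDS = ("type", "operation", "vendor", "product")  # assumed set
VALID_OUTCOMES = {"success", "failure"}
TOP_LEVEL_FIELDS = {"type", "operation", "outcome", "vendor", "product",
                    "technology_group", "environment", "schema_version", "timestamp"}
KNOWN_PREFIXES = ("source_", "http_", "ip_", "network_", "host_", "data_", "event_",
                  "app_", "auth_", "user_", "error_", "agent_", "file_", "process_",
                  "alert_", "message_", "syslog_")
TIMESTAMP_FORMAT = "%d/%m/%Y %H:%M:%S"  # matches the page's 13/08/2023 03:05:15 example


def fix_timestamp(event, now=None):
    """Mirror the ingest-layer behaviour described on the page: if timestamp is
    missing, add one (UTC) and set event_timestamp_fixedbys60 to "true"."""
    if "timestamp" not in event:
        now = now or datetime.now(timezone.utc)
        event["timestamp"] = now.strftime(TIMESTAMP_FORMAT)
        event["event_timestamp_fixedbys60"] = "true"
    return event


def normalize_m365_login(raw, now=None):
    """Map a constructed M365-style sign-in record into a CIM event.

    The raw keys (UserId, ClientIP, Workload, ResultStatus, CreationTime) are
    hypothetical and stand in for whatever the real source emits.
    """
    event = {
        "type": "user",
        "operation": "user-login",
        "vendor": "microsoft",
        "product": "m365 audit log",
        "technology_group": "cloud",
        "schema_version": SCHEMA_VERSION,
        "outcome": "success" if raw.get("ResultStatus") == "Succeeded" else "failure",
    }
    if "UserId" in raw:
        event["auth_username"] = raw["UserId"]
        event["user_id"] = raw["UserId"]
    if "ClientIP" in raw:
        event["ip_src_address"] = raw["ClientIP"]
    if "Workload" in raw:
        event["auth_application"] = raw["Workload"]
    if "CreationTime" in raw:
        event["timestamp"] = raw["CreationTime"]
    return fix_timestamp(event, now)


def validate(event):
    """Return a list of problems; an empty list means the event follows the CIM."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in event:
            problems.append(f"missing required field {field}")
    if "outcome" in event and event["outcome"] not in VALID_OUTCOMES:
        problems.append(f"outcome must be success or failure, got {event['outcome']!r}")
    # Names starting with _ are reserved for Secure60; anything else must be a
    # top-level field or carry one of the documented prefixes.
    for name in event:
        if name.startswith("_"):
            problems.append(f"{name} uses the reserved underscore prefix")
        elif name not in TOP_LEVEL_FIELDS and not name.startswith(KNOWN_PREFIXES):
            problems.append(f"{name} is not a known CIM field or prefix")
    # A type such as http should come with http_ fields, or detections lose context.
    entity = event.get("type")
    if entity and f"{entity}_" in KNOWN_PREFIXES \
            and not any(k.startswith(f"{entity}_") for k in event):
        problems.append(f"type {entity} has no {entity}_ fields")
    return problems


if __name__ == "__main__":
    sample = {"UserId": "john.doe", "ClientIP": "203.0.113.10", "Workload": "Exchange",
              "ResultStatus": "Succeeded", "CreationTime": "13/08/2023 03:05:15"}
    ev = normalize_m365_login(sample)
    print(ev, validate(ev) or "OK")
```

Running validate before correlation keeps poorly categorized events from silently degrading detections: an event with outcome "ok" or with type "http" but no http_ fields is exactly the case the page warns cannot be matched with full context.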