Secure60 - Common Information Model (CIM):

The term Common Information Model (CIM) is used to describe what an Event should look like so that we can extract maximum value from the data.

When an Event is categorized properly inside the CIM, it means that we can extract deep context around the Event and construct Entity groupings based on this information.

An example of this context and the value might be: We capture Events that have multiple different type fields which could be email or app for example. Each of these Events could have a common operation value such as user-logon and a common field auth_username which contains the value john.doe.

Based on this information, we can then track and correlate the behavior of the user john.doe across all systems and have a much more powerful viewpoint into behavior. john.doe logging into multiple systems they have never logged into before or failed logon attempts across a range of systems are much stronger signals of malicious activity than individual events alone.

Secure60 - CIM Definition:

Fields in bold are compulsory. Filling in as many other fields as possible will ensure that the system can fully process context and perform effective correlations.

Fields that start with a type value indicate fields related to that entity type. For example, type = "http" would ideally have multiple fields such as http_status_code and http_uri submitted with the Event, otherwise, detections associated with the type = "http" will not be able to successfully match with full context.

type

• Identifies the type of entity being targeted by an event.
• Example values include email, user, file, process, endpoint, application, http or an alert
• This is a broad grouping around an “entity” that will be used to help rule design and monitoring

operation

• Identifies the type of operation that the entity (idenfied by event_type) has carried out.
• Examples include:
  • email-send,
  • file-write,
  • process-create
  • user-password-modify
  • user-login
  • user-create
  • endpoint-login
  • alert-created
  • http-request
  • application-error

outcome

• Identifies the result status of the event. The outcome indicates whether or not the activity had its intended effect.
• Field value optoins are success or failure
• Examples of things that may succeed or fail are: logon, installing an application, email send, dns resolve

vendor

• Identifies the owner of the product that recorded the event.
• In an email-send example, if the log data was streamed from the M365 logging service, the vendor can be identified as “microsoft”.

product

• Identifies the service or application that recorded the event. In an email-send example, if the vendor is identified as Microsoft, and the log data was streamed from the M365 logging service, the product can be identified as the “m365 audit log”.

technology_group

• Identifies an umbrella category for the platform. Examples include: cloud, endpoint, database, vpn
• An example use case for this field might be: We want to detect anomalies that are relevant to files in a cloud file-sharing application (such as exfiltration from the cloud), but do not want to include data about files on an endpoint. Using the type and technology_group context elements, we can target activities that happen to a file entity (type field) in a cloud file-sharing application (technology_group field).

environment

• The development environment that the event has come from
• Examples values might include: "Production", "Staging" or "Test"

schema_version

• The version of the Secure60 schema that is being used. As schema changes Secure60 will handle new schemas dynamically. Current Version: 1.0

timestamp

• The time (in UTC) that the Event was generated on the source infrastructure
• Example: 13/08/2023 03:05:15
• If this field is missing the timestamp is automatically added at the ingest layer
  • A field called “event_timestamp_fixedbys60” with value “true” is also added

source_

• This referes to the source of Event information (name of log source and can include hosts and other characteristics that are available)
• source_name - The name of the log source eg. “windows_logs” or application123_logs
• source_host - The server or host that is sending the logs. eg. host1.internal
• source_type - The type of service that is sending this data. eg syslog or gcp-audit-log
• source_severity - Severity level of the Event eg. info or "error

http_

• This refers to any information related to an HTTP request
• http_status_code - The HTTP status code of the event.
• http_uri - The full URI of the request (includes path and query string).
• http_domain - The domain name.
• http_host - The server name where the source data has come from.
• http_method - The HTTP Method used.
• http_protocol - The HTTP Protocol used.
• http_useragent - The browser user agent.
• http_request_time - Request timing.
• http_body_bytes_sent
• http_request_length
• http_bytes_sent
• http_server_name
• http_referer
• http_x_forwarded_for

ip_

• This refers to any information related to IP addresses
• ip_src_address
• ip_src_port
• ip_dst_address
• ip_dst_port
• ip_proxy_address
• ip_client_address - The IP address of the system that connected to the device/application (not necessarily the browser or original source of the request)
  • Automatically added:
  • GEO IP / ASN: When field ip_src_address is provided and is valid the following IP Address location information will be added to the Event
    • ip_geo_autonomous_system_number - 12345
    • ip_geo_autonomous_system_organization - NetworkOperator
    • ip_geo_city_name - Sydney
    • ip_geo_continent_code - OC
    • ip_geo_country_code - AU
    • ip_geo_country_name - Australia
    • ip_geo_latitude: -33.8715
    • ip_geo_longitude: 151.2006
    • ip_geo_postal_code - 2000
    • ip_geo_region_code - NSW
    • ip_geo_region_name - New South Wales
    • ip_geo_timezone - Australia/Sydney
    • ip_src_address - 1.2.3.4

network_

• This refers to all unclassified network traffic and protocols
• network_protocol
• network_src_mac
• network_dst_mac
• network_bytes

host_

• This refers to any information related to a server host
• host_name - The name of the server
• host_os - The OS of the server
• host_os_version - The OS version of the server

data_

• This refers to information around data or information
• data_risk_score
• data_sensitive_information

event_

• This refers to information related to various events that may happen in systems
• event_description
• event_result

app_

• `This refers to information from a specific application
• `Standards:
  • app_event - A message from an application in relation to an event that has happened
  • app_name - Name of the application

auth_

• This refers to any information related to a user authentication process
• auth_username - the username of the login attempt
• auth_domain - the domain of the login attempt
• auth_response - the response (success or fail) of the login
• auth_uri - the uri involved in the login attempt
• auth_message - any error or status message associated with the event
• auth_application - The application involved in the login: eg. ssh, Secure60, win:local, signin.amazonaws.com

user_

• This refers to information related to users
• user_name - The text string that desribes the user (Eg “John Doe”)
• user_id -The actual string or identifier that a user is logging in with (Eg “john.doe”)
• user_role - The role of the user

error_

• This refers to all error related information
• error_message - The actual error message from the server
• error_severity - the severity level of the error (eg WARN)
• error_code - Any error related identifying status code
• error_id - Any unique ID that specifically identifies this individual event error

agent_

• This refers to information about the agent sending information to Secure60
• agent_version

file_

• This refers to information around file based changes
• file_name - The name of the file
• file_path - The path on the filesystem of the file
• file_ext - The file extension

email

• This refers to information around email based Events
• email_sasl_method - SASL method
• email_sasl_username - SASL user
• email_sender - Email of sender
• email_recipient - Email of recpient
• email_recipient_count - Count of recipient
• email_encryption_protocol
• email_encryption_cipher
• email_encryption_keysize

process_

• A process is an endpoint structure that represents an instance of a program that was executed and is now running.
• process_name
• process_id
• process_path

alert_

• Information related to an alert entity
• alert_severity - “low”, “medium” or “high”
• alert_severity_id - A number associated with severity
• alert_type
• alert_priority
• alert_description
• alert_id
• alert_link
• alert_category

message_

• Many Event sources include a text message, this is the general location for these (Eg. Error logs, updates or any other source)
• message_text - A message from a system that hasnt been parsed into other fields

syslog_

• Catch all for syslog messages that may be useful and not mapped to above fields
• syslog_severity
• syslog_facility

Reserved names

We reserve any field name starting with underscore _ as an internal Secure60 fieldname. Some usage of this includes:

• _project_id - Project ID of the record
• _timestamp - the time the item was created
• _id - unique ID of the event
• _processed_time: The time when Secure60 ingest processed the event (added to every event)