L1 Indicators and Warnings

Introduction to L1 Indicators and Warnings

The Indicators and Warnings packages support the Level 1 Object Refinement (in Activate terms, Level 1 Indicators and Warnings). At this level, we focus on device-specific information that is independent of the environment in which they are deployed. This is a fundamental level where we are concerned with understanding the basic meaning of an event, without regard to any feature or specifics of the network surrounding it.

Package Type Detail

Package Type Name: Indicators and Warnings Packages

Package Type Prefix: "L1"

Content for L1 Activate packages consume indicators from multiple and/or different event sources and normalizes this information to assure consistency within the Activate Framework. This content also can enrich events with device specific data.

Package Directory

Creating a new package

Here is a form to use to create new package topics under Core Packages. In the box, name your package as a wikiword. It must start with either "L1". The form will create a child page according to our template, which will then appear in the tree above. Please use this box to create new packages; any other topic creation method will bypass the template.

New Package Topic Name:

Here are some brief descriptions of the packages currently defined for L1 Indicators and Warnings.

L1 Application Monitoring

L1 Application Monitoring DNS Services

The [L1 Application Monitoring DNS Services] package has been developed to detect DNS service activity (not just DNS requests), that are suspicious and or malicious in nature.

L1 Application Monitoring Web Applications

L1 Application Monitoring Web Applications some high level stuff here

L1 Application Monitoring Web Services

L1 ApplicationMonitoringWebServices package has been developed to identify anomalies and suspicious requests that are recorded in web server logs. It also can provide indicators and warnings of potential security incidents for L1 Application Web Application package.

L1 APT10 Cloud Hopper Monitoring

L1APT10CloudHopperMonitoring package is intended to provide content that identify AP10 Cloud Hopper threat.

L1 Data Security Monitoring

L1DataSecurityMonitoring. This page lists the package that handle data security monitoring issues such as data encryption or Data Loss Prevention (DLP).

L1DataSecurityEncryption. This page lists the package that provides resources to track the cryptography and policy management events.

L1 Host Monitoring

L1HostMonitoring package is designed to monitor and track system service and host accounts for events which may have a security and/or operational significance.

L1 Infrastructure Monitoring

L1InfrastructureMonitoring. This package so far focuses on swipe card activity, motion, alarm, and camera systems.

L1 Malware Monitoring

L1MalwareMonitoring package is intended to provide both simple indicators of potential malware incidents as well as a frame work to support L2 Malware content and additional development. Since Malware is a constantly moving target the intent is for the package to be as dynamic as possible.

L1 Malware Monitoring Email

L1MalwareMonitoringEmail is intended to provide both simple indicators of potential Email Malware incidents as well as a frame work to support L2 Malware Monitoring Email content and additional development.

L1 Operating System

L1OperatingSystem. This package provides resources, such as active lists and session lists to other packages. This package is obsolete and has been replaced by the L1HostMonitoring package and the L1EntityMonitoring package.

L1 Perimeter and Network Monitoring

L1PerimeterAndNetworkMonitoring provides a view on IDS and attempt events on the network.

L1 Network Monitoring

L1NetworkMonitoring provides a view on IDS and attempt events on the network.

L1 Perimeter Monitoring

L1PerimeterMonitoring provides a view on IDS and attempt events on the perimeter.

L1 Threat Intelligence

L1ThreatIntelligence. This warnings and indicators package populates, displays and monitors the Threat Model. The Threat Model is used to detect and contextualize potential malicious activiity based on intelligence derived from a site-specific mix of threat intelligence sources.

L1 Entity Monitoring

L1EntityMonitoring. This package helps to track the user account management and anomalies across the organization.

L1 Physical Security Monitoring

L1PhysicalSecurity some highlevel stuff here

L1 WannaCry Ransomware Monitoring

L1WannaCryRansomwareMonitoring content is posted here.
Topic revision: r17 - 14 Jun 2018, YunPeng


Activate Wiki

This site is powered by FoswikiCopyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback