Contract No.: 285248 Strategic Objective


Security-Monitoring: Remediation Open API Specification



Date: 28.01.2017

7 Security-Monitoring: Remediation Open API Specification

7.1 Introduction to the Remediation API

7.1.1 Remediation API Core

This document describes the available interface and presents the adapters used by the Remediation Application.

The remediation application allows a security operator to list all the attack paths present in a system, select one of them and remediate it. More details about this process can be found in FIWARE.OpenSpecification.Security.SecurityMonitoring#Remediation. The REST API offers the same functionality without going through the web UI.


7.1.2 Intended Audience

This document is addressed to both software architects and developers, and to the operators of the Remediation Application.

7.1.3 API Change History

This version of the Mulval Attack Path API Guide replaces and obsoletes all previous versions. The most recent changes are described in the table below:

Revision Date    Changes Summary
April, 2013      V1.0, first release

7.1.4 How to Read This Document

Throughout this document, special notations are applied to differentiate certain words or concepts. The following list summarizes these notations:

7.1.5 Additional Resources

7.2 General Remediation API Information

A REST API has also been created to interact with the remediation application. The features provided by this API are described below.

7.2.1 Load topological data from the CMDB and generate the attack graph

This function loads the attack graph and attack path information. It must complete successfully before any of the functions below are called.

  • URL: /attack_paths/initialize

  • Return format: HTTP code 200 if the loading succeeded; otherwise the errors are returned

7.2.2 Get the attack graph

Function used to get the whole attack graph.

  • URL: /attack_paths/attack_graph/

  • Return format: XML: the attack graph in MulVAL output format

7.2.3 List all attack paths

Function used to get the list of all attack paths.

7.2.4 Get the attack path {id}

Function used to get a chosen attack path.

  • URL: /attack_paths/{id}/

  • Return format: XML: a ranked attack path in XML

7.2.5 Get the remediations for attack path {id}

Function used to get the remediations for a chosen attack path.

  • URL: /attack_paths/{id}/remediations

  • Return format: XML: the possible remediations for attack path {id}, sorted by estimated cost
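The call sequence described in sections 7.2.1 to 7.2.5, as an added client example that is not part of the FI-WARE specification or the Remediation Application's own code. It enforces the documented ordering (the initialize call must return HTTP 200 before any other endpoint is used) and surfaces the error body on non-200 responses. The transport is injectable, so the example runs offline against a constructed fake server; the base URL, the listing URL /attack_paths/ (which the specification leaves blank), the XML element names and all sample payloads are assumptions.

```python
"""Minimal client for the Remediation REST API (added example, not project code)."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# Transport signature: (method, url) -> (http_status, body_text).
# A real deployment would wrap urllib/requests here; the demo injects a fake.
Transport = Callable[[str, str], Tuple[int, str]]


class RemediationClient:
    def __init__(self, base_url: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.initialized = False

    def _get(self, path: str) -> str:
        status, body = self.transport("GET", self.base_url + path)
        if status != 200:
            # The API returns its errors in the body when the code is not 200.
            raise RuntimeError(f"{path} failed with HTTP {status}: {body}")
        return body

    def initialize(self) -> None:
        """7.2.1: load topology from the CMDB and build the attack graph. Must run first."""
        self._get("/attack_paths/initialize")
        self.initialized = True

    def _require_init(self) -> None:
        if not self.initialized:
            raise RuntimeError("call initialize() before any other attack-path function")

    def attack_graph(self) -> ET.Element:
        """7.2.2: whole attack graph (MulVAL XML output)."""
        self._require_init()
        return ET.fromstring(self._get("/attack_paths/attack_graph/"))

    def list_attack_paths(self) -> List[int]:
        """7.2.3: ids of all attack paths. URL and XML shape are assumptions."""
        self._require_init()
        root = ET.fromstring(self._get("/attack_paths/"))
        return [int(p.get("id")) for p in root.findall("attack_path")]

    def attack_path(self, path_id: int) -> ET.Element:
        """7.2.4: one ranked attack path."""
        self._require_init()
        return ET.fromstring(self._get(f"/attack_paths/{path_id}/"))

    def remediations(self, path_id: int) -> List[Dict]:
        """7.2.5: remediations for one path, in the order the server returns them."""
        self._require_init()
        root = ET.fromstring(self._get(f"/attack_paths/{path_id}/remediations"))
        return [{"action": r.findtext("action"), "cost": float(r.findtext("cost"))}
                for r in root.findall("remediation")]


# --- Constructed fake server: sample XML only, element names are assumptions ---
_FAKE_BASE = "http://remediation.example"
_FAKE_PAGES = {
    "/attack_paths/": '<attack_paths><attack_path id="1"/><attack_path id="2"/></attack_paths>',
    "/attack_paths/attack_graph/": '<attack_graph><vertex id="1">execCode(webServer,root)</vertex></attack_graph>',
    "/attack_paths/1/": '<attack_path id="1" score="0.8"><vertex id="1"/></attack_path>',
    "/attack_paths/1/remediations": (
        "<remediations>"
        "<remediation><action>apply vendor patch on webServer</action><cost>10</cost></remediation>"
        "<remediation><action>add firewall rule internet-&gt;webServer</action><cost>25</cost></remediation>"
        "</remediations>"),
}


def make_fake_transport() -> Transport:
    """Stateful fake: every endpoint fails with 500 until initialize has been called."""
    state = {"loaded": False}

    def transport(method: str, url: str) -> Tuple[int, str]:
        path = url[len(_FAKE_BASE):]
        if path == "/attack_paths/initialize":
            state["loaded"] = True
            return 200, ""
        if not state["loaded"]:
            return 500, "attack graph not loaded: call /attack_paths/initialize first"
        if path in _FAKE_PAGES:
            return 200, _FAKE_PAGES[path]
        return 404, "unknown path"

    return transport


def cheapest_remediation(client: RemediationClient, path_id: int) -> Dict:
    """Pick the lowest-cost remediation; re-sort locally rather than trusting server order."""
    rems = client.remediations(path_id)
    if not rems:
        raise ValueError(f"no remediation available for attack path {path_id}")
    return min(rems, key=lambda r: r["cost"])


def run_demo() -> Dict:
    client = RemediationClient(_FAKE_BASE, make_fake_transport())
    client.initialize()
    ids = client.list_attack_paths()
    return {"paths": ids, "cheapest_for_first": cheapest_remediation(client, ids[0])}


if __name__ == "__main__":
    print(run_demo())
```

Re-sorting the remediations by cost on the client side is deliberate: the specification says the server sorts by estimated cost, but an operator tool should not silently depend on that ordering when choosing what to apply.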

8 Security-Monitoring: Service Level SIEM Open API Specification

8.1 Introduction to the Service Level SIEM Open Specifications


Please check the Legal Notice to understand the rights to use FI-WARE Open Specifications.

8.1.1 Service Level SIEM API Core

A Security Information and Event Management (SIEM) solution is a technology that provides real-time analysis of security events, aggregating data from many sources and providing the ability to consolidate and correlate monitored data to generate reports and alerts. OSSIM (Open Source Security Information Management - http://www.ossim.net), developed and maintained by AlienVault (http://www.alientvault.com), is one of the most widely used open source SIEMs. The Service Level SIEM (SLS) component included in the Security Monitoring GE is built on top of the open source OSSIM SIEM v4.0. To overcome its performance limitations, to allow the processing of more complex rules and to correlate events at different layers, the Service Level SIEM integrates the OSSIM core engine so that the already normalized events are sent to a Storm cluster, where several processes included in a running topology correlate them in a parallel and distributed manner. The following picture summarizes the Service Level SIEM architecture:

[Figure: Service Level SIEM Architecture]

This page describes the Service Level SIEM specifications: the collection functionality (collection methods and plugins) inherited from OSSIM, and the processes included in the Storm topology that make the high-performance correlation engine possible.


8.1.2 Intended Audience

This specification is addressed to both software developers and service providers that need advanced monitoring features in their environments.

The Security Monitoring GE will include a Service Level SIEM component based on the open source OSSIM SIEM (Security Information and Event Management) that overcomes its limitations with a high-performance correlation engine.


8.1.3 API Change History

The most recent changes are described in the table below:

Revision Date     Changes Summary
April 2012        Initial version
September 2012    Reviewed initial version
April 2013        Second version

8.1.4 How to Read This Document

The following list summarizes the special notations used in this document.

  • A bold, mono-spaced font is used to represent code or logical entities, e.g., HTTP methods (GET, PUT, POST, DELETE).

  • An italic font is used to represent document titles or some other kind of special text, e.g., URI.

  • Variables are represented between curly brackets, e.g. {id}, and in italic font. Wherever the reader finds one, it may be replaced by any value.

For a description of some terms used throughout this document, see the Architecture Description document.

8.1.5 Additional Resources

Additional information about the OSSIM SIEM open source solution can be found on the official OSSIM - AlienVault Technical Documentation web page:

http://communities.alienvault.com/community/documentation.html

Additional information about Storm, a distributed and fault-tolerant real-time computation system, can be found at: http://storm-project.net/

Additional information about how to create your own complex rules and plugins to detect attacks can be found in the Service Level SIEM User and Programmers Guide.


