7 Security-Monitoring: Remediation Open API Specification
7.1.1 Remediation API Core
This document describes the interface exposed by the Remediation Application and the adapters it uses.
The remediation application allows a security operator to list all the attack paths present in a system, select one, and remediate it. More details about this process can be found in FIWARE.OpenSpecification.Security.SecurityMonitoring#Remediation. The REST API offers the same functionality without going through the web UI.
7.1.2 Intended Audience
This document is addressed to both software architects and developers, and to the operators of the Remediation Application.
This version of the MulVAL Attack Path API Guide replaces and obsoletes all previous versions. The most recent changes are described in the table below:
Revision Date | Changes Summary
------------- | ---------------
April, 2013   |
Throughout the document, some special notations are applied to differentiate certain words or concepts. The following list summarizes these notations:
7.1.5 Additional Resources
7.2 General Remediation API Information
To interact with the remediation application without the web UI, a REST API has also been created. The features it provides are described below.
7.2.1 Load topological data from the CMDB and generate the attack graph
This function loads the topology from the CMDB, generates the attack graph and computes the attack paths. It must complete successfully before any of the functions below is called, since they all depend on the data it produces.
- URL: /attack_paths/initialize
- Return format: HTTP code 200 if the loading has been successful; otherwise the errors are returned.
7.2.2 Get the attack graph
Function used to get the whole attack graph.
- URL: /attack_paths/attack_graph/
- Return format: XML: the attack graph in MulVAL output format.
7.2.3 List all attack paths
Function used to get a list of all the attack paths.
7.2.4 Get the attack path {id}
Function used to get a chosen attack path.
- URL: /attack_paths/{id}/
- Return format: XML: a ranked attack path.
7.2.5 Get the remediations for attack path {id}
Function used to get the remediations for a chosen attack path.
- URL: /attack_paths/{id}/remediations
- Return format: XML: the possible remediations for attack path {id}, sorted by estimated cost.
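The procedure above (initialize first, then read the graph, a path and its remediations) as a small client, written as an added example for this page; it is not code from the FIWARE Remediation Application. The host name in BASE_URL, the element and attribute names in the XML bodies, and the sample responses served by fake_fetch are all assumptions constructed for the example, since the page only names the URLs and says the bodies are XML. The client enforces the ordering constraint the page states, treats the response bodies as untrusted input, and refuses an {id} that is not a plain non-negative integer so the value cannot rewrite the request path.

```python
import urllib.request
import xml.etree.ElementTree as ET

BASE_URL = "http://remediation.example.org:8080"  # assumed host; the page gives none


class RemediationError(RuntimeError):
    """Non-200 answer or unparsable XML from the service."""


def http_fetch(url):
    """Real transport: GET url, return (status, body). The demo swaps it for fake_fetch."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.status, resp.read()


class RemediationClient:
    def __init__(self, base_url=BASE_URL, fetch=http_fetch):
        self.base_url, self.fetch, self.initialized = base_url.rstrip("/"), fetch, False

    def _get(self, path):
        status, body = self.fetch(self.base_url + path)
        if status != 200:  # initialize reports its errors this way; surface them
            raise RemediationError(f"GET {path} -> HTTP {status}: {body.decode(errors='replace')}")
        return body

    def _xml(self, path):
        # ElementTree does not fetch external entities, but the body is still
        # untrusted input: refuse anything that is not well-formed.
        try:
            return ET.fromstring(self._get(path))
        except ET.ParseError as exc:
            raise RemediationError(f"malformed XML from {path}: {exc}") from exc

    def _require_init(self):
        if not self.initialized:
            raise RemediationError("call initialize() before any other endpoint")

    @staticmethod
    def _check_id(path_id):
        # {id} is interpolated into the URL path: accept only a non-negative
        # integer so a value such as "../" or "0/remediations" cannot change the route.
        if isinstance(path_id, bool) or not isinstance(path_id, int) or path_id < 0:
            raise ValueError(f"attack path id must be a non-negative int, got {path_id!r}")
        return path_id

    def initialize(self):
        """GET /attack_paths/initialize: load the CMDB topology and build the graph."""
        self._get("/attack_paths/initialize")
        self.initialized = True
        return True

    def attack_graph(self):
        """GET /attack_paths/attack_graph/: the whole graph, parsed."""
        self._require_init()
        return self._xml("/attack_paths/attack_graph/")

    def attack_path(self, path_id):
        """GET /attack_paths/{id}/: one ranked attack path, parsed."""
        self._require_init()
        return self._xml(f"/attack_paths/{self._check_id(path_id)}/")

    def remediations(self, path_id):
        """GET /attack_paths/{id}/remediations as [(cost, description)], cheapest first.
        The page says the server sorts by estimated cost; sort locally rather than
        trusting the order of a remote response."""
        self._require_init()
        root = self._xml(f"/attack_paths/{self._check_id(path_id)}/remediations")
        items = [(float(r.get("cost", "inf")), (r.findtext("description") or "").strip())
                 for r in root.iter("remediation")]
        return sorted(items, key=lambda item: item[0])


# Constructed sample responses. Element and attribute names are assumed; the
# page does not show the real MulVAL XML.
FAKE_RESPONSES = {
    "/attack_paths/initialize": (200, b"OK"),
    "/attack_paths/attack_graph/": (200, b"<attack_graph><vertex id='1'/><vertex id='2'/></attack_graph>"),
    "/attack_paths/0/": (200, b"<attack_path id='0' score='0.82'><vertex id='1'/><vertex id='2'/></attack_path>"),
    "/attack_paths/0/remediations": (200, (
        b"<remediations>"
        b"<remediation cost='7.0'><description>Add firewall rule</description></remediation>"
        b"<remediation cost='2.5'><description>Patch host B</description></remediation>"
        b"</remediations>")),
}


def fake_fetch(url):
    """Offline transport serving FAKE_RESPONSES instead of doing HTTP."""
    return FAKE_RESPONSES.get(url[len(BASE_URL):], (404, b"not found"))


def walk_through(fetch=fake_fetch):
    """Run the whole procedure once in the required order; return what each step gave."""
    client = RemediationClient(BASE_URL, fetch=fetch)
    client.initialize()
    graph = client.attack_graph()
    path = client.attack_path(0)
    return {"graph_vertices": len(list(graph.iter("vertex"))),
            "path_score": path.get("score"),
            "remediations": client.remediations(0)}


if __name__ == "__main__":
    print(walk_through())
```

To run it against a real deployment, construct RemediationClient with the actual base URL and leave the default http_fetch transport in place; only the element names used in remediations() would need adjusting once the real MulVAL output format is known.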
8 Security-Monitoring: Service Level SIEM Open API Specification
8.1 Introduction to the Service Level SIEM Open Specifications
Please check the Legal Notice to understand the rights to use FI-WARE Open Specifications.
A Security Information and Event Management (SIEM) solution provides real-time analysis of security events: it aggregates data from many sources and consolidates and correlates the monitored data to generate reports and alerts. OSSIM (Open Source Security Information Management, http://www.ossim.net), developed and maintained by AlienVault (http://www.alienvault.com), is one of the most widely used open source SIEMs. The Service Level SIEM (SLS) component included in the Security Monitoring GE is built on top of the open source OSSIM SIEM v4.0. To overcome OSSIM's performance limitations, to process more complex rules and to correlate events at different layers, the Service Level SIEM integrates the OSSIM core engine so that the events it has already normalized are forwarded to a Storm cluster, where several processes included in a running topology correlate them in a parallel and distributed manner. The following picture summarizes the Service Level SIEM architecture:
Service Level SIEM Architecture
This page describes the Service Level SIEM specifications: the collection functionality (collection methods and plugins) inherited from OSSIM and the processes included in the Storm topology that make the high-performance correlation engine possible.
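A toy model of the correlation stage just described: normalized events leave the collector and are spread over parallel correlation workers by a grouping key, the way a Storm fields grouping routes tuples, so each worker holds state only for the sources assigned to it and needs nothing from its siblings. This is an added illustration, not code from the FIWARE Service Level SIEM, OSSIM or Storm; the event fields, the brute-force rule, the threshold and window values, and the sample event stream are all constructed for the example.

```python
import zlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """A normalized event, in the spirit of OSSIM plugin output (field names assumed)."""
    ts: int        # seconds since epoch
    plugin: str    # collector plugin that produced it, e.g. "ssh"
    sid: str       # plugin sub-id: "auth_fail" or "auth_ok"
    src_ip: str
    dst_ip: str


class BruteForceWorker:
    """One correlation process (think: one bolt instance). It only receives
    events whose src_ip is routed to it, so its state is per-source and
    never has to be shared with the other workers."""
    THRESHOLD = 3   # this many failed logins ...
    WINDOW = 60     # ... within this many seconds, then a success -> alert

    def __init__(self):
        self.failures = defaultdict(list)   # src_ip -> timestamps of failures
        self.alerts = []                    # (src_ip, dst_ip, failures_seen)

    def process(self, ev):
        if ev.plugin != "ssh":              # this rule only looks at ssh events
            return
        recent = [t for t in self.failures[ev.src_ip] if ev.ts - t <= self.WINDOW]
        if ev.sid == "auth_fail":
            recent.append(ev.ts)
            self.failures[ev.src_ip] = recent
        elif ev.sid == "auth_ok":
            if len(recent) >= self.THRESHOLD:
                self.alerts.append((ev.src_ip, ev.dst_ip, len(recent)))
            self.failures[ev.src_ip] = []   # a success closes the sequence


def field_grouping(key, n_workers):
    """Deterministic partitioning of a key onto a worker, like a fields grouping."""
    return zlib.crc32(key.encode()) % n_workers


def run_topology(events, n_workers=2):
    """Spout -> grouping on src_ip -> n_workers correlation workers; collect alerts."""
    workers = [BruteForceWorker() for _ in range(n_workers)]
    for ev in sorted(events, key=lambda e: e.ts):
        workers[field_grouping(ev.src_ip, n_workers)].process(ev)
    return sorted(alert for w in workers for alert in w.alerts)


# Constructed sample stream: 10.0.0.5 succeeds after three failures inside the
# window, 10.0.0.9 fails only twice, 10.0.0.7 succeeds long after its failures.
SAMPLE_EVENTS = [
    Event(0, "ssh", "auth_fail", "10.0.0.5", "10.0.1.20"),
    Event(10, "ssh", "auth_fail", "10.0.0.5", "10.0.1.20"),
    Event(20, "ssh", "auth_fail", "10.0.0.5", "10.0.1.20"),
    Event(30, "ssh", "auth_ok", "10.0.0.5", "10.0.1.20"),
    Event(5, "ssh", "auth_fail", "10.0.0.9", "10.0.1.20"),
    Event(15, "ssh", "auth_fail", "10.0.0.9", "10.0.1.20"),
    Event(25, "ssh", "auth_ok", "10.0.0.9", "10.0.1.20"),
    Event(0, "ssh", "auth_fail", "10.0.0.7", "10.0.1.21"),
    Event(10, "ssh", "auth_fail", "10.0.0.7", "10.0.1.21"),
    Event(20, "ssh", "auth_fail", "10.0.0.7", "10.0.1.21"),
    Event(100, "ssh", "auth_ok", "10.0.0.7", "10.0.1.21"),
    Event(12, "apache", "http_500", "10.0.0.5", "10.0.1.20"),   # ignored by this rule
]

if __name__ == "__main__":
    for src, dst, n in run_topology(SAMPLE_EVENTS):
        print(f"ALERT ssh brute force succeeded: {src} -> {dst} after {n} failures")
```

The point of grouping on src_ip is that the result does not depend on how many workers run: a rule whose state is keyed by the same field as the grouping can be scaled out without any cross-worker coordination, which is what makes the parallel correlation possible. A rule that correlates across different keys (for example src_ip in one event and dst_ip in another) would need a different grouping or a second stage.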
8.1.2 Intended Audience
This specification is addressed to both software developers and service providers that need advanced monitoring features in their environments.
The Security Monitoring GE will include a Service Level SIEM component based on the open source OSSIM SIEM (Security Information and Event management) that will overcome its limitations with a high performance correlation engine.
The most recent changes are described in the table below:
Revision Date  | Changes Summary
-------------- | ---------------
April 2012     |
September 2012 |
April 2013     |
8.1.4 How to Read This Document
The following list summarizes these special notations.
- A bold, mono-spaced font is used to represent code or logical entities, e.g., HTTP methods (GET, PUT, POST, DELETE).
- An italic font is used to represent document titles or some other kind of special text, e.g., URI.
- Variables are represented between curly brackets, e.g. {id}, and in italic font. Wherever the reader finds one, it can be replaced by any value.
For a description of some terms used along this document, see the Architecture Description document.
8.1.5 Additional Resources
Additional information about OSSIM SIEM open source solution can be found on the official OSSIM - AlienVault Technical Documentation Web Page:
http://communities.alienvault.com/community/documentation.html
Additional information about Storm, a distributed and fault-tolerant realtime computation system, can be found on: http://storm-project.net/
Additional information about how to create your own complex rules and plugins to detect attacks can be found in Service Level SIEM User and Programmers Guide.