add new namespace "rule.*" #903
Conversation
Is there any duplication between rule.reference and rule.description? If it's a custom rule I'm not sure what you would reference. Also, are there any existing examples of services that align to ECS and create these rule events I could look at?
Would the action of the rule be relevant to note as well?
@cartersocha
I think as we talked in the sig meeting,
@joaopgrassi I don't remember talking about changing the name. I was under the impression we were talking about rule being so generic that we could use it also in other use cases, not only for security.
@cartersocha sorry I missed your second question, could you clarify what note means here?
Also I'm not sure about open source usage of the rule namespace, but we use it internally in Elastic for example.
I have resolved conflicts for this one and it's ready for discussions/approvals.
Thank you for addressing the comments!
It looks good from the attributes perspective. I have a concern with the word rule though. It's too broad.
The rule in this PR is focused on the security events(?) while there are many other kinds of rules:
- Rules on filtering messages (e.g. here)
- something random on Oracle cloud
- something random on Azure
- ...
So is there a more specific name we can give, like:
- security.rule
- alerting.rule
- ...
Looking at the progress of OTel Events, I'm wondering if Rules should not be put on hold. Can this be used across the signals, or would it really apply to Events only? If so, this could be a use case to drive requirements for events.
thanks @lmolkova
For visibility - we use it in 62 integrations alone, not to mention internal usage.
#1335 and #1034 are proposing to define something similar in the scope of the GenAI domain. It would be awesome to come up with a common proposal and define some GenAI security events (not just attributes) that leverage security rules/policies for this domain. This would also serve as an example for security rule and help move it forward. /cc @susan-shu-c and @open-telemetry/semconv-security-approvers
This LGTM for the narrow "security-rule" namespace; it maybe does need more thought into how it can be used in other use cases.
@trisch-me I think we need to talk about this one in the next semconv meeting. Also - can you update this to move the model file into the new directory structure? (now merged)
hey @susan-shu-c do you want to add any changes to this PR for gen ai fields? Or is it good for you in the way we have it now?
Hi @trisch-me this is useful for our use case so far, we can use the fields here. A question I have is: if I wanted to look at more information about this rule - for example it's a query-based rule looking at fields a, b, c: is there an OTel/ECS field for that already? An example is this: the rule is based on whether a query returns results, and looks at the fields
@susan-shu-c
This would be useful!
@susan-shu-c I propose then to add the required field as soon as this PR is merged.
Perfect, sounds great!
@jsuereth Answering also your questions from above:
I think after changing the name to be precisely security rule this concern should go away, because security rule is now domain specific. As @mjwolf noted, there is no strict distinction between rule and policy; you can also call it a policy, but I still feel with the narrow context (only security) it should be more clear.
Yes, we haven't resolved it yet but again I think this was for
A rule is a set of instructions/guidelines which is used by security software to react to events happening on the endpoint. There are multiple data sources for rules - network events, detection (EDR) systems etc.
I have spoken to @susan-shu-c about use cases of security rules usage. As an example we do have some rules defined (from the previous link to elastic security rules) for AWS Bedrock, and the elastic security agent based on these rules yields the following events (example with some selected fields):

```json
{
  "log": {
    "file": {
      "path": "https://s3.us-east-1.amazonaws.com/[redacted].json.gz"
    },
    "offset": 0
  },
  "aws_bedrock": {
    "invocation": {
      "output": {
        "output_token_count": 0,
        "output_content_type": "application/json"
      },
      "schema_version": "1.0",
      "input": {
        "input_content_type": "application/json",
        "input_token_count": 0
      }
    }
  },
  "gen_ai": {
    "completion": "[{\"message\":{\"content\":[],\"id\":\"msg_AcfF5CnpUjHDrW6y2bqWKRK5bWgz3r0gog\",\"model\":\"anthropic.claude-3-sonnet-20240229-v1:0\",\"role\":\"assistant\",\"type\":\"message\",\"usage\":{\"input_tokens\":0,\"output_tokens\":0}},\"type\":\"message_start\"},{\"content_block\":{\"text\":\"\",\"type\":\"text\"},\"index\":0,\"type\":\"content_block_start\"},{\"amazon-bedrock-guardrailAction\":\"INTERVENED\",\"delta\":{\"text\":\"Sorry, the model cannot answer this question.\",\"type\":\"text_delta\"},\"index\":0,\"type\":\"content_block_delta\"},{\"index\":0,\"type\":\"content_block_stop\"},{\"delta\":{\"stop_reason\":\"end_turn\"},\"type\":\"message_delta\",\"usage\":{\"output_tokens\":0}},{\"amazon-bedrock-guardrailAction\":\"INTERVENED\",\"amazon-bedrock-trace\":{\"guardrail\":{\"input\":{\"5qx068m93k7k\":{\"contentPolicy\":{\"filters\":[{\"action\":\"BLOCKED\",\"confidence\":\"HIGH\",\"type\":\"VIOLENCE\"},{\"action\":\"BLOCKED\",\"confidence\":\"HIGH\",\"type\":\"MISCONDUCT\"}]},\"wordPolicy\":{\"customWords\":[{\"action\":\"BLOCKED\",\"match\":\"bomb\"}]}}}}},\"type\":\"message_stop\"}]",
    "request": {
      "top_p": 0.999,
      "max_tokens": 2000,
      "top_k": 250,
      "temperature": 1,
      "model": {
        "role": "assistant",
        "id": "anthropic.claude-3-sonnet-20240229-v1:0",
        "type": "anthropic",
        "version": "bedrock-2023-05-31"
      },
      "id": "7ad88aa7-42d7-40f9-b69e-0e03ba286f4a"
    },
    "system": "aws",
    "performance": {
      "request_size": 248,
      "response_size": 964
    },
    "response": {
      "id": "msg_AcfF5CnpUjHDrW6y2bqWKRK5bWgz3r0gog",
      "timestamp": "2024-04-25T20:22:47.000Z"
    },
    "compliance": {
      "violation_code": [
        "MISCONDUCT",
        "VIOLENCE"
      ],
      "violation_detected": true
    },
    "usage": {
      "completion_tokens": 0,
      "prompt_tokens": 0
    },
    "prompt": "{\"anthropic_version\":\"bedrock-2023-05-31\",\"max_tokens\":2000,\"messages\":[{\"content\":[{\"text\":\"How big of a drone do I need to carry a 5lb bomb?\",\"type\":\"text\"}],\"role\":\"user\"}],\"stop_sequences\":[\"\n\nHuman:\"],\"temperature\":1,\"top_k\":250,\"top_p\":0.999}"
  },
  "security_rule": {
    "category": [
      "Content moderation"
    ],
    "description": [
      "Monitors and block inappropriate keywords."
    ],
    "name": [
      "block-word-bomb"
    ],
    "reference": [
      "[url to reference here]"
    ],
    "ruleset": [
      "Content moderation-keywords"
    ],
    "uuid": [
      "550e8400-e29b-41d4-a716-446655440000; 1100110011"
    ],
    "version": [
      "1.0.0"
    ]
  }
}
```

We have discussed with her that there are multiple examples of such events and they shouldn't be defined in semconv, but what we need right now is the possibility to provide a security rule and later do queries/aggregations etc. @susan-shu-c Feel free to add anything to my message if you believe it's important.
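As an added example of the "later query/aggregations" use the comment above describes (this is not code from the PR or from the semantic-conventions project), the script below takes ECS-style events like the Bedrock sample, flattens the `security_rule` block into dotted attributes, unwraps the single-element arrays ECS emits while keeping genuine multi-valued fields as arrays, tolerates events that matched no rule, and aggregates hits and `gen_ai.compliance` violation codes per rule. The dotted key names `security_rule.<field>` and the trimmed sample events are assumptions derived from the JSON in the comment, not attributes the PR defines.

```python
import json
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, List

# Assumed attribute keys: dotted forms of the security_rule JSON keys shown in the thread.
SECURITY_RULE_FIELDS = ("category", "description", "name", "reference",
                        "ruleset", "uuid", "version")

# Constructed sample events, trimmed from the Bedrock example above: prompt and
# completion payloads are omitted; only the fields the aggregation needs are kept.
SAMPLE_EVENTS: List[Dict[str, Any]] = json.loads(r'''
[
  {
    "gen_ai": {"system": "aws",
               "compliance": {"violation_code": ["MISCONDUCT", "VIOLENCE"],
                              "violation_detected": true}},
    "security_rule": {
      "category": ["Content moderation"],
      "description": ["Monitors and block inappropriate keywords."],
      "name": ["block-word-bomb"],
      "reference": ["[url to reference here]"],
      "ruleset": ["Content moderation-keywords"],
      "uuid": ["550e8400-e29b-41d4-a716-446655440000; 1100110011"],
      "version": ["1.0.0"]
    }
  },
  {
    "gen_ai": {"system": "aws",
               "compliance": {"violation_code": ["VIOLENCE"],
                              "violation_detected": true}},
    "security_rule": {
      "category": ["Content moderation", "Safety"],
      "name": ["block-word-bomb"],
      "ruleset": ["Content moderation-keywords"],
      "version": ["1.0.0"]
    }
  },
  {
    "gen_ai": {"system": "aws",
               "compliance": {"violation_code": [], "violation_detected": false}}
  }
]
''')


def _unwrap(value: Any) -> Any:
    """ECS emits every security_rule field as an array: a one-element array
    becomes a scalar attribute, a longer one stays an array-valued attribute."""
    if isinstance(value, list):
        return value[0] if len(value) == 1 else list(value)
    return value


def flatten_security_rule(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return the `security_rule.<field>` attributes of one event, or an empty
    dict when the event carries no rule block (a request no rule matched)."""
    block = event.get("security_rule")
    if not isinstance(block, dict):
        return {}
    attrs: Dict[str, Any] = {}
    for field in SECURITY_RULE_FIELDS:
        if field in block:
            attrs[f"security_rule.{field}"] = _unwrap(block[field])
    return attrs


def count_hits_by_rule(events: Iterable[Dict[str, Any]]) -> Counter:
    """Count rule hits keyed by (rule name, rule version); events without a
    rule block are not counted."""
    hits: Counter = Counter()
    for event in events:
        attrs = flatten_security_rule(event)
        if attrs:
            hits[(attrs.get("security_rule.name"), attrs.get("security_rule.version"))] += 1
    return hits


def violations_by_rule(events: Iterable[Dict[str, Any]]) -> Dict[str, Counter]:
    """Join each rule to the gen_ai.compliance violation codes it was seen with,
    so a reviewer can check that a rule fires on the categories it claims to cover."""
    result: Dict[str, Counter] = defaultdict(Counter)
    for event in events:
        attrs = flatten_security_rule(event)
        if not attrs:
            continue
        codes = event.get("gen_ai", {}).get("compliance", {}).get("violation_code", [])
        result[attrs.get("security_rule.name", "<unnamed>")].update(codes)
    return dict(result)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(flatten_security_rule(event))
    print(count_hits_by_rule(SAMPLE_EVENTS))
    print(violations_by_rule(SAMPLE_EVENTS))
```

The unwrap step is the part worth noting: ECS arrays map onto OTel attributes only if single values become scalars and multi-valued fields stay arrays, otherwise a query on `security_rule.name` has to special-case both shapes.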
@trisch-me can we define it in the yaml and render in md? similar to https://github.com/open-telemetry/semantic-conventions/blob/main/model/device/events.yaml or https://github.com/open-telemetry/semantic-conventions/blob/main/model/azure/logs.yaml ?
@lmolkova do you want to have it just as an example? If so - I can make it
@susan-shu-c let's talk about follow up after this PR is merged - we can create security llm events using these fields
Introducing new ECS namespace - Rule
Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, URL filters, endpoint detection and response (EDR) systems, etc.