1 SRS-001
As a system admin user, I want to deploy and maintain a central subsystem, called command-and-control (C&C), so that I can update user-exposed settings of subsystems tackling data collection, intrusion detection and prevention.
- Set up host for C&C server.
- Access as root.
- Deploy C&C components following:
- Configure components via respective software configuration management (SCM) mechanism.
Parent links: MRS-002
Child links: TST-020 Wazuh installation in a containerized environment
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 5 |
risk | 1 |
type | F |
rationale | To centralize and simplify IDPS components configuration management. |
version | 0.1 |
2 SRS-002
As a system admin user, I want to access the monitored end-point system via the IDPS-ESCAPE C&C server/unit, so that I can check the status of the end-point monitoring solutions deployed, if any.
- Access C&C server as root.
- Via CyFORT-Wazuh manager, list the enrolled agents and their status.
- If deployed, check C-CyFORT-Suricata and mirroring status.
- If any deployed, remote connect to endpoint and check local CyFORT-Suricata status.
Parent links: MRS-002
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 5 |
risk | 2 |
type | F |
rationale | To centralize and simplify agent/sensor configuration management. |
version | 0.1 |
3 SRS-003
As a sys admin user, I want to deploy HIDS agents on the monitored system's hosts so that I can enable the IDPS-ESCAPE HIDS capabilities.
- Access host to be monitored
- Install Wazuh Agent
- Enroll Wazuh Agent in CyFORT-Wazuh manager.
- Configure Wazuh Agent.
Parent links: MRS-005
Child links: TST-021 Wazuh agent installation and enrollment: the local machine
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 5 |
risk | 1 |
type | F |
rationale | To enable a multi-node deployment of monitored end-point hosts. |
version | 0.1 |
4 SRS-004
As a sys admin user, I want to enable/disable HIDS agents deployed on the monitored system's hosts.
- Access C&C server
- Enroll/unenroll Wazuh Agent from CyFORT-Wazuh manager
- Possibly, remove logs and config files.
Parent links: MRS-005
Child links: TST-023 Wazuh agent deletion and uninstallation, TST-024 Wazuh agent unenrollment
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 5 |
risk | 2 |
type | F |
rationale | To enable security posture monitoring of system hosts |
version | 0.1 |
5 SRS-005
As a sys admin user, I want to enable/disable network monitoring within IDPS-ESCAPE subsystem boundaries.
- Access C&C server
- Deploy C-CyFORT-Suricata
- Set up the channel for the connections to be monitored
- Possibly, add custom rules.
Parent links: MRS-006
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 4 |
risk | 2 |
type | F |
rationale | To enable traffic monitoring |
version | 0.1 |
6 SRS-006
As a sys admin user, I want a centralized NIDPS in the C&C server.
- Access C&C server
- Deploy C-CyFORT-Suricata
- Activate prevention in the config and set up the action behavior.
Parent links: MRS-007
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 2 |
urgency | 1 |
risk | 4 |
type | F |
rationale | To be able to take reactive corrective measures and mitigate intrusions |
version | 0.1 |
7 SRS-007
As a sys admin user, I want to capture and forward raw network traffic to the C&C server, to run NIDS on such traffic.
- Access C&C server.
- Deploy C-CyFORT-Suricata.
- Identify host capture interface (CI), C&C CI and IP.
- Run port mirroring activation script with above arguments.
Parent links: MRS-008
Child links: TST-026 Port mirroring for remote machines
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 5 |
risk | 2 |
type | F |
rationale | To collect events for threat hunting and CTI operations, reducing the NIDS overhead and to do customized AD. |
version | 0.1 |
8 SRS-008
As a sys admin user, I want to deploy NIDS components as a Docker container on the system's end-point hosts, to monitor traffic and store logs locally.
- Access end-point (EP) host.
- Deploy using custom script.
- Update the config file (.yml) with local configuration.
Parent links: MRS-009
Child links: TST-019 Suricata installation in a containerized environment
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 2 |
risk | 2 |
type | F |
rationale | To ensure the following properties: consistent and reproducible environments, isolation, resource efficiency, scalability, portability, fast spawning and shutdown, improved CI/CD, support of micro services architecture, improved dependency management. |
version | 0.1 |
9 SRS-009
As a sys admin user, I want to enable host intrusion detection via pattern matching with known/expected threats (signature-based HIDS).
- Access host to be monitored.
- Deploy Wazuh Agent (using the C&C manager IP).
- Enroll the agent.
- Set up local configs and logs.
- Possibly, define custom rules.
Parent links: MRS-011
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 5 |
risk | 1 |
type | F |
rationale | To build on the mature and existing rule-based detection and CTI body of knowledge and to mitigate low AD detection risk. |
version | 0.1 |
10 SRS-010
As SOC member user, I want to manage the HIDS and NIDS results and information jointly, to have a centralized overview of the system for threat detection, investigation, and response.
- Access C&C server
- Deploy CyFORT-Wazuh and HIDS agents
- Deploy (C-)CyFORT-Suricata
- Integrate CyFORT-Suricata and CyFORT-Wazuh using custom script and procedure
Parent links: MRS-012
Child links: TST-025 Suricata and Wazuh Integration
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 4 |
risk | 1 |
type | F |
version | 0.1 |
11 SRS-011
As SOC member, I want a graphic visualization of the network events detected in my system.
Assuming: CyFORT-Suricata integrated in CyFORT-Wazuh
- Access CyFORT-Wazuh Dashboard
- Filter security events generated by NIDS group rules
Parent links: MRS-013
Child links: TST-027 Traffic monitoring on Wazuh (local), TST-028 Traffic monitoring on Wazuh (remote), TST-032 Wazuh filters using the Wazuh Dashboard
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 3 |
risk | 1 |
type | F |
rationale | To improve accessibility and ease of use for IDPS-ESCAPE end-users |
version | 0.1 |
12 SRS-012
As SOC member, I want a graphic visualization of the host events detected in my system.
Assuming: CyFORT-Wazuh and HIDS agents deployed
- Access CyFORT-Wazuh Dashboard
- Filter security events generated by HIDS group rules
Parent links: MRS-013
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 3 |
risk | 1 |
type | F |
rationale | To improve accessibility and ease of use for IDPS-ESCAPE end-users |
version | 0.1 |
13 SRS-013
As SOC member, I want to check the status of HIDS agents.
Assuming: CyFORT-Wazuh and HIDS agents deployed and enrolled to C&C Manager
- Access CyFORT-Wazuh Dashboard.
- Look at the dedicated panel and click the agent ID for additional info.
Parent links: MRS-013
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 2 |
risk | 1 |
type | F |
rationale | To improve IDPS-ESCAPE status management for the end-users |
version | 0.1 |
14 SRS-014
As SOC member, I want detected events to be correctly decoded and transformed before usage and storage.
- Access C&C server
- Access CyFORT-Wazuh manager
- Run testing and verification of rules and decoders via CyFORT-Wazuh server API
Parent links: MRS-014
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 1 |
risk | 1 |
type | F |
rationale | To avoid errors and inaccuracy |
version | 0.1 |
15 SRS-015
As a user, I want my SIEM to interpret a new type of data forwarded by agents/sensors.
- Access C&C server
- Access CyFORT-Wazuh manager
- Add custom rules and custom decoders.
Parent links: MRS-014
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 2 |
urgency | 1 |
risk | 3 |
type | F |
rationale | To extend the detection capability of IDPS-ESCAPE and tailor the detection to my system |
version | 0.1 |
16 SRS-016
As an admin user, I want to modify a user's credentials for the data indexer, to improve the security level of the admin password.
- Access C&C server
- Access CyFORT-Wazuh manager
- Update the `config/wazuh_indexer/internal_users.yml` file.
Parent links: MRS-015
Child links: TST-029 Changing password for Wazuh indexer users, TST-030 Changing password for Wazuh API users
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 1 |
risk | 2 |
type | F/S |
rationale | Maintain/improve the security of IDPS-ESCAPE |
version | 0.1 |
17 SRS-017
As a user, I want to configure ADBox to fetch data from an indexer at a specific host address.
- Access C&C server
- Access ADBox
- Modify the IP address in `../siem_mtad_gat/assets/secrets/wazuh_credentials.json`
Parent links: MRS-015
Child links: TST-034 ADBox set up indexer host address
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 4 |
risk | 4 |
type | F |
rationale | To connect ADBox to a specific data source containing data of interest, possibly different from the default one |
version | 0.1 |
18 SRS-018
As a user, I want to modify the default hyperparameters of the ML methods used by ADBox.
- Access C&C server
- Access ADBox
- Modify values in `siem_mtad_gat/assets/default_configs/mtad_gat_train_config_default_args.json`
Parent links: MRS-015
Child links: LARC-012 ADBox ConfigManager
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 2 |
risk | 2 |
type | F |
rationale | To globally tune the ML algorithm to a specific system/scenario |
version | 0.1 |
19 SRS-019
As a user, I want to modify the datatype transformation map that ADBox applies to fetched data.
- Access C&C server
- Access ADBox
- Modify key values in `../siem_mtad_gat/assets/wazuh/wazuh_columns.json`
Parent links: MRS-015
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
urgency | 1 |
type | F |
rationale | To maintain the consistency with SIEM solution |
version | 0.1 |
20 SRS-020
As a user, I want to update the default fields fetched at ingestion phase by ADBox.
- Access C&C server
- Access ADBox
- Update keys and values in `../siem_mtad_gat/assets/wazuh/wazuh_columns.json`
Parent links: MRS-015
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
urgency | 1 |
type | F |
rationale | To maintain the consistency with SIEM solution, add custom feature |
version | 0.1 |
21 SRS-021
As a user, I want to update the default use case of ADBox.
- Access C&C server
- Access ADBox
- Modify `../siem_mtad_gat/assets/default_configs/default_detector_input_config.json`
Parent links: MRS-015
Child links: LARC-012 ADBox ConfigManager
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 3 |
risk | 1 |
type | F |
rationale | To adapt ADBox default behavior |
version | 0.1 |
22 SRS-022
As a user, I want to update indexer credentials in ADBox.
- Access C&C server
- Access ADBox
- Update CyFORT-Wazuh indexer credentials in `../siem_mtad_gat/assets/secrets/wazuh_credentials.json`
Parent links: MRS-015
Child links: TST-035 ADBox change indexer credentials
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 3 |
risk | 2 |
type | F |
rationale | To adapt to local configuration |
version | 0.1 |
23 SRS-023
As a user, I want to register a new agent in the central SIEM&XDR.
Assuming: CyFORT-Wazuh Manager running on C&C and agent on selected host
- Either:
a. Add the manager IP as an environment variable during the agent installation process.
b. Set the manager IP in the agent configuration file.
c. Request the key from the manager API and manually import it into the agent.
Parent links: MRS-016
Child links: TST-022 Wazuh agent installation and enrollment: remote machine
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 3 |
risk | 1 |
type | F |
rationale | To enable a non-static configuration of monitored nodes. |
version | 0.1 |
24 SRS-024
As a user, I want to run queries on data such as events, alerts and statistics.
Assuming: CyFORT-Wazuh running and an established connection to the indexer
- Formulate the query in Wazuh Query Language
- Query the indexer via the Wazuh API
Parent links: MRS-018
Child links: TST-031 Wazuh filters using the RESTful API
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 2 |
urgency | 4 |
risk | 1 |
type | F |
rationale | To achieve a programmatic access to security alert and event data. |
version | 0.1 |
25 SRS-025
As a user, I want to map a detected event to the MITRE ATT&CK framework.
Assuming: CyFORT-Wazuh running
- Open the document corresponding to the event (e.g. via index query, or using the dashboard)
- Check if the following keys exist among the attributes: `rule.mitre.id`, `rule.mitre.tactic`, `rule.mitre.technique`
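The check above is easy to do by eye on the dashboard for one event; for a batch of alert documents it is worth scripting. The following is an added example, not code from the IDPS-ESCAPE project or from Wazuh: it resolves the three `rule.mitre.*` keys in an alert document, treats an event as mapped only when all three are present, and triages a set of JSON-lines alerts (the shape of Wazuh's `alerts.json`, one document per line) into mapped, unmapped and malformed. The two sample alerts and their field values are constructed for the example. Python is used because ADBox (`siem_mtad_gat`) is a Python code base.

```python
import json
from typing import Optional

# Constructed sample alerts (not taken from any real deployment). The first carries the
# nested rule.mitre.* attributes a Wazuh alert has when its rule is tagged with ATT&CK
# metadata; the second rule has no such mapping.
MAPPED_ALERT = {
    "timestamp": "2024-01-01T00:00:00.000+0000",
    "agent": {"id": "001", "name": "constructed-host"},
    "rule": {
        "id": "5710",
        "level": 5,
        "description": "constructed: login attempt with non-existent user",
        "mitre": {
            "id": ["T1110.001"],
            "tactic": ["Credential Access"],
            "technique": ["Password Guessing"],
        },
    },
}
UNMAPPED_ALERT = {
    "timestamp": "2024-01-01T00:00:05.000+0000",
    "agent": {"id": "002", "name": "constructed-host-2"},
    "rule": {"id": "530", "level": 3, "description": "constructed: service status change"},
}
# One document per line, plus a deliberately broken line to exercise error handling.
SAMPLE_LINES = [json.dumps(MAPPED_ALERT), json.dumps(UNMAPPED_ALERT), "{not json"]

MITRE_KEYS = ("rule.mitre.id", "rule.mitre.tactic", "rule.mitre.technique")


def get_path(doc: dict, dotted: str):
    """Resolve a dotted key such as 'rule.mitre.id' against a nested dict; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def mitre_mapping(alert: dict) -> Optional[dict]:
    """Return {'id': [...], 'tactic': [...], 'technique': [...]} when all three
    rule.mitre.* keys are present, otherwise None. Scalars are wrapped in lists so
    callers can iterate uniformly (the Wazuh fields are arrays)."""
    values = {key.rsplit(".", 1)[1]: get_path(alert, key) for key in MITRE_KEYS}
    if any(v is None for v in values.values()):
        return None
    return {k: (v if isinstance(v, list) else [v]) for k, v in values.items()}


def triage(alert_lines: list[str]) -> dict:
    """Split JSON-lines alerts into ATT&CK-mapped records, unmapped rule ids and a
    count of lines that could not be parsed."""
    mapped, unmapped, malformed = [], [], 0
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        rule_id = get_path(alert, "rule.id")
        mapping = mitre_mapping(alert)
        if mapping is None:
            unmapped.append(rule_id)
        else:
            mapped.append({"rule_id": rule_id, **mapping})
    return {"mapped": mapped, "unmapped": unmapped, "malformed": malformed}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for rec in result["mapped"]:
        print(f"rule {rec['rule_id']}: {rec['id']} / {rec['tactic']} / {rec['technique']}")
    print(f"unmapped rules: {result['unmapped']}, malformed lines: {result['malformed']}")
```

Rules that fall in the "unmapped" bucket are the ones worth reviewing when the SOC relies on ATT&CK tags for classification: either the rule genuinely has no mapping, or the `mitre` block is missing from the rule definition.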
Parent links: MRS-023
Child links: TST-036 Map a detected event to MITRE ATT&CK
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 2 |
urgency | 2 |
risk | 1 |
type | F |
rationale | To improve and speed up threat detection and classification, thereby facilitating CTI analysis. |
version | 0.1 |
26 SRS-026
As a user, I want to export data from IDPS-ESCAPE to a TIP.
Parent links: MRS-025
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
urgency | 1 |
type | F |
rationale | To enable programmatic access, which would also in turn support integration with SATRAP-DL. |
version | 0.1 |
27 SRS-027
As a system admin, I want to run a machine learning algorithm to detect anomalous behaviors within my system.
- Access C&C server
- Access ADBox
- Select a trained detector
- Run a prediction script using the chosen detector, either for a selected time interval or in real time.
Parent links: MRS-030
Child links: TST-007 ADBox use case 1 with a Wazuh connection, LARC-008 ADBox batch and real-time prediction flow, TST-008 ADBox use case 1 without a Wazuh connection, TST-011 ADBox use case 3 with a Wazuh connection, TST-012 ADBox use case 3 without a Wazuh connection
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 4 |
risk | 2 |
type | F |
version | 0.1 |
28 SRS-028
As a user, I want to compare the outcome of different anomaly detection algorithms on my data.
Assuming: Two different algorithms A1 and A2 available in ADBox, and two compatible detectors D1 and D2 based on these algorithms, respectively.
- Access C&C server
- Access ADBox
- Establish detection parameters (time interval, features, etc.)
- Select a (trained) detector D1 using algorithm A1
- Run a prediction script using D1.
- Select a (trained) detector D2 using algorithm A2
- Run a prediction script using D2.
- Compare output using dedicated Dashboard.
Parent links: MRS-031
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 2 |
urgency | 1 |
risk | 1 |
type | F |
rationale | To validate the AD capabilities. |
version | 0.1 |
29 SRS-029
As a user, I want to ingest and transform data generated from both host and network events to feed anomaly detectors.
- Access C&C server
- Access ADBox
- Set up data ingestion and transformation of data derived from CyFORT-Wazuh and CyFORT-Suricata logs.
Parent links: MRS-032
Child links: LARC-003 ADBox preprocessing flow
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 4 |
urgency | 4 |
risk | 1 |
type | F |
rationale | To enable holistic system monitoring. |
version | 0.2 |
30 SRS-030
As a user, I want to read/plot AD results of training and test data.
Assuming: a trained detector with unique identifier `uuid` is available.
- Access C&C server
- Access ADBox
- Open the folder `siem_mtad_gat/assets/detector_models/uuid/training`
- Use either external tools or viz-notebooks to visualize:
  - train subset AD output: `train_output.pkl`
  - test subset AD output: `test_output.pkl`
Parent links: MRS-034
Child links: TST-037 Open prediction file of training data
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 2 |
urgency | 2 |
risk | 2 |
type | F |
rationale | To enable programmatic use of such data to further elaborate and evaluate output of training |
version | 0.1 |
31 SRS-031
As a user, I want to read/plot losses of training and test data.
Assuming: a trained detector with unique identifier `uuid` is available.
- Access C&C server
- Access ADBox
- Open the folder `siem_mtad_gat/assets/detector_models/uuid/training`
- Use either external tools or viz-notebooks to visualize:
  - train: `train_losses.png`
  - test: `test_losses.png`
Parent links: MRS-034
Child links: TST-038 Visualize train losses
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 1 |
urgency | 1 |
type | F |
rationale | To evaluate quality of output of training |
version | 0.1 |
32 SRS-032
As a user, I want to read/plot the list of predicted anomalies.
Assuming: a trained detector with unique identifier `uuid` is available and a use-case scenario `uc-x` is given.
- Access C&C server
- Access ADBox
- Within the `siem_mtad_gat/assets/detector_models/uuid/prediction` folder, open `uc-x_predicted_anomalies_data-*.json`
Parent links: MRS-034
Child links: TST-039 Open prediction raw outcome
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 4 |
urgency | 3 |
risk | 1 |
type | F |
rationale | To enable programmatic use of such data to further elaborate and evaluate output of prediction |
version | 0.1 |
33 SRS-033
As a system admin user, I want to deploy IDPS end-point monitoring solutions on a remote end-point by choosing from multiple configuration options so that I can monitor events on my system's edge/endpoints.
- Access end-point as root.
- Deploy end-point components following:
- Connect local solution to C&C sub-system.
Parent links: MRS-037
Child links: LARC-004 IDPS-ESCAPE end-point integrated arch., LARC-005 IDPS-ESCAPE end-point hybrid arch., LARC-006 IDPS-ESCAPE end-point host-only IDS arch., LARC-007 IDPS-ESCAPE end-point capture-only arch.
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 4 |
risk | 3 |
type | F |
rationale | To adapt and improve performance |
version | 0.1 |
35 SRS-035
As a user, I want to perform off-line AD on SIEM data registered by Wazuh on date YYYY-MM-DD.
Assuming: a trained detector with unique identifier `uuid` is available.
- Access C&C server
- Access ADBox
- Add a use-case file `siem_mtad_gat/assets/drivers/uc_x.yaml` including:

```yaml
prediction:
  run_mode: "historical"
  index_date: YYYY-MM-DD
  detector_id: uuid
```
Parent links: MRS-039
Child links: LARC-002 ADBox historical data prediction pipeline flow, TST-009 ADBox use case 2 with a Wazuh connection, TST-010 ADBox use case 2 without a Wazuh connection
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 4 |
urgency | 4 |
risk | 2 |
type | F |
rationale | To detect anomalies without real-time obstacles and possibly after pre-selection, and to review events from the past investigating a possible threat |
version | 0.1 |
36 SRS-036
As a user, I want to add a new custom rule set (signature) for a specific network-related event type.
- Access C&C server
- Add the file with custom rules, `local.rules`.
- Open `/etc/suricata/suricata.yaml` and update:

```yaml
rule-files:
  - suricata.rules
  - /path/to/local.rules
```
Parent links: MRS-040
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 3 |
urgency | 1 |
risk | 3 |
type | F |
rationale | To extend the detection capability of IDPS-ESCAPE and tailor the detection to my system |
version | 0.1 |
37 SRS-037
As a user, I want to find anomalies in the network traffic to detect threats not recognized by the signature-based NIDS.
Assuming: CyFORT-Suricata integrated with CyFORT-Wazuh
- Access C&C server
- Access ADBox
- Add a use-case file `siem_mtad_gat/assets/drivers/uc_x.yaml` including as features the attributes obtained from decoding Suricata `eve.log`
- Run ADBox
Parent links: MRS-004
Child links: TST-015 ADBox use case 5 with a Wazuh connection, TST-016 ADBox use case 5 without a Wazuh connection
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
rationale | To detect deviations from an a priori normal baseline system behavior, possibly caused by malicious actors. |
importance | 4 |
urgency | 3 |
risk | 1 |
type | F |
version | 0.1 |
38 SRS-038
As a user, I want to train a detector to detect anomaly by using both host and network events.
- Access C&C server
- Access ADBox
- Train a detector using features derived from CyFORT-Wazuh and CyFORT-Suricata logs.
Parent links: MRS-030
Child links: LARC-001 ADBox training pipeline flow, TST-013 ADBox use case 4 with a Wazuh connection, TST-014 ADBox use case 4 without a Wazuh connection
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
importance | 5 |
urgency | 4 |
risk | 2 |
type | F |
version | 0.1 |
39 SRS-039
As a user, I want to be able to select the algorithm to use for AD to run AD according to the most suitable AD principle.
- Access C&C server
- Access ADBox
- Select the ML-package to be used by the training/test pipelines.
Parent links: MRS-031
Child links: LARC-009 ADBox machine learning package
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
dependence | [] |
status | unavailable |
importance | 3 |
urgency | 2 |
risk | 2 |
type | F |
rationale | Adapt AD functionality to different scenarios and maximize accuracy. |
version | 0.1 |
40 SRS-040
ADBox should include a Data Management subpackage, centralizing data storage, retrieval and all other operations concerning the management of data along the AD pipelines.
Parent links: MRS-004
Child links: LARC-010 ADBox data manager
Attribute | Value |
---|---|
acceptance | Code inspection |
dependence | [] |
importance | 3 |
urgency | 3 |
risk | 3 |
type | A |
rationale | To consolidate the data management operation |
version | 0.1 |
41 SRS-041
ADBox should include a Time Management package, handling various aspects of time-related operations given the time-series based approach.
Parent links: MRS-004
Child links: LARC-011 ADBox TimeManager
Attribute | Value |
---|---|
acceptance | Code inspection |
dependence | [] |
importance | 3 |
urgency | 2 |
risk | 2 |
type | A |
rationale | To consolidate the time management operation |
version | 0.1 |
42 SRS-042
As a user, I want the prediction of the anomaly detection subsystem to be shipped to the central indexer.
Assuming:
- CyFORT-Wazuh and ADBox deployed
- a use case, including training settings, available.
- Build ADBox container
- Run ADBox training with the shipping flag enabled
- When using the created detector, turn the shipping on.
Parent links: MRS-018
Child links: LARC-013 ADBox RequestResponseHandler, LARC-014 ADBox Shipper, TST-018 ADBox Create detector data stream
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
importance | 2 |
urgency | 2 |
risk | 2 |
type | F |
rationale | Centralization and integration of information |
version | 0.1 |
43 SRS-043
As a user, I want a graphic visualization of the data produced by the anomaly detection subsystem.
Assuming:
- CyFORT-Wazuh and ADBox deployed and integrated
- At least one detector data stream available in CyFORT-Wazuh Indexer
- Open CyFORT-Wazuh
- Add the detector's pattern to Dashboard pattern list.
- (Optional) Create an ad hoc visualization and a Dashboard.
Parent links: MRS-017
Child links: TST-033 ADBox Wazuh integration Dashboard
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
importance | 2 |
urgency | 2 |
risk | 2 |
type | F |
rationale | Accessibility of AD data for the end-users and centralize forensics |
version | 0.1 |
44 SRS-044
As a user, I want to deploy ADBox using a platform-independent solution, and to further develop it.
Assuming:
- CyFORT-Wazuh deployed
- Deploy ADBox using dev container.
Parent links: MRS-020
Child links: TST-003 Install ADBox as dev container
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
importance | 4 |
urgency | 4 |
risk | 2 |
type | F/A |
rationale | Ensure cross-platform compatibility and portability both for usage and development. |
version | 0.1 |
45 SRS-045
As a user, I want to understand IDPS-ESCAPE high level architecture.
Assuming:
- access to idps-escape docs repository
- Open the `docs\specs` project folder.
- Open HARC
Parent links: MRS-026
Child links: TST-040 Visualize IDPS-ESCAPE high level architecture
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
urgency | 3 |
risk | 1 |
type | S |
rationale | To follow a consistent and well-defined process, while improving development security. |
version | 0.1 |
46 SRS-046
As a user, I want to deploy ADBox as a platform independent solution.
Assuming:
- CyFORT-Wazuh deployed
- Deploy ADBox via Docker and shell scripts.
Parent links: MRS-020
Child links: TST-001 Deploy ADBox via Docker and shell scripts
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
importance | 5 |
urgency | 5 |
risk | 2 |
type | F |
rationale | Ensure cross-platform compatibility and portability for usage. |
version | 0.1 |
47 SRS-047
As a user, I want to interactively compile a use case, to create an anomaly detector and run predictions.
- Access C&C server
- Access ADBox
- Run interactive shell.
Parent links: MRS-030
Child links: TST-004 Run ADBox console
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
urgency | 2 |
type | F |
rationale | To simplify the process of preparing use-case files. |
version | 0.1 |
48 SRS-048
As a user, I want to train a base detector using default parameters.
- Access C&C server
- Access ADBox
- Run ADBox with the default option.
Parent links: MRS-030
Child links: TST-005 Run ADBox in default mode with a Wazuh connection, TST-006 Run ADBox in default mode without a Wazuh connection
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
importance | 2 |
urgency | 2 |
risk | 1 |
type | F |
rationale | To obtain a detector without use case specification. |
version | 0.1 |
49 SRS-049
As a user, I want to enable the shipping of anomaly detection outcomes to the central indexer to centralize data analysis and threat hunting.
- Access Command and Control server.
- Access ADBox.
- Run shipping installation script.
Parent links: MRS-021
Child links: TST-017 ADBox shipping install
Attribute | Value |
---|---|
acceptance | Successful validation according to the corresponding test case specification |
importance | 3 |
urgency | 3 |
risk | 2 |
type | F |
rationale | To ensure consistent integration of AD outcomes with the SIEM |
version | 0.1 |