1 SRS-001

As a system admin user, I want to deploy and maintain a central subsystem, called command-and-control (C&C), so that I can update the user-exposed settings of the subsystems tackling data collection, intrusion detection and prevention.

  1. Set up host for C&C server.
  2. Access as root.
  3. Deploy C&C components following the IDPS-ESCAPE decision diagram for C&C deployment:

[Figure: IDPS-ESCAPE decision diagram, C&C deployment]

  4. Configure components via the respective software configuration management (SCM) mechanism.

Parent links: MRS-002

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 5
risk 1
type F
rationale To centralize and simplify IDPS components configuration management.
version 0.1

2 SRS-002

As a system admin user, I want to access the end-point monitored systems via the IDPS-ESCAPE C&C server/unit, so that I can check the status of the end-point monitoring solutions deployed, if any.

  1. Access C&C server as root.
  2. Via CyFORT-Wazuh manager, list the enrolled agents and their status.
  3. If deployed, check C-CyFORT-Suricata and mirroring status.
  4. If any is deployed, remotely connect to the endpoint and check the local CyFORT-Suricata status.

Parent links: MRS-002

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 5
risk 2
type F
rationale To centralize and simplify agent/sensor configuration management.
version 0.1

3 SRS-003

As a sys admin user, I want to deploy HIDS agents on the hosts of the monitored system, so that I can enable IDPS-ESCAPE's HIDS capabilities.

  1. Access host to be monitored.
  2. Install Wazuh Agent.
  3. Enroll Wazuh Agent in CyFORT-Wazuh manager.
  4. Configure Wazuh Agent.

Parent links: MRS-005

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 5
risk 1
type F
rationale To enable a multi-node deployment of end-point host monitoring.
version 0.1

4 SRS-004

As a sys admin user, I want to enable/disable HIDS agents deployed on the hosts of the monitored system.

  1. Access C&C server.
  2. Enroll/unenroll Wazuh Agent from CyFORT-Wazuh manager.
  3. Possibly, remove logs and config files.

Parent links: MRS-005

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 5
risk 2
type F
rationale To enable security posture monitoring of the system hosts
version 0.1

5 SRS-005

As a sys admin user, I want to enable/disable network monitoring within IDPS-ESCAPE's subsystem boundaries.

  1. Access C&C server.
  2. Deploy C-CyFORT-Suricata.
  3. Set up the channel/connections to be monitored.
  4. Possibly, add custom rules.

Parent links: MRS-006

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 4
risk 2
type F
rationale To enable traffic monitoring
version 0.1

6 SRS-006

As a sys admin user, I want a centralized NIDPS in the C&C server.

  1. Access C&C server.
  2. Deploy C-CyFORT-Suricata.
  3. Activate prevention in the config and set up the behavior of the actions.

Parent links: MRS-007

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 2
urgency 1
risk 4
type F
rationale To be able to take reactive corrective measures and mitigate intrusions
version 0.1

7 SRS-007

As a sys admin user, I want to capture and forward raw network traffic to the C&C server, to run NIDS on that traffic.

  1. Access C&C server.
  2. Deploy C-CyFORT-Suricata.
  3. Identify host capture interface (CI), C&C CI and IP.
  4. Run port mirroring activation script with above arguments.

Parent links: MRS-008

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 5
risk 2
type F
rationale To collect events for threat hunting and CTI operations, reducing the NIDS overhead on the end-points, and to perform customized AD.
version 0.1

8 SRS-008

As a sys admin user, I want to deploy NIDS components as Docker containers on the system's end-point hosts, to monitor traffic and store logs locally.

  1. Access end-point (EP) host.
  2. Deploy using custom script.
  3. Update the config file (.yml) with the local configuration.

Parent links: MRS-009

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 2
risk 2
type F
rationale To ensure the following properties: consistent and reproducible environments, isolation, resource efficiency, scalability, portability, fast spawning and shutdown, improved CI/CD, support of microservices architecture, improved dependency management.
version 0.1

9 SRS-009

As a sys admin user, I want to enable host intrusion detection via pattern matching with known/expected threats (signature-based HIDS).

  1. Access host to be monitored.
  2. Deploy Wazuh Agent (using the C&C manager IP).
  3. Enroll the Wazuh Agent.
  4. Set up local configs and logs.
  5. Possibly, define custom rules.

Parent links: MRS-011

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 5
risk 1
type F
rationale To build on the mature and existing rule-based detection and CTI body of knowledge and to mitigate low AD detection risk.
version 0.1

10 SRS-010

As a SOC member user, I want to manage the HIDS and NIDS results and information jointly, to have a centralized overview of the system for threat detection, investigation, and response.

  1. Access C&C server
  2. Deploy CyFORT-Wazuh and HIDS agents
  3. Deploy (C-)CyFORT-Suricata
  4. Integrate CyFORT-Suricata and CyFORT-Wazuh using custom script and procedure

Parent links: MRS-012

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 4
risk 1
type F
version 0.1

11 SRS-011

As a SOC member, I want a graphic visualization of the network events detected in my system.

Assuming: CyFORT-Suricata integrated in CyFORT-Wazuh

  1. Access CyFORT-Wazuh Dashboard
  2. Filter security events generated by NIDS group rules

Parent links: MRS-013

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 3
risk 1
type F
rationale To improve accessibility and ease-of-use for IDPS-ESCAPE end-users
version 0.1

12 SRS-012

As a SOC member, I want a graphic visualization of the host events detected in my system.

Assuming: CyFORT-Wazuh and HIDS agents deployed

  1. Access CyFORT-Wazuh Dashboard
  2. Filter security events generated by HIDS group rules

Parent links: MRS-013

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 3
risk 1
type F
rationale To improve accessibility and ease-of-use for IDPS-ESCAPE end-users
version 0.1

13 SRS-013

As a SOC member, I want to check the status of HIDS agents.

Assuming: CyFORT-Wazuh and HIDS agents deployed and enrolled to C&C Manager

  1. Access CyFORT-Wazuh Dashboard.
  2. Look at the dedicated panel and click the agent ID for additional info.

Parent links: MRS-013

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 2
risk 1
type F
rationale To improve IDPS-ESCAPE status management for the end-users
version 0.1

14 SRS-014

As a SOC member, I want the detected events to be correctly decoded and transformed before usage and storage.

  1. Access C&C server
  2. Access CyFORT-Wazuh manager
  3. Run testing and verification of rules and decoders via CyFORT-Wazuh server API
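The check in step 3, as an added example that is not part of the IDPS-ESCAPE project or the Wazuh code base: it targets the Wazuh server API endpoint PUT /logtest (assumed reachable on the C&C manager at https://<manager>:55000, authenticated with a JWT obtained from POST /security/user/authenticate), submits one sample log line, and compares the decoder and rule reported in the reply with what the analyst expects. The manager address, CA path and the reply shown are placeholders and a constructed sample, not values from a real deployment; the live call is only made from main().

```python
"""Test rules and decoders against a sample log via the Wazuh server API.

Added example, not part of IDPS-ESCAPE. It targets the Wazuh API 'PUT /logtest'
endpoint (assumed reachable on the C&C manager at https://<manager>:55000 with a
JWT from POST /security/user/authenticate) and checks the reply for the expected
decoder and rule. SAMPLE_RESPONSE is a constructed sample shaped like logtest
output; the live call is only made from main().
"""
import json
import ssl
import urllib.request
from typing import Any, Dict, Optional

# Constructed sample of a logtest reply (not captured from a real manager).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "data": {
        "token": "constructed-session-token",
        "messages": [],
        "output": {
            "full_log": "Jan 10 10:15:02 ep-host-01 sshd[4242]: Invalid user admin from 203.0.113.7 port 51234",
            "decoder": {"name": "sshd", "parent": "sshd"},
            "rule": {
                "id": "5710",
                "level": 5,
                "description": "sshd: attempt to login using a non-existent user",
                "groups": ["syslog", "sshd", "invalid_login", "authentication_failed"],
            },
        },
        "alert": True,
    },
    "error": 0,
}


def build_logtest_request(base_url: str, jwt: str, event: str, log_format: str = "syslog",
                          location: str = "master->/var/log/auth.log",
                          session_token: Optional[str] = None) -> urllib.request.Request:
    """Build the PUT /logtest request. session_token reuses a previous logtest
    session so that multi-line decoders keep their state between calls."""
    body: Dict[str, Any] = {"event": event, "log_format": log_format, "location": location}
    if session_token:
        body["token"] = session_token
    req = urllib.request.Request(f"{base_url.rstrip('/')}/logtest",
                                 data=json.dumps(body).encode("utf-8"), method="PUT")
    req.add_header("Authorization", f"Bearer {jwt}")
    req.add_header("Content-Type", "application/json")
    return req


def run_logtest(req: urllib.request.Request, cafile: Optional[str] = None,
                timeout: float = 10.0) -> Dict[str, Any]:
    """Send the request and decode the JSON reply. TLS is verified; pass the
    manager's CA certificate via cafile instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_match(response: Dict[str, Any], expected_decoder: str,
                expected_rule_id: str) -> Dict[str, Any]:
    """Compare the decoder and rule reported by logtest with what the analyst
    expects; a missing 'rule' means no rule fired for the sample log."""
    data = response.get("data", {})
    output = data.get("output", {})
    decoder = output.get("decoder", {}).get("name")
    rule = output.get("rule", {}).get("id")
    return {
        "decoder": decoder,
        "rule": rule,
        "decoder_ok": decoder == expected_decoder,
        "rule_ok": rule == expected_rule_id,
        "fired": rule is not None,
        "messages": data.get("messages", []),
    }


if __name__ == "__main__":
    # Placeholder manager address, token and CA path; replace with the deployment's values.
    req = build_logtest_request("https://cnc.example.invalid:55000", "<jwt>",
                                SAMPLE_RESPONSE["data"]["output"]["full_log"])
    print(check_match(run_logtest(req, cafile="/path/to/root-ca.pem"), "sshd", "5710"))
```

The reply of a logtest call also carries a session token; feeding it back through session_token keeps decoder state across several lines, which matters when a custom decoder relies on a parent decoder having seen an earlier line.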

Parent links: MRS-014

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 1
risk 1
type F
rationale To avoid errors and inaccuracy
version 0.1

15 SRS-015

As a user, I want my SIEM to interpret a new type of data forwarded by agents/sensors.

  1. Access C&C server.
  2. Access CyFORT-Wazuh manager.
  3. Add custom rules and custom decoders.

Parent links: MRS-014

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 2
urgency 1
risk 3
type F
rationale To extend the detection capability of IDPS-ESCAPE and tailor the detection to my system
version 0.1

16 SRS-016

As an admin user, I want to modify the credentials of the data indexer for a user, to improve the security level of the admin password.

  1. Access C&C server.
  2. Access CyFORT-Wazuh manager.
  3. Update config/wazuh_indexer/internal_users.yml file.

Parent links: MRS-015

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 1
risk 2
type F/S
rationale Maintain/improve the security of IDPS-ESCAPE
version 0.1

17 SRS-017

As a user, I want to configure ADBox to fetch data from an indexer at a specific host address.

  1. Access C&C server
  2. Access ADBox
  3. Modify IP address in ../siem_mtad_gat/assets/secrets/wazuh_credentials.json

Parent links: MRS-015

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 4
risk 4
type F
rationale To connect ADBox to a specific data source containing data of interest, possibly different from the default one
version 0.1

18 SRS-018

As a user, I want to modify the default hyperparameters of the ML methods used by ADBox.

  1. Access C&C server
  2. Access ADBox
  3. Modify values in siem_mtad_gat/assets/default_configs/mtad_gat_train_config_default_args.json

Parent links: MRS-015

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 2
risk 2
type F
rationale To globally tune the ML algorithm to a specific system/scenario
version 0.1

19 SRS-019

As a user, I want to modify the datatype transformation map applied by ADBox to fetched data.

  1. Access C&C server
  2. Access ADBox
  3. Modify key values in ../siem_mtad_gat/assets/wazuh/wazuh_columns.json

Parent links: MRS-015

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
urgency 1
type F
rationale To maintain the consistency with SIEM solution
version 0.1

20 SRS-020

As a user, I want to update the default fields fetched at ingestion phase by ADBox.

  1. Access C&C server
  2. Access ADBox
  3. Update keys and values in ../siem_mtad_gat/assets/wazuh/wazuh_columns.json

Parent links: MRS-015

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
urgency 1
type F
rationale To maintain consistency with the SIEM solution and add custom features
version 0.1

21 SRS-021

As a user, I want to update the default use case of ADBox.

  1. Access C&C server
  2. Access ADBox
  3. Modify ../siem_mtad_gat/assets/default_configs/default_detector_input_config.json

Parent links: MRS-015

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 3
risk 1
type F
rationale To adapt ADBox default behavior
version 0.1

22 SRS-022

As a user, I want to update indexer credentials in ADBox.

  1. Access C&C server
  2. Access ADBox
  3. Update CyFORT-Wazuh indexer credentials in ../siem_mtad_gat/assets/secrets/wazuh_credentials.json

Parent links: MRS-015

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 3
risk 2
type F
rationale To adapt to local configuration
version 0.1

23 SRS-023

As a user, I want to register a new agent in the central SIEM&XDR.

Assuming: CyFORT-Wazuh Manager running on C&C and agent on selected host

  1. Either:
     a. Add the manager IP as an environment variable during the agent installation process.
     b. Set the manager IP in the agent configuration file.
     c. Request the key from the manager API and manually import it into the agent.

Parent links: MRS-016

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 3
risk 1
type F
rationale To enable a non-static configuration of monitored nodes.
version 0.1

24 SRS-024

As a user, I want to run queries on data such as events, alerts and statistics.

Assuming: CyFORT-Wazuh running and established connection to indexer

  1. Formulate the query in Wazuh Query Language
  2. Submit the query to the indexer via the Wazuh API

Parent links: MRS-018

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 2
urgency 4
risk 1
type F
rationale To achieve a programmatic access to security alert and event data.
version 0.1

25 SRS-025

As a user, I want to map a detected event to MITRE ATT&CK framework.

Assuming: CyFORT-Wazuh running

  1. Open the document corresponding to the event (e.g. via index query, or using the dashboard)
  2. Check whether the following keys exist among the attributes: rule.mitre.id, rule.mitre.tactic, rule.mitre.technique
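The check in step 2 carried out in code, as an added example that is not part of the IDPS-ESCAPE project or the Wazuh code base: it reads the three keys named above (rule.mitre.id, rule.mitre.tactic, rule.mitre.technique) from an alert document as returned by an index query and reports alerts that carry no mapping instead of failing on them. The two alert documents are constructed samples shaped like Wazuh alert records; their rule ids, names and mapping are illustrative, not taken from a deployment.

```python
"""Extract the MITRE ATT&CK mapping from Wazuh alert documents.

Added example, not part of the IDPS-ESCAPE project: it reads the three keys
named in the requirement (rule.mitre.id, rule.mitre.tactic,
rule.mitre.technique) from an alert document as returned by an index query
and reports alerts without a mapping instead of failing on them.
"""
from typing import Any, Dict, List, Optional, Tuple

MITRE_KEYS = ("rule.mitre.id", "rule.mitre.tactic", "rule.mitre.technique")

# Constructed sample documents shaped like Wazuh alert records (not real data).
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {
        "id": "1700000000.1",
        "agent": {"id": "001", "name": "ep-host-01"},
        "rule": {
            "id": "5710",
            "level": 5,
            "description": "sshd: attempt to login using a non-existent user",
            "mitre": {
                "id": ["T1110.001"],
                "tactic": ["Credential Access"],
                "technique": ["Password Guessing"],
            },
        },
    },
    {
        "id": "1700000000.2",
        "agent": {"id": "002", "name": "ep-host-02"},
        "rule": {
            "id": "100001",
            "level": 3,
            "description": "custom rule without an ATT&CK mapping",
        },
    },
]


def get_nested(doc: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Return the value at a dotted path ('rule.mitre.id'), or None if any
    segment is missing. The dashboard uses the same dotted field names."""
    node: Any = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def as_list(value: Any) -> List[str]:
    """Wazuh stores the mitre fields as arrays; normalise a scalar to a list."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def extract_mitre(alert: Dict[str, Any]) -> Optional[Dict[str, List[str]]]:
    """Return {'id': [...], 'tactic': [...], 'technique': [...]} when all three
    keys are present and non-empty, otherwise None (no ATT&CK mapping)."""
    values = {key.rsplit(".", 1)[1]: as_list(get_nested(alert, key)) for key in MITRE_KEYS}
    if any(not v for v in values.values()):
        return None
    return values


def technique_rows(mapping: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Pair technique id, tactic and technique name positionally. Arrays of
    unequal length are padded with '' so no entry is silently dropped."""
    width = max(len(v) for v in mapping.values())

    def pad(xs: List[str]) -> List[str]:
        return xs + [""] * (width - len(xs))

    return list(zip(pad(mapping["id"]), pad(mapping["tactic"]), pad(mapping["technique"])))


def summarise(alerts: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Split alerts into mapped rows (alert id, technique id, tactic, technique)
    and the ids of alerts that carry no mapping."""
    mapped: List[Tuple[str, str, str, str]] = []
    unmapped: List[str] = []
    for alert in alerts:
        mapping = extract_mitre(alert)
        if mapping is None:
            unmapped.append(str(alert.get("id")))
            continue
        for tid, tactic, technique in technique_rows(mapping):
            mapped.append((str(alert.get("id")), tid, tactic, technique))
    return {"mapped": mapped, "unmapped": unmapped}


if __name__ == "__main__":
    summary = summarise(SAMPLE_ALERTS)
    for row in summary["mapped"]:
        print("alert %s -> %s / %s / %s" % row)
    print("unmapped:", summary["unmapped"])
```

The unmapped list is the useful output for a SOC member: custom rules added under SRS-015 that land there have no ATT&CK annotation yet, so they will not appear in the dashboard's MITRE views.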

Parent links: MRS-023

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 2
urgency 2
risk 1
type F
rationale To improve and speed up threat detection and classification, thereby facilitating CTI analysis.
version 0.1

26 SRS-026

As a user, I want to export data from IDPS-ESCAPE to a TIP.

Parent links: MRS-025

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
urgency 1
type F
rationale To enable programmatic access, which would also in turn support integration with SATRAP-DL.
version 0.1

27 SRS-027

As a system admin, I want to run a machine learning algorithm to detect anomalous behaviors within my system.

  1. Access C&C server.
  2. Access ADBox.
  3. Select a trained detector.
  4. Run a prediction script using the chosen detector, either on a selected time interval or in real time.

Parent links: MRS-030

Child links: LARC-008 Batch and real-time prediction flow

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 4
risk 2
type F
version 0.1

28 SRS-028

As a user, I want to compare the outcomes of different anomaly detection algorithms on my data.

Assuming: Two different algorithms A1 and A2 available in ADBox, and two compatible detectors D1 and D2 based on these algorithms, respectively.

  1. Access C&C server.
  2. Access ADBox.
  3. Establish detection parameters (time interval, features, etc.).
  4. Select a (trained) detector D1 using algorithm A1.
  5. Run a prediction script using D1.
  6. Select a (trained) detector D2 using algorithm A2.
  7. Run a prediction script using D2.
  8. Compare output using dedicated Dashboard.

Parent links: MRS-031

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 2
urgency 1
risk 1
type F
rationale To validate the AD capabilities.
version 0.1

29 SRS-029

As a user, I want to ingest and transform data generated from both host and network events, to feed anomaly detectors.

  1. Access C&C server.
  2. Access ADBox.
  3. Set up the ingestion and transformation of data derived from the CyFORT-Wazuh and CyFORT-Suricata log arguments.

Parent links: MRS-032

Child links: LARC-003 Preprocessing flow

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 4
urgency 4
risk 1
type F
rationale To enable holistic system monitoring.
version 0.2

30 SRS-030

As a user, I want to read/plot AD results of training and test data.

Assuming: trained detector with unique identifier uuid available.

  1. Access C&C server
  2. Access ADBox
  3. Open the folder siem_mtad_gat/assets/detector_models/uuid/training
  4. Use either external tools or viz-notebooks to visualize:
     - train subset AD output: train_output.pkl
     - test subset AD output: test_output.pkl

Parent links: MRS-034

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 2
urgency 2
risk 2
type F
rationale To enable programmatic use of such data to further elaborate and evaluate output of training
version 0.1

31 SRS-031

As a user, I want to read/plot losses of training and test data.

Assuming: trained detector with unique identifier uuid available.

  1. Access C&C server
  2. Access ADBox
  3. Open the folder siem_mtad_gat/assets/detector_models/uuid/training
  4. Use either external tools or viz-notebooks to visualize:
     - train: train_losses.png
     - test: test_losses.png

Parent links: MRS-034

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 1
urgency 1
type F
rationale To evaluate quality of output of training
version 0.1

32 SRS-032

As a user, I want to read/plot the list of predicted anomalies.

Assuming: trained detector with unique identifier uuid available, use-case scenario uc-x given.

  1. Access C&C server
  2. Access ADBox
  3. Within siem_mtad_gat/assets/detector_models/uuid/prediction folder, open: uc-x_predicted_anomalies_data-*.json

Parent links: MRS-034

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 4
urgency 3
risk 1
type F
rationale To enable programmatic use of such data to further elaborate and evaluate output of prediction
version 0.1

33 SRS-033

As a system admin user, I want to deploy IDPS end-point monitoring solutions on a remote end-point by choosing from multiple configuration options, so that I can monitor events on my system's edges.

  1. Access end-point as root.
  2. Deploy end-point components following the IDPS-ESCAPE decision diagram for EP deployment:

[Figure: IDPS-ESCAPE decision diagram, EP deployment]

  3. Connect local solution to C&C sub-system.

Parent links: MRS-037

Child links: LARC-004 IDPS-ESCAPE end-point integrated arch., LARC-005 IDPS-ESCAPE end-point hybrid arch., LARC-006 IDPS-ESCAPE end-point host-only IDS arch., LARC-007 IDPS-ESCAPE end-point capture-only arch.

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 4
risk 3
type F
rationale To adapt and improve performance
version 0.1

35 SRS-035

As a user, I want to perform off-line AD on SIEM data registered by Wazuh on date YYYY-MM-DD.

Assuming: trained detector with unique identifier uuid available.

  1. Access C&C server
  2. Access ADBox
  3. Add a use-case file siem_mtad_gat/assets/drivers/uc_x.yaml including:

    ```
    prediction:
      run_mode: "historical"
      index_date: YYYY-MM-DD
      detector_id: uuid
    ```

Parent links: MRS-039

Child links: LARC-002 Historical data prediction pipeline flow

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 4
urgency 4
risk 2
type F
rationale To detect anomalies without real-time obstacles and possibly after pre-selection, and to review events from the past when investigating a possible threat
version 0.1

36 SRS-036

As a user, I want to add a new custom rule-set/signature for a specific network-related event type.

  1. Access C&C server
  2. Add the file with custom rules local.rules
  3. Open /etc/suricata/suricata.yaml and update:

    ```
    rule-files:
      - suricata.rules
      - /path/to/local.rules
    ```
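Before listing local.rules under rule-files, it pays to lint the file: a duplicate sid or a rule without rev makes Suricata reject the rule set at load time, and a sid taken from the range of the distributed rules will collide with a future update. The check below is an added example, not part of the IDPS-ESCAPE project or of Suricata; the rules it contains are constructed for the demonstration, and the local sid range (1000000-1999999) is the common reservation convention, not something the requirement states.

```python
"""Lint a Suricata local.rules file before listing it under rule-files.

Added example, not part of the IDPS-ESCAPE project. It parses each rule line,
requires the sid and rev options, flags duplicate sids and sids outside the
range conventionally reserved for local rules (1000000-1999999; a convention,
not something the requirement states). SAMPLE_LOCAL_RULES is constructed.
"""
import re
from typing import Any, Dict, List

LOCAL_SID_RANGE = range(1_000_000, 2_000_000)

# Constructed local.rules content: line 4 lacks rev, line 5 reuses a sid and
# line 6 uses a sid from outside the local range.
SAMPLE_LOCAL_RULES = """\
# constructed example rules for the lint below
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH connection to monitored host"; flow:to_server; sid:1000001; rev:1;)
alert dns any any -> any any (msg:"LOCAL DNS query for test domain"; dns.query; content:"example.test"; sid:1000002; rev:2;)
alert tcp any any -> any 445 (msg:"LOCAL rule missing rev"; sid:1000003;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL duplicate sid"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"LOCAL sid outside local range"; sid:2000001; rev:1;)
"""

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_options(opts: str) -> Dict[str, str]:
    """Split the option string into key -> value; values are unquoted and a
    ';' inside a quoted msg/content value is not treated as a separator."""
    result: Dict[str, str] = {}
    buf: List[str] = []
    in_quote = False
    prev = ""
    for ch in opts:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            buf = []
            if token:
                key, _, value = token.partition(":")
                result[key.strip()] = value.strip().strip('"')
        else:
            buf.append(ch)
        prev = ch
    return result


def parse_rules(text: str) -> List[Dict[str, Any]]:
    """Return one record per non-comment line: header fields plus parsed
    options, or {'line': n, 'error': ...} when the line is not a rule."""
    rules: List[Dict[str, Any]] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            rules.append({"line": n, "error": "not a rule"})
            continue
        rec: Dict[str, Any] = {"line": n, **m.groupdict()}
        rec["options"] = parse_options(m.group("opts"))
        rules.append(rec)
    return rules


def lint_rules(text: str) -> List[Dict[str, Any]]:
    """Return findings as {'line': n, 'sid': sid or None, 'problem': text}."""
    findings: List[Dict[str, Any]] = []
    seen: Dict[int, int] = {}  # sid -> first line it appeared on
    for rec in parse_rules(text):
        if "error" in rec:
            findings.append({"line": rec["line"], "sid": None, "problem": rec["error"]})
            continue
        opts = rec["options"]
        sid_text = opts.get("sid")
        if sid_text is None or not sid_text.isdigit():
            findings.append({"line": rec["line"], "sid": None, "problem": "missing or non-numeric sid"})
            continue
        sid = int(sid_text)
        if "rev" not in opts:
            findings.append({"line": rec["line"], "sid": sid, "problem": "missing rev"})
        if sid in seen:
            findings.append({"line": rec["line"], "sid": sid,
                             "problem": f"duplicate sid, first used on line {seen[sid]}"})
        else:
            seen[sid] = rec["line"]
        if sid not in LOCAL_SID_RANGE:
            findings.append({"line": rec["line"], "sid": sid,
                             "problem": "sid outside local range 1000000-1999999"})
    return findings


if __name__ == "__main__":
    for f in lint_rules(SAMPLE_LOCAL_RULES):
        print(f"line {f['line']}: sid={f['sid']}: {f['problem']}")
```

The lint is a pre-check, not a replacement for Suricata's own configuration test: after editing suricata.yaml, run the engine's test mode (suricata -T with the configuration file) so that option keywords and buffers unknown to the installed version are caught too.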

Parent links: MRS-040

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 3
urgency 1
risk 3
type F
rationale To extend the detection capability of IDPS-ESCAPE and tailor the detection to my system
version 0.1

37 SRS-037

As a user, I want to find anomalies in the network traffic, to detect threats not recognized by the signature-based NIDS.

Assuming: CyFORT-Suricata integrated with CyFORT-Wazuh

  1. Access C&C server
  2. Access ADBox
  3. Add a use-case file siem_mtad_gat/assets/drivers/uc_x.yaml including as features the attributes from the Suricata eve.log decoding
  4. Run ADBox

Parent links: MRS-004

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
status To detect deviations from an a priori normal baseline system behavior, possibly caused by malicious actors.
importance 4
urgency 3
risk 1
type F
version 0.1

38 SRS-038

As a user, I want to train a detector to detect anomalies using both host and network events.

  1. Access C&C server.
  2. Access ADBox.
  3. Train a detector using features derived from the CyFORT-Wazuh and CyFORT-Suricata log arguments.

Parent links: MRS-030

Child links: LARC-001 Training pipeline flow

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
importance 5
urgency 4
risk 2
type F
version 0.1

39 SRS-039

As a user, I want to be able to select the algorithm to use for AD, to run AD according to the most suitable AD principle.

  1. Access C&C server.
  2. Access ADBox.
  3. Select the ML-package to be used by the train/test pipelines.

Parent links: MRS-031

Child links: LARC-009 ADBox machine learning package

Attribute Value
acceptance Successful validation according to the corresponding test case specification
dependence []
status unavailable
importance 3
urgency 2
risk 2
type F
rationale Adapt AD functionality to different scenarios and maximize accuracy.
version 0.1

40 SRS-040

ADBox should include a Data Management subpackage, centralizing data storage, retrieval and all other operations concerning the management of data along the AD pipelines.

Parent links: MRS-004

Child links: LARC-010 ADBox data manager

Attribute Value
acceptance Code inspection
dependence []
importance 3
urgency 3
risk 3
type A
rationale To consolidate the data management operation
version 0.1