Tags for security-related encoding issues

Let's say you have some Logstash module or Ruby configuration that cleans up / parses / etc. logs, and it comes across something that would be illegal (e.g. an illegal UTF-8 encoding sequence which, if it were not sanitized, could threaten the pipeline).

Obviously you would need to clean this up, but from a security point of view (i.e. as a SIEM) you would want to know that this has been done and that this (e.g. web access log) signified something noteworthy. If I were to merely fix up the request (e.g. by replacing the illegal encoding sequence with a Unicode replacement character) that would remove visibility of what was special about this request.

So what I want to know is this:

  • What is a good way of safely showing the true nature of the request?
  • How (preferably in an ECS compliant way) should I signify that this request is highly suspect? ECS doesn't seem to offer any guidance on tags, from what I can see.

I don't think it would be appropriate to use the ECS error.* fields, because I'm not saying that the log entry describes an error event... Possibly the threat.* fields might be useful, but I didn't see anything that seemed to match (tactics, techniques in the MITRE ATT&CK framework).

What I want to end up happening is that if I send this to Elasticsearch I want the SIEM product etc. to have a good chance of recognising that this log indicates something of concern and should probably boost any threat evaluation.

Cheers,
Cameron
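
One way to keep the message safe while preserving what was unusual about it, as an added example that is not part of the original post and is not ECS guidance. `message` and `tags` are ECS base fields; the tag value `_invalid_utf8` and the `log_sanitizer` field set are assumed names, and the sample line is constructed.

```ruby
require "digest"

# Assumed names (not defined by ECS or by the post): the tag value and the
# custom "log_sanitizer" field set. "tags" and "message" are ECS base fields.
INVALID_TAG = "_invalid_utf8"
RAW_FIELD   = "log_sanitizer"

# Render raw bytes as valid UTF-8 in which every invalid byte is shown as
# \xNN. Literal backslashes are doubled first so the result is unambiguous.
def visible_form(raw)
  doubled = raw.b.gsub("\\") { "\\\\" }
  doubled.force_encoding(Encoding::UTF_8).scrub do |bad|
    bad.bytes.map { |b| format("\\x%02X", b) }.join
  end
end

# Return an event hash: "message" is always valid UTF-8 (invalid bytes
# replaced with U+FFFD). If anything was replaced, tag the event and keep
# an inert, searchable record of what the request really contained.
def sanitize_log_line(raw)
  text = raw.dup.force_encoding(Encoding::UTF_8)
  event = { "message" => text.scrub("\uFFFD"), "tags" => [] }
  return event if text.valid_encoding?

  invalid_bytes = 0
  text.scrub { |bad| invalid_bytes += bad.bytesize; "" }
  event["tags"] << INVALID_TAG
  event[RAW_FIELD] = {
    "escaped"       => visible_form(raw),
    "invalid_bytes" => invalid_bytes,
    "sha256"        => Digest::SHA256.hexdigest(raw.b)
  }
  event
end

# Constructed sample: an access-log line with an overlong-encoded "/".
if __FILE__ == $PROGRAM_NAME
  p sanitize_log_line("GET /a\xC0\xAFb HTTP/1.1".b)
end
```

The escaped form and the hash of the raw bytes let an analyst search for and correlate the exact sequence without the invalid bytes ever entering the pipeline.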
