cisagov/cyhy-system

Add New BOD 23-02 Attachments for CybEx Send

Closed this issue · 12 comments

💡 Summary

Please add 2 new attachments that accompany the weekly Cybex send that covers BOD 23-02. Similar to the cybex_open_tickets_urgent....csv that currently accompanies the weekly Cybex send.

Motivation and context

In support of BOD 23-02, the Cyber Directives team will need to see identified, tracked, and closed potentially risky services.

Implementation notes

The following should be created/added:

cybex_open_tickets_potentially_risky_services_YYYYMMDD.csv

  • Columns within new csv: _id, owner, ip, port, service, category, time_opened, days_since_first_detected, first_reported, days_since_first_reported, days_to_report
  • Services to flag within this attachment: ftp, tftp, telnet, rdp, smb (we may add others later)

cybex_closed_tickets_potentially_risky_services_YYYYMMDD.csv

  • Columns within new csv: _id, owner, ip, port, service, category, time_opened, time_closed, days_to_close
  • Services to flag within this attachment: ftp, tftp, telnet, rdp, smb (we may add others later)

Acceptance criteria

  • Two new CSVs accompanying the weekly Cybex send, with the appropriate columns and services identified above, each week so that Cyber Directives can track potentially risky services week after week.
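The two attachments described above, built from ticket records with Python's standard library. This is an added example, not code from cisagov/cyhy-system: the ticket shape, the `open` flag, the `SAMPLE_TICKETS` values and the `as_of` reference time are constructed, and the day-count definitions (days since detection/report measured from `as_of`, `days_to_report` = first report minus open time, `days_to_close` = close time minus open time) are assumptions about how the existing "urgent" columns are computed.

```python
"""Build the BOD 23-02 'potentially risky services' CSVs from ticket records.

Added example (not cyhy-system code). Ticket fields and day-count
definitions are assumptions, labelled below.
"""
import csv
import io
from datetime import datetime, timezone

# Services the issue asks to flag; the issue notes more may be added later.
RISKY_SERVICES = {"ftp", "tftp", "telnet", "rdp", "smb"}

# Column lists exactly as specified in the issue description.
OPEN_COLUMNS = ["_id", "owner", "ip", "port", "service", "category",
                "time_opened", "days_since_first_detected", "first_reported",
                "days_since_first_reported", "days_to_report"]
CLOSED_COLUMNS = ["_id", "owner", "ip", "port", "service", "category",
                  "time_opened", "time_closed", "days_to_close"]

# Reference time for the weekly run (constructed).
AS_OF = datetime(2023, 6, 10, tzinfo=timezone.utc)

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample tickets; the dict keys are an assumed shape, not the
# real cyhy ticket schema. 'open' marks tickets still open at CSV creation.
SAMPLE_TICKETS = [
    {"_id": "t1", "owner": "AGENCY1", "ip": "192.0.2.10", "port": 21,
     "service": "ftp", "category": "potentially_risky_service", "open": True,
     "time_opened": _utc(2023, 6, 1), "first_reported": _utc(2023, 6, 3),
     "time_closed": None},
    {"_id": "t2", "owner": "AGENCY1", "ip": "192.0.2.11", "port": 443,
     "service": "https", "category": "potentially_risky_service", "open": True,
     "time_opened": _utc(2023, 6, 1), "first_reported": _utc(2023, 6, 2),
     "time_closed": None},                       # not a flagged service
    {"_id": "t3", "owner": "AGENCY2", "ip": "198.51.100.5", "port": 3389,
     "service": "rdp", "category": "potentially_risky_service", "open": False,
     "time_opened": _utc(2023, 5, 1), "first_reported": _utc(2023, 5, 2),
     "time_closed": _utc(2023, 5, 15)},          # closed: goes in closed CSV
    {"_id": "t4", "owner": "AGENCY2", "ip": "198.51.100.9", "port": 23,
     "service": "telnet", "category": "potentially_risky_service", "open": True,
     "time_opened": _utc(2023, 6, 8), "first_reported": None,
     "time_closed": None},                       # detected but not yet reported
]

def _days(later, earlier):
    """Whole days between two timestamps; None if either side is missing."""
    if later is None or earlier is None:
        return None
    return (later - earlier).days

def _iso(ts):
    return None if ts is None else ts.isoformat()

def _is_risky(ticket):
    return ticket["service"].lower() in RISKY_SERVICES

def open_risky_rows(tickets, as_of):
    """Rows for cybex_open_tickets_potentially_risky_services_YYYYMMDD.csv."""
    rows = []
    for t in tickets:
        if not t["open"] or not _is_risky(t):
            continue
        rows.append({
            "_id": t["_id"], "owner": t["owner"], "ip": t["ip"],
            "port": t["port"], "service": t["service"], "category": t["category"],
            "time_opened": _iso(t["time_opened"]),
            "days_since_first_detected": _days(as_of, t["time_opened"]),
            "first_reported": _iso(t["first_reported"]),
            "days_since_first_reported": _days(as_of, t["first_reported"]),
            "days_to_report": _days(t["first_reported"], t["time_opened"]),
        })
    return rows

def closed_risky_rows(tickets):
    """Rows for cybex_closed_tickets_potentially_risky_services_YYYYMMDD.csv."""
    rows = []
    for t in tickets:
        if t["open"] or not _is_risky(t):
            continue
        rows.append({
            "_id": t["_id"], "owner": t["owner"], "ip": t["ip"],
            "port": t["port"], "service": t["service"], "category": t["category"],
            "time_opened": _iso(t["time_opened"]),
            "time_closed": _iso(t["time_closed"]),
            "days_to_close": _days(t["time_closed"], t["time_opened"]),
        })
    return rows

def to_csv(rows, columns):
    """Serialize rows with exactly the requested column order (None -> empty)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def attachment_name(kind, as_of):
    """Filename following the issue's naming scheme; kind is 'open' or 'closed'."""
    return f"cybex_{kind}_tickets_potentially_risky_services_{as_of:%Y%m%d}.csv"

if __name__ == "__main__":
    print(attachment_name("open", AS_OF))
    print(to_csv(open_risky_rows(SAMPLE_TICKETS, AS_OF), OPEN_COLUMNS))
    print(attachment_name("closed", AS_OF))
    print(to_csv(closed_risky_rows(SAMPLE_TICKETS), CLOSED_COLUMNS))
```

Tickets whose service is not in the flag list (the `https` sample) are dropped from both files, and a detected-but-unreported ticket keeps an empty `first_reported`/`days_to_report` rather than a bogus zero, which is the case a weekly tracker most needs to get right. Restricting rows to Federal Executive owners, as the existing "urgent" CSVs do, would be one more filter on `owner` before the service check.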
dav3r commented

@KeithBonesJr, @climber-girl What would you like this new CSV to be called? The two other existing CSVs are currently named cybex_open_tickets_urgent_YYYYMMDD.csv and cybex_closed_tickets_urgent_YYYYMMDD.csv.

Also, it sounds like you want this new CSV to only include tickets that are open at the time of CSV creation (i.e. places where the NMI services are still being detected, as of our most-recent scans) and should only include tickets owned by Federal Executive organizations (which is what we do for the two current "urgent" CSVs). Are those all correct assumptions?

@dav3r Yes, the assumptions are correct. For this one, since it's only the open ones, let's go with cybex_open_tickets_potentially_risky_services_YYYYMMDD.csv. We probably at some point want to circle back and do a cybex_closed_tickets_potentially_risky_services_YYYYMMDD.csv if CD is interested in that information.

@dav3r Just checked with the CD team and they want both the cybex_open_tickets_potentially_risky_services_YYYYMMDD.csv and cybex_closed_tickets_potentially_risky_services_YYYYMMDD.csv attached. I'll drop the columns here in a second. I need to review what was done in the past.

@dav3r The cybex_closed_tickets_potentially_risky_services_YYYYMMDD.csv would have the following columns:

_id, owner, ip, port, service, category, initial_detection, ticket_closed, days_to_close

dav3r commented

Thanks @KeithBonesJr - can you please update the issue description above so that it accurately reflects the requirements for both CSVs?

Yes of course @dav3r

dav3r commented

@KeithBonesJr I'm looking at the existing "urgent" CSVs and they have a slightly different set of field names than what you specified in this PR. I'm not talking about including service and category in place of name, cve, kev, and severity (which don't make sense for these risky service tickets) - I'm talking about the time-based fields like time_opened, days_since_first_detected, etc. See below for the current field names in the "urgent" CSVs:
cybex_open_tickets_urgent_YYYYMMDD.csv:

            columns=[
                "_id",
                "owner",
                "ip",
                "port",
                "name",
                "cve",
                "kev",
                "severity",
                "time_opened",
                "days_since_first_detected",
                "first_reported",
                "days_since_first_reported",
                "days_to_report",
            ],

cybex_closed_tickets_urgent_YYYYMMDD.csv:

            columns=[
                "_id",
                "owner",
                "ip",
                "port",
                "name",
                "cve",
                "kev",
                "severity",
                "time_opened",
                "time_closed",
                "days_to_close",
            ],

Did you want to keep those same field names or did you really want to go with the different field names that you mentioned (initial_detection, latest_detection, age_days, days_to_close)? I'd expect we would want all of these CSVs to be consistent.

@dav3r Great idea! Let's keep it consistent with the other stuff.

dav3r commented

@dav3r Great idea! Let's keep it consistent with the other stuff.

Excellent - this will also make the code simpler and thus a bit easier to maintain. Would you mind updating the requirements above again to mention these field names?

Hey @dav3r updated it to be consistent with the urgent cybex scorecard as requested.

dav3r commented

Code changes have been completed via these PRs, but not yet deployed to Production:

dav3r commented

Closing this issue - these changes were deployed to Production a couple of weeks ago.