The policy-checked unified event was added a few weeks ago to allow alerts triggered by security services that are based on policy engines (e.g. DLP, threat detection) to be mapped to a unified event. The policy-checked event structure was focused on the aspects of the policy rather than on the threats it detected. When we tried to use the policy-checked event structure to describe threats that have been detected, we came across the following limitations:
- It cannot describe a single policy check that generated multiple alerts.
- It is poorly aligned with the objects and entities a SOC analyst expects when dealing with threats, as defined by STIX.
- Some threat detections are not driven by a specific policy at all.
We have therefore decided to replace the policy-checked event, which was used mostly to describe threat detection use cases, with a new event called security-threat-detected that is focused on, and modelled for, the threat detection domain and its services.
Breaking change details
- The policy-checked event was introduced in SkyFormation version 2.3.84, released on Dec 3 2018.
- Impacted connectors/endpoints:
- Cisco AMP
- Office 365/Exchange
- Proofpoint ATP
- Sophos Central Cloud
The security-threat-detected event structure