Decide on and document the difference between IAM and Application events

[alanisaac]

Proposal

There are multiple ideas about the difference between the Identity & Access Management events and the Application Activity events. Depending on the perspective of the person mapping events, they may come away with different conclusions about which event to use in specific situations. This could lead to multiple contributors or vendors mapping events in different ways, which would be confusing to event consumers.

In order to avoid this situation, we should clarify the difference between these events, and document it, including examples of situations that may be confusing as guidance for event mappers.

Ideas

• IAM:
  • Represents "Defining"
  • Target is always an identity
  • Policy Decision
• Application:
  • Represents "Using"
  • Target is always a resource
  • Policy Enforcement

Additional Concerns

Tangentially, the API Activity event could also use clarification. Many of the above IAM and Application Activity events can happen as the result of API calls. Which event is appropriate to use in that situation?

Examples

Suppose an administrator for a security-related application creates another user with specific permissions assigned. What should be logged?

• Should the user creation be logged as Entity Management because it is an IAM entity?
• Should the user creation be represented as Web Resource Activity, because the user is a resource available on the web?
• Should the user creation be represented as API Activity if the action was taken as a result of calling an API?
• Should the initial permissions assigned to the user be logged as a separate User Access Management event, even though it occurred with user creation?

Suppose an application utilizes an ABAC system for access where attributes of the subject and object are used for access control rather than direct permissions. In this application, suppose an administrator modifies something used in policy enforcement. What should be logged:

• Would modifying an access policy result in an Entity Management log because it is part of access management or a Web Resource Activity log because it is not an identity specifically?

[netfl0]

Why not log all that apply?

[k2niner]

Agree that IAM actions could often be logged as a web resource activity, but that is certainly not the intent. Do we better define "web resource" by saying what it isn't? If at all possible, I feel should try to align with the D3FEND taxonomy.

[alanisaac]

Why not log all that apply?

It's a good question. I might think about two separate aspects of this:

• Often, existing data from vendors are being mapped into OCSF schemas. In this situation, is mapping one vendor event to multiple OCSF events recommended or not?
  • Would an analyst prefer this because it can provide more information or be confused by this because it might look like something happened twice that actually only happened once?
  • If we do log multiple events is there a standard a way to encode that they are the representative of the same event in the OCSF schema?
• Even if the stance is that mappers should log all that apply, "all that apply" is still up for interpretation. I think the need to decide on and document what event(s) to log in what circumstances would still be applicable, as not all mappers might pick the same set of events to log.