From 722db483b8dc12a947de306a629eb7aa030a368f Mon Sep 17 00:00:00 2001 From: ezzeddinemtar Date: Thu, 2 Oct 2025 14:14:47 +0200 Subject: [PATCH 1/3] MalwareProtectionEnabled metric implemented --- .../MalwareProtectionEnabled/MalwareProtectionEnabled.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/metrics/EndpointSecurity/MalwareProtectionEnabled/MalwareProtectionEnabled.yml b/metrics/EndpointSecurity/MalwareProtectionEnabled/MalwareProtectionEnabled.yml index 05011208..2fe5f5fe 100644 --- a/metrics/EndpointSecurity/MalwareProtectionEnabled/MalwareProtectionEnabled.yml +++ b/metrics/EndpointSecurity/MalwareProtectionEnabled/MalwareProtectionEnabled.yml @@ -3,9 +3,9 @@ id: MalwareProtectionEnabled description: This rule assesses whether a [VirtualMachine] that offers the property [MalwareProtection], has [p1:enabled] configured correctly. category: EndpointSecurity version: "1.0" -comments: Resources like virtual machines may be protected by a malware protection solution, which should then be enabled. +comments: Resources like virtual machines may be protected by a malware protection solution, which should then be enabled; evidence collectors can source `malwareProtection.enabled` from agents such as Wazuh, Microsoft Defender for Endpoint, or other supported telemetry providers. # ====== Configuration ====== configuration: p1: operator: "==" - targetValue: True \ No newline at end of file + targetValue: True From be2d27c3899f23f28fb18227424e2f18cf979c33 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 2 Oct 2025 12:17:11 +0000 Subject: [PATCH 2/3] Add generated proto file [skip ci] --- ontology/1.0/ontology.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ontology/1.0/ontology.proto b/ontology/1.0/ontology.proto index bb553b5a..16a459bf 100644 --- a/ontology/1.0/ontology.proto +++ b/ontology/1.0/ontology.proto @@ -33,7 +33,7 @@ import "google/protobuf/descriptor.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/timestamp.proto"; -option go_package = "confirmate.io/confirmate/v1/api/ontology"; +option go_package = "confirmate.io/core/api/ontology"; extend google.protobuf.MessageOptions { repeated string resource_type_names = 60000; From 7f60250869b3775fa426a43b9ae4cc07013df3ce Mon Sep 17 00:00:00 2001 From: ezzeddinemtar Date: Thu, 2 Oct 2025 14:42:01 +0200 Subject: [PATCH 3/3] NumberOfThreatsFound metric implemented --- README.md | 2 +- ...reat_vulnerability_management_catalog.json | 36 +++++++++++++++++++ .../NumberOfThreatsFound.yml | 11 ++++++ .../NumberOfThreatsFound/data.json | 4 +++ .../NumberOfThreatsFound/metric.rego | 17 +++++++++ 5 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 catalogs/threat_vulnerability_management_catalog.json create mode 100644 metrics/EndpointSecurity/NumberOfThreatsFound/NumberOfThreatsFound.yml create mode 100644 metrics/EndpointSecurity/NumberOfThreatsFound/data.json create mode 100644 metrics/EndpointSecurity/NumberOfThreatsFound/metric.rego diff --git a/README.md b/README.md index a64c821a..d78ba088 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ This repository collects security metrics that can be used for continuous certif The repository is structured as follows. - api: this folder is still preliminary. The idea is to define the metric data format in a programmatic way, e.g., using a protobuf file -- catalogs: the catalogs folder holds files for different certification catalogs, benchmarks, etc. These files encode the requirements of the catalogs and map them to metrics. This way, continuous certification tools that apply the metrics can map assess the degree of compliance of a given catalog later. +- catalogs: the catalogs folder holds files for different certification catalogs, benchmarks, etc. These files encode the requirements of the catalogs and map them to metrics. This way, continuous certification tools that apply the metrics can map assess the degree of compliance of a given catalog later. Example files include `demo_catalog.json`, `cryptography_roles_catalog.json`, and `threat_vulnerability_management_catalog.json`. - metrics: this folder holds the actual metrics. It is structured into domains first and each domain contains a number of metric folders. One of these metric folders in turn holds the following information. - metric.yml: This file describes the metric data, e.g., a description and its target value (see the structure explanation below) - metric.rego: This file encodes the metric data as a [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) file that can automatically be evaluated using the [OPA](https://www.openpolicyagent.org) engine. diff --git a/catalogs/threat_vulnerability_management_catalog.json b/catalogs/threat_vulnerability_management_catalog.json new file mode 100644 index 00000000..42e20076 --- /dev/null +++ b/catalogs/threat_vulnerability_management_catalog.json @@ -0,0 +1,36 @@ +[ + { + "id": "ThreatVulnerabilityManagementCatalog", + "name": "Threat & Vulnerability Management", + "description": "Catalog entries focused on malware protection policies and operational coverage.", + "metadata": { + "color": "#8E24AA" + }, + "short_name": "TVM", + "assurance_levels": [ + "baseline" + ], + "all_in_scope": true, + "categories": [ + { + "name": "Threat & Vulnerability Management", + "description": "Maintain effective malware protection controls for managed assets.", + "controls": [ + { + "id": "TVM-02", + "name": "Malware Protection Policy and Procedures", + "description": "Establish, apply, and maintain malware protection policies and procedures for managed assets, reviewing them at least annually.", + "metrics": [ + { + "id": "MalwareProtectionEnabled" + }, + { + "id": "NumberOfThreatsFound" + } + ] + } + ] + } + ] + } +] diff --git a/metrics/EndpointSecurity/NumberOfThreatsFound/NumberOfThreatsFound.yml b/metrics/EndpointSecurity/NumberOfThreatsFound/NumberOfThreatsFound.yml new file mode 100644 index 00000000..fd2c21c2 --- /dev/null +++ b/metrics/EndpointSecurity/NumberOfThreatsFound/NumberOfThreatsFound.yml @@ -0,0 +1,11 @@ +# ====== Metadata ====== +id: NumberOfThreatsFound +description: This rule evaluates whether a [VirtualMachine] reporting [MalwareProtection] exposes the property [p1:numberOfThreatsFound] indicating no malware detections. +category: EndpointSecurity +version: "1.0" +comments: Antimalware tooling should surface zero active detections on managed endpoints; evidence collectors can draw from `malwareProtection.numberOfThreatsFound` emitted by Wazuh, Microsoft Defender for Endpoint, or other supported telemetry sources. +# ====== Configuration ====== +configuration: + p1: + operator: "==" + targetValue: 0 diff --git a/metrics/EndpointSecurity/NumberOfThreatsFound/data.json b/metrics/EndpointSecurity/NumberOfThreatsFound/data.json new file mode 100644 index 00000000..ade12729 --- /dev/null +++ b/metrics/EndpointSecurity/NumberOfThreatsFound/data.json @@ -0,0 +1,4 @@ +{ + "operator": "==", + "target_value": 0 +} diff --git a/metrics/EndpointSecurity/NumberOfThreatsFound/metric.rego b/metrics/EndpointSecurity/NumberOfThreatsFound/metric.rego new file mode 100644 index 00000000..08caa638 --- /dev/null +++ b/metrics/EndpointSecurity/NumberOfThreatsFound/metric.rego @@ -0,0 +1,17 @@ +package cch.metrics.number_of_threats_found + +import data.cch.compare +import input.malwareProtection as mp + +default applicable = false + +default compliant = false + +applicable if { + mp +} + +compliant if { + detections := mp.numberOfThreatsFound + compare(data.operator, data.target_value, detections) +}