...

• Determine if there is a standard terminology regarding logging architecture terms.  Eg., Are the categories in the above table industry accepted?

  • **There probably a body of work we can reference that spells this out.  ACTION: Literature review for that

Notes

At a high level there are 4 5 broad categories in regards to Security Event Management (Or is this a Security Event Lifecycle?)**There probably a body of work we can reference that spells this out.  ACTION: Literature review for that

Generation

• Within ONAP both containers and infrastructure generate raw data that have security concerns.
  • Containers (xNFs)
    • That is documented here: https://wiki.onap.org/download/attachments/100895473/2021-02-22_LoggingRequirementEvents_v9.pptx?version=1&modificationDate=1619018452000&api=v2
  • Infrastructure (Docker and K8S)
    • There are a set of logs that both Docker and K8S generate that relate to security monitoring.
    •  That That is documented here: https://wiki.onap.org/download/attachments/103419713/Logging%20-%20ATTACK%20to%20SECCOM_v3.pptx?version=1&modificationDate=1622560207000&api=v2

Collection

• There currently is a SECCOM proposal that specifies what type of data should be logged where it should be logged to.  
  • [REQ-374] ONAP shall use STDOUT for logs collection - ONAP JIRA
• How these logs would be collected and aggregated is specified by the ONAP NextGen Presentation by Byung.
  • ONAP Next Generation Security & Logging Architecture#ONAPLogging  
  • old presentation slide deck (see the above link for the latest on) https://wiki.onap.org/download/attachments/103416997/ONAP-Next-Generation-Security-Logging-2021-5-25-v1.pptx?version=1&modificationDate=1621953519000&api=v2

Monitoring

• Includes Enrichment, Analysis, and Reporting.
• It is expected that this function out of scope for ONAP.  A CSP / MNO will make used of a SIEM.  ONAP's role is to provide a means to export security event data.  This is where analytics are stored and applied to the data the is ingested from ONAP.
• Presentation by Fabian pertaining to Analysis: ONAP Logs Security Managment1.pptx

 Alerting

• Possibly to include mitigation and actions.   
• If we expect ONAP to respond to security events in a closed loop manner, then there needs to be a way for events generated by the SIEM to be ingested back into ONAP.

Response

Comments from Chakar, paraphrased, (7/20/2021 SECCOM Meeting)

...