FY24Q3-iroh-team
- Intro
- XDR Program Q3FY24 Engineering Plans
- Notes
- tags
- source
Intro
Document for keeping track of the current state.
Big Topic <=> People
XDR Program Q3FY24 Engineering Plans
| Topic | People | Size |
|---|---|---|
| PM Prios | | |
| SCA Integration | Matt | XS conf change |
| PIAM Universal Brownfield | Wanderson | L |
| JAMF Integration | Matt | XS ask for merge? |
| MITRE | GE + Olivier | XL |
| Design (on prem iroh proxy) | Matt | S |
| new modules (x7) | Shafiq | L (Ransomware) |
| Notifications | Kirill | settings (webex) (XL) |
| new auth (x7) | Shafiq | L (Checkpoint) |
| Integration Admins | Matt | (SOAR, Palo Alto, CheckPoint) |
| Meraki (1-click) | Yann/Jyoti | XS (maintenance, help, client creation) |
| Default Modules for SMA | Matt | S (conf) |
| IOPS | Matt | help @Garima |
| AO webhook dependency | Matt/Yann? | help @Lisa |
| IROH Multi Tenancy APIs | Yann | M (design) |
| #8579 | Shafiq | S |
| SUSTAINING | | |
| Push logs to datadog | ? | |
| ES Performance | Mario + Ambrose | |
| ES Perf ops | Jerome + Patrick | |
| PG Perf ops | Jerome + Patrick | |
| Alerting + Monitoring ops | Jerome + Patrick | |
| Kafka | Jerome | auth kafka |
| Module type doc patch | ? | |
| Impersonation | Yann | |
- Multi tenancy: https://ciscosecurity.aha.io/epics/XDR-E-85
Notes
- Open DBs for IOPS
Q2 Rollovers?
[…] Incident Summary related work
- spikes in incident summary generation failures
- summarize incident at bundle import
- fix missing attack pattern in incident summary
- add status_disposition to search filter on incident summaries and incidents
[…] Rescoring (Incident / Incident Summary )
Maribelle Questions Capacity Planning Q3
Commits:
Incident Enhancement DevNet Compliance:
TODO: follow-up https://ciscosecurity.aha.io/features/XDR-89 ; ping Guy
Sustaining items
Hi Jyoti, here is a list of sustaining items (edited with design items):
- Design: IROH proxy working with on-prem devices
- https://github.com/advthreat/iroh/issues/8700 Push our log to datadog
-
ES Performance issues
- https://github.com/advthreat/iroh/issues/8501 NGFW spikes
-
Ops
- ES perf
- Postgres perf (indexes)
- https://github.com/advthreat/iroh-ops/issues/23 Alerting Improvement & documentation
- https://github.com/advthreat/iroh-ops/issues/104 Authenticated Kafka
- https://github.com/advthreat/iroh/issues/8280 ModuleType Admin API: Add a dedicated route to patch documentation
- https://github.com/advthreat/iroh/issues/7324 Impersonation (TAC)
Unexpected tasks
Performance Issue
- SE pushed too many incidents
Align Priorities Q3 meetings Notes
@Namrata: look at all priorities on the table. Update to everybody around Oort. Being planned for Q3, challenges from PM.
Top Priorities
-
Breach Suite outcomes
- AI related initiative, SOC assistant
- MITRE Visualisation
- Oort Implementation
- Support other suites
- XDR
List the priorities from Airtable
@Lisa what is rolling over from Q2
- Geo pushed out of Q3
-
SCA Integration - configuration
- @Jyoti: problem with the existing one?
- @Paul: I think only changing the configuration
- @Jyoti: integrations from SCA
-
PIAM Universal Flow - Brownfield
- @Jyoti require us to support also PIAM token (later with Travis)
-
JAMF:
- @Garima: config changes from IROH team
- @Matt: already has the change, need to check if this could be merged
-
Oort Integration
- @Namrata: the ask is and timeframe. User context from Insight in Incident and in investigation and response action by using API from Oort. User context be part of incident scoring.
- @Jyoti: things we need to do. Like with devices we need to do something similar for the users. Only then we can consider those users-assets for scoring. Mia was involved in that along with GE I think. We need to know how that will change the algorithm. On the UI side, I don't know if there are designs for showing the user value.
- @Rob: I don't think something involves the IROH team.
- @Matt: not sure we need to work on a specific module authorization.
- @Jyoti: not going through the IROH Proxy.
- @Paul: I confirm
- @Namrata: no work for IROH
Next Day: List the priorities from Airtable
@Namrata: asked to bump up MITRE and SOC assistant
- …
- SOAR: @Namrata not occur probably
- Infra XDR: we can skip
- Incident: we can skip
-
- INT Guided response, auto-target, on prem device (some work from Matt)
-
- no iroh impact
-
- no iroh impact
-
- Vulnerability Management: @Paul blocked, only discovery, platform involvement unknown
-
- no iroh impact @rob
-
- no iroh impact @rob
-
- no @Prerna
-
- @rob: turning off Umbrella, so maybe iroh work, but minor, no iroh impact (quality check)
-
- MITRE @Prerna; @Yann GE & Olivier @Namrata: add value, it can be beta quality, show this for RSA, but maybe not delivered. Ship something in Q3.
-
- Impersonation (XDR Efficacy) @Prerna, also impersonating from TAC @Namrata: better understanding
-
- @Prerna: big effort. @Namrata: Why? Email + Webex notifications. @Namrata: perhaps split the tasks.
-
- @rob: no iroh requirement for delivery
-
- @rob: xdr analytics, no iroh impact
-
- no iroh impact
-
- no iroh impact @Garima
-
- Threat Intel enhancement: no iroh impact
-
- Admin work for Matt
-
- @rob design only, minor iroh impact. potentially some capacity, but not commit.
-
-
- Multi-tenancy @Prerna design only for Yann
-
- IM/AUT incident : no iroh impact
- 37: SCA no iroh impact
- 38: RBAC @Prerna not Q4
- 39: RBAC @Prerna not Q4
-
- no iroh impact @rob
- 41: @rob no iroh impact
- 42+: no impact
Discussion
@Lisa: discussion about adding a new @garima: IOPS ask for iroh team. @Lisa: question, when we will know when your team
@GE: rollover? @Namrata: we shouldn't fill our bucket at 100%. Fill it at 80%.