# Persona: Network-centric MSSP customer
# ------------------------------------------------------------------
# A regional manufacturer that outsources detection to an MSSP with access
# only to network-edge telemetry: firewalls, Zeek on egress, the DNS
# resolver, the web proxy and IDS/IPS. No host telemetry and no AD log
# shipping. Use this persona to show where purely network-based coverage
# breaks down: many Discovery, Lateral Movement and Persistence techniques
# cannot be detected without endpoint visibility, and anything that never
# crosses the egress sensor (east-west traffic inside a segment, purely
# on-host activity) is invisible to this MSSP altogether.
# ------------------------------------------------------------------
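---
version: 1.3
file_type: data-source-administration
name: Network-centric MSSP
systems:
  - applicable_to: all
    description: Manufacturing OT/IT, perimeter-only telemetry

log_sources:
  # ---- Network: Zeek + NetFlow + IDS at egress ----
  - { name: zeek,     channel: conn,  score: 5, comment: "Full conn.log shipped from every egress sensor" }
  - { name: zeek,     channel: http,  score: 4, comment: "Zeek http.log" }
  - { name: zeek,     channel: ssl,   score: 4, comment: "Zeek ssl.log + JA3 enrichment" }
  # NOTE(review): an egress-only sensor sees the resolver's upstream queries;
  # if the resolver is internal, attributing a lookup to the client that asked
  # needs the resolver's own query log, which is not listed here.
  - { name: zeek,     channel: dns,   score: 4, comment: "Zeek dns.log shipped" }
  - { name: suricata, channel: alert, score: 4, comment: "ET + Talos rules at edge" }
  - { name: netflow,  channel: v9,    score: 5, comment: "NetFlow on edge + core" }

  # ---- Host firewall (Windows Security event log) ----
  # NOTE(review): these two entries are Windows host events, not Palo Alto /
  # Check Point firewall logs, and the header states "no host telemetry".
  # Either drop them or replace them with the perimeter firewalls' traffic /
  # threat logs; a score of 5 on host events hides the very gap this persona
  # is meant to demonstrate. Kept as-is pending that decision.
  - { name: windows-security, channel: "4946", score: 5, comment: "Firewall rule add (where Windows hosts log)" }
  - { name: windows-security, channel: "4954", score: 5, comment: "Firewall enable / disable / metadata changes" }

  # ---- External / passive ----
  - { name: public-data, channel: dns,   score: 4, comment: "PassiveTotal + DNSDB feeds" }
  - { name: public-data, channel: scan,  score: 3, comment: "Censys / Shodan integration" }
  - { name: public-data, channel: whois, score: 1, comment: "Manual via threat-intel feeds" }

  # ---- Web proxy / WAF / VPN auth ----
  - { name: application-log, channel: generic, score: 3, comment: "Web proxy + WAF logs" }
  # Okta only sees what the VPN AAA forwards; there is no other identity source
  # in this persona, so authentication coverage is limited to VPN logons.
  - { name: okta,            channel: system,  score: 2, comment: "VPN AAA forwards to Okta system log (no other ID)" }
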