|
| 1 | +# Notes |
| 2 | + |
| 3 | +* We have connections with the Otel working group (TODO) |
| 4 | +* OASF |
| 5 | + * More about classifying Agent skills than agentic events |
| 6 | + * Maybe not an immediate connection |
| 7 | +* OCSF |
| 8 | + * Captures events for security practitioners |
| 9 | + * Might need more agentic |
| 10 | +* What are looking for in this working group? |
| 11 | + * Customers frustrated with too many standards they need to adopt |
| 12 | + * Example: accounting firm, RAG on tax docs. Only these specific people should respond to it. But don’t know the best practices, and would find guidance helpful. |
| 13 | + * Lots of startups around deploy-stack for management of MCP servers, LLMs, etc., but what are the blind spots? |
| 14 | + * Example: customer wrapping APIs with an internal MCP server. Reason: before, they needed to train their support team on how to read audit logs, now, they have them ask the chatbot. |
| 15 | + * Guidance vs a specification? |
| 16 | + * Proposal: we should build out an SDK |
| 17 | + * Contribute it back to Otel? |
| 18 | + * Challenge: making something overly broad vs narrow and specific to start with |
| 19 | + * Easier exercise: what vs how? |
| 20 | + * But — we might close the door on certain paths on what we want to audit |
| 21 | +* Observe Discussion |
| 22 | + * SDK: pure SDK for traces and spans for Otel |
| 23 | + * Poirot: creates metrics around traces |
| 24 | + * Integrations with LangChain, e.g. as well as MCP servers |
| 25 | +* Personas |
| 26 | + * Higher priority - Identity |
| 27 | + * Compliance Professionals |
| 28 | + * Security Professionals |
| 29 | + * Support Teams (audit-logs-as-training-data) |
| 30 | + * Lower priority (not a part of the identity working group) |
| 31 | + * Agent and Agentic Resource Developers |
| 32 | + * How are personas going to be consuming this? |
| 33 | + * Example: how can they use LLMs to cut down event noise |
| 34 | + * Will it be these human personas consuming audit logs or their agents? |
| 35 | +* Standards |
| 36 | + * SET (security event tokens) |
| 37 | + * CADF (cloud auditing data federation) |
| 38 | + * CEF (common event format) |
| 39 | + * SSF (shared signals framework) — RISC / CAEP |
| 40 | + * Microsoft extension to SCIM |
| 41 | + * Be wary of https://xkcd.com/927/ |
| 42 | + |
| 43 | +# Action Items |
| 44 | + |
| 45 | +1. Nailing down persona / use cases |
| 46 | +2. What are the data points that we need recorded |
| 47 | +3. Look at existing standards & frameworks, compare to 2. above |
| 48 | +4. Converge: pursue these tracks |
| 49 | + |
| 50 | +# Logistics |
| 51 | + |
| 52 | +Next meeting will be 2025-01-13 because of the holidays. See everyone in the new year! |
0 commit comments