Smart descriptions for Vectra #19
Cyber-Mathoune wants to merge 3 commits into SEKOIA-IO:feat/vectra_smart_descriptions from
events/smart-descriptions.json
Outdated

        }
      ],
      {
        "value": "{observer.ip} detected {vectra.detection.name} : {host.name} ({host.ip})",
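Review bot: in this excerpt the `],` line is followed directly by `{`, with no `}` closing the preceding entry object; compare the `}]` / `},` / `{` sequence in the later excerpts and confirm the file parses as JSON (the reviewer's request to run a formatter would surface this too).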
Suggested change:
-       "value": "{observer.ip} detected {vectra.detection.name} : {host.name} ({host.ip})",
+       "value": "{observer.ip} detected {vectra.detection.name} on {host.name} ({host.ip})",
events/smart-descriptions.json
Outdated

        "relationships": [{
          "source": "host.ip",
          "target": "destination.ip",
          "type": "{vectra.detection.name}"

Using a field name / template is not supported for type at the moment. I've opened an issue to support it.
events/smart-descriptions.json
Outdated

        }]
      },
      {
        "value": "{observer.ip} refreshed detection {vectra.detection.last_type} : {host.name} ({host.ip})",

Suggested change:
-       "value": "{observer.ip} refreshed detection {vectra.detection.last_type} : {host.name} ({host.ip})",
+       "value": "{observer.ip} refreshed detection {vectra.detection.last_type} on {host.name} ({host.ip})",
events/smart-descriptions.json
Outdated

        }]
      },
      {
        "value": "[HOST SCORING] {host.name} ({host.ip}) : threat = {vectra.risk_score_norm}",

Smart Descriptions are supposed to abstract complexity as much as possible. Can't we create a sentence here ?
events/smart-descriptions.json
Outdated

        }],
      },
      {
        "value": "[LOCKDOWN] {user.name} {action.name} {vectra.account.name} ",
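Review bot: the `}],` at the top of this excerpt is followed by `},`, which leaves a trailing comma before the closing brace and makes the file invalid JSON for strict parsers; drop the comma as in the `}]` / `},` pairs elsewhere in the file. The `value` string also ends with a space inside the quotes (the same applies to the HOST LOCKDOWN template below), which will render as a trailing blank in every description; trim it.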
Smart Descriptions are supposed to abstract complexity as much as possible. Can't we create a sentence here ?
events/smart-descriptions.json
Outdated

        }]
      },
      {
        "value": "[HOST LOCKDOWN] {user.name} {action.name} {host.name} ",

Smart Descriptions are supposed to abstract complexity as much as possible. Can't we create a sentence here ?
events/smart-descriptions.json
Outdated

        }]
      },
      {
        "value": "[CAMPAIGN] event : {vectra.detection.reason} from {source.ip} to {vectra.destination.name} ({destination.ip}) ",
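Review bot: this template ends with a space inside the closing quote and uses the spaced `event :` form that the two suggestions above replace elsewhere; once rewritten as a sentence, trim the trailing blank and keep the punctuation consistent with the other entries.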
Smart Descriptions are supposed to abstract complexity as much as possible. Can't we create a sentence here ?
events/smart-descriptions.json
Outdated

        "relationships": [{
          "source": "source.ip",
          "target": "destination.ip",
          "type": "{vectra.detection.reason}"

can't use a field name / template as relationship type at the moment
gaelmuller left a comment:

Could you also apply a formatter ?
        "relationships": [{
          "source": "source.ip",
          "target": "destination.ip",
          "type": "campaign"
        }]

Not convinced this relationship really makes sense. Note that you can now use variables in relationship type
        "relationships": [{
          "source": "source.ip",
          "target": "destination.ip",
          "type": "campaign"
        }]

Suggested change (lines removed):
-       "relationships": [{
-         "source": "source.ip",
-         "target": "destination.ip",
-         "type": "campaign"
-       }]

copy paste error ?
        "relationships": [{
          "source": "source.ip",
          "target": "destination.ip",
          "type": "campaign"
        }]

Suggested change (lines removed):
-       "relationships": [{
-         "source": "source.ip",
-         "target": "destination.ip",
-         "type": "campaign"
-       }]

copy paste error ?
Smart descriptions for the vectra cognito detect intake format
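Added example, not code from this PR or from the SEKOIA-IO repository: a small Python linter that renders smart-description templates against a constructed event and flags the points raised in the review (bracketed tags instead of sentences, trailing whitespace, placeholders in a relationship type where the platform does not accept them, endpoint fields the event cannot supply, relationship blocks repeated verbatim). The entry layout (a list of objects with a `value` template and `relationships` of `source`/`target`/`type`) is inferred from the fragments quoted above, and every field value in the sample event is constructed.

```python
"""Lint smart-description templates before opening a PR (added example).

Entry layout (list of {"value": ..., "relationships": [...]}) is inferred from
the review excerpts; it is not the project's own schema or code.
"""
import json
import re

# A placeholder is a dotted field name in braces, e.g. {host.ip}.
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.]+)\}")

# Constructed sample in the inferred layout: a sentence-style entry with a
# templated relationship type, and a tag-style entry with a trailing space.
SAMPLE_DESCRIPTIONS = json.loads("""
[
  {
    "value": "{observer.ip} detected {vectra.detection.name} on {host.name} ({host.ip})",
    "relationships": [
      {"source": "host.ip", "target": "destination.ip", "type": "{vectra.detection.name}"}
    ]
  },
  {
    "value": "[HOST LOCKDOWN] {user.name} {action.name} {host.name} ",
    "relationships": [
      {"source": "source.ip", "target": "destination.ip", "type": "campaign"}
    ]
  }
]
""")

# Constructed sample event, already flattened to dotted keys.
SAMPLE_EVENT = {
    "observer.ip": "10.0.0.5",
    "vectra.detection.name": "Suspicious Remote Exec",
    "host.name": "ws-017",
    "host.ip": "10.0.1.17",
    "user.name": "alice",
    "action.name": "locked down",
}


def render(template, event):
    """Substitute placeholders; return (text, missing_fields).

    Unresolved placeholders are left in place so the gap stays visible.
    """
    missing = []

    def substitute(match):
        key = match.group(1)
        if key in event:
            return str(event[key])
        missing.append(key)
        return match.group(0)

    return PLACEHOLDER.sub(substitute, template), missing


def lint_entry(entry, event, allow_templated_type=True):
    """Render one entry and return (text, findings).

    allow_templated_type=False reproduces the constraint stated early in the
    review: no field placeholder inside a relationship type.
    """
    findings = []
    value = entry.get("value", "")
    if value != value.strip():
        findings.append("value has leading/trailing whitespace")
    if value.startswith("["):
        findings.append("value opens with a bracketed tag instead of a sentence")
    text, missing = render(value, event)
    findings.extend(f"unresolved field {name}" for name in missing)

    for rel in entry.get("relationships", []):
        for key in ("source", "target", "type"):
            if key not in rel:
                findings.append(f"relationship missing {key}")
        rel_type = rel.get("type", "")
        if not allow_templated_type and PLACEHOLDER.search(rel_type):
            findings.append(f"templated relationship type {rel_type!r}")
        # Endpoints are field names; a relationship is only useful if the
        # event actually carries both of them.
        for key in ("source", "target"):
            if rel.get(key) not in event:
                findings.append(f"relationship {key} {rel.get(key)!r} absent from event")
    return text, findings


def lint_all(descriptions, event, allow_templated_type=True):
    """Lint every entry and flag relationship blocks repeated verbatim."""
    results = [lint_entry(e, event, allow_templated_type) for e in descriptions]
    seen = {}
    for index, entry in enumerate(descriptions):
        for rel in entry.get("relationships", []):
            fingerprint = json.dumps(rel, sort_keys=True)
            if fingerprint in seen:
                results[index][1].append(
                    f"relationship duplicates entry {seen[fingerprint]} (copy/paste?)")
            else:
                seen[fingerprint] = index
    return results


if __name__ == "__main__":
    for text, findings in lint_all(SAMPLE_DESCRIPTIONS, SAMPLE_EVENT, False):
        print(text)
        for finding in findings:
            print("  -", finding)
```

Run it against the real `events/smart-descriptions.json` by replacing `SAMPLE_DESCRIPTIONS` with `json.load(open(path))` and the sample event with a captured intake event; the whitespace and bracket checks catch the cosmetic points from the review, and the duplicate fingerprint catches the copy-pasted campaign relationship.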