Merge pull request #164 from CybercentreCanada/AL-3333

Append raw alert logs to service ontology
CybercentreCanada · Oct 8, 2024 · 663fb9a · 663fb9a
2 parents a693d4c + 4971783
commit 663fb9a
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/suricata_/helper.py b/suricata_/helper.py
@@ -34,6 +34,7 @@ def parse_suricata_output(
     extracted_files = {}
     temp_submission_data.setdefault("url_headers", {})
     ancestry = temp_submission_data.setdefault("ancestry", [])
+    alert_logs = []
 
     from_proxied_sandbox = (
         any(a[-1]["parent_relation"] == PARENT_RELATION.DYNAMIC for a in ancestry) and uses_proxy_in_sandbox
@@ -192,6 +193,7 @@ def attach_network_connection(data: dict):
         elif record["event_type"] == "flow":
             attach_network_connection(network_data)
         elif record["event_type"] == "alert":
+            alert_logs.append(record)
             if "signature_id" not in record["alert"] or "signature" not in record["alert"]:
                 continue
             signature_id = record["alert"]["signature_id"]
@@ -384,6 +386,10 @@ def attach_network_connection(data: dict):
             if extracted_file not in extracted_files_dedup:
                 extracted_files_dedup.append(extracted_file)
 
+    if alert_logs:
+        # Append logging to ontology in 'other' key
+        ontology.add_other_part("alerts", json.dumps(alert_logs))
+
     return {
         "alerts": alerts,
         "signatures": signatures,