Enhance parsing of severity levels
TonioRyo committed Jan 13, 2025
1 parent f23d74b commit 99ddc2e
Showing 14 changed files with 45 additions and 15 deletions.
12 changes: 9 additions & 3 deletions Netskope/netskope_events/ingest/parser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -150,17 +150,23 @@ stages:
netskope.events.severity.level: "{{parsed_event.message.severity_level}}"
filter: "{{ parsed_event.message.severity_level|int(-1) == -1 }}"

- set:
netskope.events.severity.level: "{{parsed_event.message.severity}}"
filter: "{{ parsed_event.message.severity|int(-1) == -1 }}"

- set:
netskope.events.severity.id: "{{parsed_event.message.severity_level}}"
filter: "{{ parsed_event.message.severity_level|int(-1) >= 0 }}"

- translate:
dictionary:
3: "high"
1: "med"
1: "High"
2: "Medium"
3: "Low"
mapping:
parsed_event.message.severity_level: netskope.events.severity.level
filter: "{{ parsed_event.message.severity_level|int(-1) >= 0 }}"
fallback: "Info"
filter: '{{ parsed_event.message.severity_level|int(-1) >= 0 and parsed_event.message.type == "admin_audit_logs"}}'

- set:
netskope.dlp.action: "{{parsed_event.message.dlp_match_info[0].dlp_action}}"
Expand Down
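Review bot: The added `set` stage copies `parsed_event.message.severity` into `netskope.events.severity.level` verbatim, so that normalized field now carries mixed casing: the rewritten translate dictionary emits `High`/`Medium`/`Low` (and the `Info` fallback) for `admin_audit_logs`, while the pass-through yields raw vendor strings such as `high` and `unknown`, as the updated fixtures in this commit show. A detection rule keyed on `netskope.events.severity.level == "High"` would silently miss the pass-through events; normalizing in one place, e.g. `netskope.events.severity.level: "{{parsed_event.message.severity|capitalize}}"`, keeps the field consistent (with the `high`/`unknown` fixture expectations updated to match). The new filter `parsed_event.message.severity|int(-1) == -1` also holds when `severity` is absent, so if the intake engine writes empty renderings this stage would overwrite the value set from `severity_level` two stages above — worth confirming against the engine's `set` semantics or tightening to `parsed_event.message.severity is defined and parsed_event.message.severity|int(-1) == -1`. The `stages` list continues beyond the hunk, so any later stage touching `netskope.events.severity` is not visible here.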
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,8 @@
},
"ccl": "unknown",
"severity": {
"id": 2
"id": 2,
"level": "Medium"
}
}
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
"ccl": "unknown",
"severity": {
"id": 1,
"level": "med"
"level": "High"
}
}
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
"ccl": "unknown",
"severity": {
"id": 1,
"level": "med"
"level": "High"
}
}
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,8 @@
},
"ccl": "unknown",
"severity": {
"id": 2
"id": 2,
"level": "Medium"
}
}
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,8 @@
},
"ccl": "unknown",
"severity": {
"id": 2
"id": 2,
"level": "Medium"
}
}
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
"ccl": "unknown",
"severity": {
"id": 1,
"level": "med"
"level": "High"
}
}
},
Expand Down
5 changes: 4 additions & 1 deletion Netskope/netskope_events/tests/test_dlp_alert.json
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,10 @@
"name": "LinkedIn",
"suite": "Linkedin App"
},
"ccl": "medium"
"ccl": "medium",
"severity": {
"level": "unknown"
}
}
},
"network": {
Expand Down
3 changes: 3 additions & 0 deletions Netskope/netskope_events/tests/test_dlp_incident.json
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,9 @@
"access_method": "Client",
"application": {
"name": "NextCloud"
},
"severity": {
"level": "Low"
}
}
},
Expand Down
5 changes: 4 additions & 1 deletion Netskope/netskope_events/tests/test_malware_alert.json
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,10 @@
"category": "n/a",
"name": "eicar"
},
"ccl": "unknown"
"ccl": "unknown",
"severity": {
"level": "high"
}
}
},
"network": {
Expand Down
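Review bot: This fixture pins `"level": "high"` in lower case while the admin-audit fixtures in the same commit pin `"High"` for the same `netskope.events.severity.level` field, so the test suite now locks in two spellings of one severity value. If the parser is changed to normalize case on the pass-through path, this expectation should become `"level": "High"`, and the `"unknown"` expectations in the other fixtures adjusted in the same way.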
5 changes: 4 additions & 1 deletion Netskope/netskope_events/tests/test_nspolicy_block.json
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,10 @@
"category": "General",
"name": "DNS Over HTTPS"
},
"ccl": "unknown"
"ccl": "unknown",
"severity": {
"level": "unknown"
}
}
},
"network": {
Expand Down
5 changes: 4 additions & 1 deletion Netskope/netskope_events/tests/test_nspolicy_log.json
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,10 @@
"name": "Microsoft Office 365 Sharepoint Online",
"suite": "Office365"
},
"ccl": "excellent"
"ccl": "excellent",
"severity": {
"level": "unknown"
}
}
},
"network": {
Expand Down
5 changes: 4 additions & 1 deletion Netskope/netskope_events/tests/test_nspolicy_upload.json
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,10 @@
"category": "Remote Access",
"name": "App"
},
"ccl": "medium"
"ccl": "medium",
"severity": {
"level": "unknown"
}
}
},
"network": {
Expand Down
5 changes: 4 additions & 1 deletion Netskope/netskope_events/tests/test_user_alert.json
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,10 @@
"category": "Cloud Storage",
"name": "WeTransfer"
},
"ccl": "low"
"ccl": "low",
"severity": {
"level": "unknown"
}
}
},
"network": {
Expand Down
