Netskope - add more smart descriptions

SEKOIA-IO · Jan 8, 2025 · a98e2a8 · a98e2a8
1 parent f873824
commit a98e2a8
Show file tree

Hide file tree

Showing 2 changed files with 155 additions and 0 deletions.
diff --git a/Netskope/netskope_events/_meta/smart-descriptions.json b/Netskope/netskope_events/_meta/smart-descriptions.json
@@ -214,5 +214,26 @@
         "field": "netskope.dlp.policy"
       }
     ]
+  },
+  {
+    "value": "DLP incident detected on {source.ip}: {user.name} attempted to {event.action} file {file.name}",
+    "conditions": [
+      {
+        "field": "event.dataset",
+        "value": "dlp_incident"
+      },
+      {
+        "field": "event.action"
+      },
+      {
+        "field": "source.ip"
+      },
+      {
+        "field": "user.name"
+      },
+      {
+        "field": "file.name"
+      }
+    ]
   }
 ]
diff --git a/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json b/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json
@@ -0,0 +1,134 @@
+{
+  "input": {
+    "message": "{\"_id\": \"11fc1dee8256ff3645f6d25f0\", \"access_method\": \"Client\", \"action\": \"useralert\", \"activity\": \"Download\", \"alert\": \"yes\", \"alert_type\": \"DLP\", \"app\": \"LinkedIn\", \"app_session_id\": 1111111111111111111, \"appcategory\": \"Professional Networking\", \"appsuite\": \"Linkedin App\", \"browser\": \"Chrome\", \"browser_session_id\": 222222222222222, \"browser_version\": \"131.0.0.0\", \"category\": \"Professional Networking\", \"cci\": 68, \"ccl\": \"medium\", \"connection_id\": 3333333333333, \"count\": 1, \"device\": \"Windows Device\", \"device_classification\": \"unmanaged\", \"dlp_file\": \"HighRes_QRCode_3.png\", \"dlp_incident_id\": 44444444444444, \"dlp_is_unique_count\": \"false\", \"dlp_parent_id\": 44444444444444, \"dlp_profile\": \"ML-TYOC-QRCode\", \"dlp_rule\": \"QRCode\", \"dlp_rule_count\": 0, \"dlp_rule_severity\": \"Medium\", \"dst_country\": \"US\", \"dst_latitude\": 37.775699615478516, \"dst_location\": \"San Francisco\", \"dst_longitude\": -122.39520263671875, \"dst_region\": \"California\", \"dst_timezone\": \"America/Los_Angeles\", \"dst_zipcode\": \"N/A\", \"dstip\": \"9.10.11.12\", \"dstport\": 443, \"file_lang\": \"Unknown\", \"file_size\": 1908, \"file_type\": \"image/png\", \"from_user\": \"[email protected]\", \"hostname\": \"EXAMPLE1\", \"managed_app\": \"no\", \"md5\": \"eb430691fe30d16070b5a144c3d3303c\", \"netskope_pop\": \"FR-PAR2\", \"object\": \"HighRes_QRCode_3.png\", \"object_type\": \"File\", \"organization_unit\": \"\", \"os\": \"Windows 11\", \"os_version\": \"Windows NT 11.0\", \"other_categories\": [\"All Internet\", \"Professional Networking\"], \"page\": \"www.linkedin.com\", \"page_site\": \"Linkedin\", \"policy\": \"Coach user QRCode in Social Media and IM\", \"policy_id\": \"981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594\", \"protocol\": \"HTTPS/1.1\", \"referer\": \"https://www.linkedin.com/feed/\", \"request_id\": 2994008614773293824, \"scan_type\": \"\", \"severity\": \"unknown\", \"sha256\": \"d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6\", \"site\": \"Linkedin\", \"src_country\": \"FR\", \"src_latitude\": 48.9247, \"src_location\": \"La Courneuve\", \"src_longitude\": 2.3975, \"src_region\": \"\\u00cele-de-France\", \"src_time\": \"Wed Dec 11 15:06:00 2024\", \"src_timezone\": \"Europe/Paris\", \"src_zipcode\": \"93120\", \"srcip\": \"5.6.7.8\", \"timestamp\": 1733925987, \"traffic_type\": \"CloudApp\", \"transaction_id\": 555555555555555, \"true_obj_category\": \"Image (Raster)\", \"true_obj_type\": \"Portable Network Graphics (PNG)\", \"tss_mode\": \"inline\", \"type\": \"nspolicy\", \"ur_normalized\": \"[email protected]\", \"url\": \"www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123\", \"user\": \"[email protected]\", \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\", \"userip\": \"1.2.3.4\", \"userkey\": \"[email protected]\", \"ext_labels\": [], \"dlp_fail_reason\": \"\", \"workspace\": \"\", \"instance_id\": \"\", \"tss_scan_failed\": \"\", \"dlp_unique_count\": 0, \"dlp_mail_parent_id\": \"\", \"notify_template\": \"\", \"tss_fail_reason\": \"\", \"channel_id\": \"\", \"mime_type\": \"\", \"resp_cnt\": 0, \"file_path\": \"\", \"orignal_file_path\": \"\", \"suppression_end_time\": 0, \"log_file_name\": \"\", \"modified\": 0, \"user_category\": \"\", \"CononicalName\": \"\", \"suppression_key\": \"\", \"web_universal_connector\": \"\", \"owner\": \"\", \"ja3\": \"\", \"dsthost\": \"\", \"data_type\": \"\", \"loginurl\": \"\", \"workspace_id\": \"\", \"managementID\": \"\", \"telemetry_app\": \"\", \"user_confidence_index\": 0, \"parent_id\": \"\", \"ja3s\": \"\", \"userPrincipalName\": \"\", \"smtp_to\": [], \"justification_reason\": \"\", \"app_activity\": \"\", \"sanctioned_instance\": \"\", \"user_id\": \"\", \"title\": \"\", \"audit_category\": \"\", \"internal_collaborator_count\": 0, \"shared_with\": \"\", \"dst_geoip_src\": 0, \"serial\": \"\", \"numbytes\": 0, \"sAMAccountName\": \"\", \"dlp_scan_failed\": \"\", \"server_bytes\": 0, \"sessionid\": \"\", \"to_user\": \"\", \"src_geoip_src\": 0, \"total_collaborator_count\": 0, \"custom_attr\": {}, \"logintype\": \"\", \"instance\": \"\", \"fromlogs\": \"\", \"retro_scan_name\": \"\", \"justification_type\": \"\", \"from_user_category\": \"\", \"data_center\": \"\", \"custom_connector\": \"\", \"audit_type\": \"\", \"suppression_start_time\": 0, \"req_cnt\": 0, \"exposure\": \"\", \"object_id\": \"\", \"conn_duration\": 0, \"nsdeviceuid\": \"\", \"universal_connector\": \"\", \"org\": \"\", \"netskope_activity\": \"\", \"client_bytes\": 0}"
+  },
+  "expected": {
+    "message": "{\"_id\": \"11fc1dee8256ff3645f6d25f0\", \"access_method\": \"Client\", \"action\": \"useralert\", \"activity\": \"Download\", \"alert\": \"yes\", \"alert_type\": \"DLP\", \"app\": \"LinkedIn\", \"app_session_id\": 1111111111111111111, \"appcategory\": \"Professional Networking\", \"appsuite\": \"Linkedin App\", \"browser\": \"Chrome\", \"browser_session_id\": 222222222222222, \"browser_version\": \"131.0.0.0\", \"category\": \"Professional Networking\", \"cci\": 68, \"ccl\": \"medium\", \"connection_id\": 3333333333333, \"count\": 1, \"device\": \"Windows Device\", \"device_classification\": \"unmanaged\", \"dlp_file\": \"HighRes_QRCode_3.png\", \"dlp_incident_id\": 44444444444444, \"dlp_is_unique_count\": \"false\", \"dlp_parent_id\": 44444444444444, \"dlp_profile\": \"ML-TYOC-QRCode\", \"dlp_rule\": \"QRCode\", \"dlp_rule_count\": 0, \"dlp_rule_severity\": \"Medium\", \"dst_country\": \"US\", \"dst_latitude\": 37.775699615478516, \"dst_location\": \"San Francisco\", \"dst_longitude\": -122.39520263671875, \"dst_region\": \"California\", \"dst_timezone\": \"America/Los_Angeles\", \"dst_zipcode\": \"N/A\", \"dstip\": \"9.10.11.12\", \"dstport\": 443, \"file_lang\": \"Unknown\", \"file_size\": 1908, \"file_type\": \"image/png\", \"from_user\": \"[email protected]\", \"hostname\": \"EXAMPLE1\", \"managed_app\": \"no\", \"md5\": \"eb430691fe30d16070b5a144c3d3303c\", \"netskope_pop\": \"FR-PAR2\", \"object\": \"HighRes_QRCode_3.png\", \"object_type\": \"File\", \"organization_unit\": \"\", \"os\": \"Windows 11\", \"os_version\": \"Windows NT 11.0\", \"other_categories\": [\"All Internet\", \"Professional Networking\"], \"page\": \"www.linkedin.com\", \"page_site\": \"Linkedin\", \"policy\": \"Coach user QRCode in Social Media and IM\", \"policy_id\": \"981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594\", \"protocol\": \"HTTPS/1.1\", \"referer\": \"https://www.linkedin.com/feed/\", \"request_id\": 2994008614773293824, \"scan_type\": \"\", \"severity\": \"unknown\", \"sha256\": \"d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6\", \"site\": \"Linkedin\", \"src_country\": \"FR\", \"src_latitude\": 48.9247, \"src_location\": \"La Courneuve\", \"src_longitude\": 2.3975, \"src_region\": \"\\u00cele-de-France\", \"src_time\": \"Wed Dec 11 15:06:00 2024\", \"src_timezone\": \"Europe/Paris\", \"src_zipcode\": \"93120\", \"srcip\": \"5.6.7.8\", \"timestamp\": 1733925987, \"traffic_type\": \"CloudApp\", \"transaction_id\": 555555555555555, \"true_obj_category\": \"Image (Raster)\", \"true_obj_type\": \"Portable Network Graphics (PNG)\", \"tss_mode\": \"inline\", \"type\": \"nspolicy\", \"ur_normalized\": \"[email protected]\", \"url\": \"www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123\", \"user\": \"[email protected]\", \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\", \"userip\": \"1.2.3.4\", \"userkey\": \"[email protected]\", \"ext_labels\": [], \"dlp_fail_reason\": \"\", \"workspace\": \"\", \"instance_id\": \"\", \"tss_scan_failed\": \"\", \"dlp_unique_count\": 0, \"dlp_mail_parent_id\": \"\", \"notify_template\": \"\", \"tss_fail_reason\": \"\", \"channel_id\": \"\", \"mime_type\": \"\", \"resp_cnt\": 0, \"file_path\": \"\", \"orignal_file_path\": \"\", \"suppression_end_time\": 0, \"log_file_name\": \"\", \"modified\": 0, \"user_category\": \"\", \"CononicalName\": \"\", \"suppression_key\": \"\", \"web_universal_connector\": \"\", \"owner\": \"\", \"ja3\": \"\", \"dsthost\": \"\", \"data_type\": \"\", \"loginurl\": \"\", \"workspace_id\": \"\", \"managementID\": \"\", \"telemetry_app\": \"\", \"user_confidence_index\": 0, \"parent_id\": \"\", \"ja3s\": \"\", \"userPrincipalName\": \"\", \"smtp_to\": [], \"justification_reason\": \"\", \"app_activity\": \"\", \"sanctioned_instance\": \"\", \"user_id\": \"\", \"title\": \"\", \"audit_category\": \"\", \"internal_collaborator_count\": 0, \"shared_with\": \"\", \"dst_geoip_src\": 0, \"serial\": \"\", \"numbytes\": 0, \"sAMAccountName\": \"\", \"dlp_scan_failed\": \"\", \"server_bytes\": 0, \"sessionid\": \"\", \"to_user\": \"\", \"src_geoip_src\": 0, \"total_collaborator_count\": 0, \"custom_attr\": {}, \"logintype\": \"\", \"instance\": \"\", \"fromlogs\": \"\", \"retro_scan_name\": \"\", \"justification_type\": \"\", \"from_user_category\": \"\", \"data_center\": \"\", \"custom_connector\": \"\", \"audit_type\": \"\", \"suppression_start_time\": 0, \"req_cnt\": 0, \"exposure\": \"\", \"object_id\": \"\", \"conn_duration\": 0, \"nsdeviceuid\": \"\", \"universal_connector\": \"\", \"org\": \"\", \"netskope_activity\": \"\", \"client_bytes\": 0}",
+    "event": {
+      "action": "Download",
+      "category": [
+        "file"
+      ],
+      "dataset": "dlp_incident",
+      "duration": 0,
+      "kind": "alert",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-12-11T14:06:27Z",
+    "action": {
+      "name": "useralert"
+    },
+    "destination": {
+      "address": "9.10.11.12",
+      "bytes": 0,
+      "geo": {
+        "city_name": "San Francisco",
+        "country_iso_code": "US",
+        "location": {
+          "lat": 37.775699615478516,
+          "lon": -122.39520263671875
+        },
+        "postal_code": "N/A",
+        "region_name": "California",
+        "timezone": "America/Los_Angeles"
+      },
+      "ip": "9.10.11.12"
+    },
+    "file": {
+      "hash": {
+        "md5": "eb430691fe30d16070b5a144c3d3303c",
+        "sha256": "d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6"
+      },
+      "mime_type": "image/png",
+      "name": "HighRes_QRCode_3.png",
+      "size": 1908
+    },
+    "host": {
+      "name": "EXAMPLE1",
+      "os": {
+        "name": "Windows 11",
+        "platform": "windows",
+        "type": "windows",
+        "version": "Windows NT 11.0"
+      }
+    },
+    "http": {
+      "request": {
+        "referrer": "https://www.linkedin.com/feed/"
+      }
+    },
+    "netskope": {
+      "alerts": {
+        "type": "DLP"
+      },
+      "dlp": {
+        "incident": {
+          "id": "44444444444444"
+        }
+      },
+      "events": {
+        "access_method": "Client",
+        "application": {
+          "category": "Professional Networking",
+          "name": "LinkedIn",
+          "suite": "Linkedin App"
+        },
+        "ccl": "medium"
+      }
+    },
+    "network": {
+      "bytes": 0
+    },
+    "observer": {
+      "vendor": "Netskope"
+    },
+    "related": {
+      "hash": [
+        "d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6",
+        "eb430691fe30d16070b5a144c3d3303c"
+      ],
+      "ip": [
+        "5.6.7.8",
+        "9.10.11.12"
+      ],
+      "user": [
+        "johndoe"
+      ]
+    },
+    "rule": {
+      "id": "981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594",
+      "name": "Coach user QRCode in Social Media and IM"
+    },
+    "source": {
+      "address": "5.6.7.8",
+      "bytes": 0,
+      "geo": {
+        "city_name": "La Courneuve",
+        "country_iso_code": "FR",
+        "location": {
+          "lat": 48.9247,
+          "lon": 2.3975
+        },
+        "postal_code": "93120",
+        "region_name": "\u00cele-de-France",
+        "timezone": "Europe/Paris"
+      },
+      "ip": "5.6.7.8"
+    },
+    "url": {
+      "original": "www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123",
+      "path": "www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123"
+    },
+    "user": {
+      "domain": "example.com",
+      "email": "[email protected]",
+      "name": "johndoe"
+    },
+    "user_agent": {
+      "name": "Chrome",
+      "version": "131.0.0.0"
+    }
+  }
+}