Extract alert severity in dedicated field

SEKOIA-IO · Jan 14, 2025 · cf7a303 · cf7a303
1 parent db0dfff
commit cf7a303
Show file tree

Hide file tree

Showing 10 changed files with 32 additions and 33 deletions.
diff --git a/Netskope/netskope_events/_meta/fields.yml b/Netskope/netskope_events/_meta/fields.yml
@@ -1,3 +1,8 @@
+netskope.alerts.severity:
+  description: ''
+  name: netskope.alerts.severity
+  type: keyword
+
 netskope.alerts.name:
   description: The name of the alert
   name: netskope.alerts.name

diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml
@@ -151,8 +151,8 @@ stages:
         filter: "{{ parsed_event.message.severity_level|int(-1) == -1 }}"
 
       - set:
-          netskope.events.severity.level: "{{parsed_event.message.severity}}"
-        filter: "{{ parsed_event.message.severity|int(-1) == -1 }}"
+          netskope.alerts.severity: "{{parsed_event.message.severity}}"
+        filter: "{{ parsed_event.message.severity|int(-1) == -1}}"
 
       - set:
           netskope.events.severity.id: "{{parsed_event.message.severity_level}}"

diff --git a/Netskope/netskope_events/tests/test_dlp_alert.json b/Netskope/netskope_events/tests/test_dlp_alert.json
@@ -61,6 +61,7 @@
     },
     "netskope": {
       "alerts": {
+        "severity": "unknown",
         "type": "DLP"
       },
       "dlp": {
@@ -85,10 +86,7 @@
           "name": "LinkedIn",
           "suite": "Linkedin App"
         },
-        "ccl": "medium",
-        "severity": {
-          "level": "unknown"
-        }
+        "ccl": "medium"
       }
     },
     "network": {

diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json
@@ -42,6 +42,9 @@
       }
     },
     "netskope": {
+      "alerts": {
+        "severity": "Low"
+      },
       "dlp": {
         "action": "useralert",
         "forensic_id": "2222222222222222222",
@@ -68,9 +71,6 @@
         "access_method": "Client",
         "application": {
           "name": "NextCloud"
-        },
-        "severity": {
-          "level": "Low"
         }
       }
     },

diff --git a/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json b/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json
@@ -61,6 +61,7 @@
     },
     "netskope": {
       "alerts": {
+        "severity": "unknown",
         "type": "DLP"
       },
       "dlp": {
@@ -85,10 +86,7 @@
           "name": "LinkedIn",
           "suite": "Linkedin App"
         },
-        "ccl": "medium",
-        "severity": {
-          "level": "unknown"
-        }
+        "ccl": "medium"
       }
     },
     "network": {

diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json
@@ -57,6 +57,7 @@
     },
     "netskope": {
       "alerts": {
+        "severity": "high",
         "type": "Malware"
       },
       "events": {
@@ -65,10 +66,7 @@
           "category": "n/a",
           "name": "eicar"
         },
-        "ccl": "unknown",
-        "severity": {
-          "level": "high"
-        }
+        "ccl": "unknown"
       }
     },
     "network": {

diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json
@@ -52,16 +52,16 @@
       }
     },
     "netskope": {
+      "alerts": {
+        "severity": "unknown"
+      },
       "events": {
         "access_method": "Client",
         "application": {
           "category": "General",
           "name": "DNS Over HTTPS"
         },
-        "ccl": "unknown",
-        "severity": {
-          "level": "unknown"
-        }
+        "ccl": "unknown"
       }
     },
     "network": {

diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json
@@ -64,17 +64,17 @@
       }
     },
     "netskope": {
+      "alerts": {
+        "severity": "unknown"
+      },
       "events": {
         "access_method": "Client",
         "application": {
           "category": "Collaboration",
           "name": "Microsoft Office 365 Sharepoint Online",
           "suite": "Office365"
         },
-        "ccl": "excellent",
-        "severity": {
-          "level": "unknown"
-        }
+        "ccl": "excellent"
       }
     },
     "network": {

diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json
@@ -60,16 +60,16 @@
       }
     },
     "netskope": {
+      "alerts": {
+        "severity": "unknown"
+      },
       "events": {
         "access_method": "Client",
         "application": {
           "category": "Remote Access",
           "name": "App"
         },
-        "ccl": "medium",
-        "severity": {
-          "level": "unknown"
-        }
+        "ccl": "medium"
       }
     },
     "network": {

diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json
@@ -54,16 +54,16 @@
       }
     },
     "netskope": {
+      "alerts": {
+        "severity": "unknown"
+      },
       "events": {
         "access_method": "Client",
         "application": {
           "category": "Cloud Storage",
           "name": "WeTransfer"
         },
-        "ccl": "low",
-        "severity": {
-          "level": "unknown"
-        }
+        "ccl": "low"
       }
     },
     "network": {