From e6a207c4cb874eac232f7f121382031860ed1ed1 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Tue, 10 Dec 2024 14:16:24 +0100
Subject: [PATCH 1/3] Fis on agent.id field for harfanglab
---
 HarfangLab/harfanglab/ingest/parser.yml | 4 ++++
 HarfangLab/harfanglab/tests/threat_critical.json | 1 +
 HarfangLab/harfanglab/tests/threat_log.json | 1 +
 3 files changed, 6 insertions(+)
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 5050c7429..96338037d 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -142,6 +142,10 @@ stages: organization.id: "{{json_event.message.tenant}}" url.original: "{{json_event.message.details_url_request.url}}" + - set: + agent.id: "{{json_event.message.agents[0].agent_id}}" + filter: "{{json_event.message.agents | length > 0}}" + network_info: actions: - set:
diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json
index 94e83a1fd..e9b50e3db 100644
--- a/HarfangLab/harfanglab/tests/threat_critical.json
+++ b/HarfangLab/harfanglab/tests/threat_critical.json
@@ -10,6 +10,7 @@ "start": "2024-03-19T09:21:00Z" }, "agent": { + "id": "af5e2f63-becd-4660-ade8-30d04c0dd044", "name": "harfanglab" }, "harfanglab": {
diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json
index dcab41c28..233ffd066 100644
--- a/HarfangLab/harfanglab/tests/threat_log.json
+++ b/HarfangLab/harfanglab/tests/threat_log.json
@@ -10,6 +10,7 @@ "start": "2024-02-07T15:18:00Z" }, "agent": { + "id": "215fe295-905f-4a8d-8347-e9d438d4e415", "name": "harfanglab" }, "harfanglab": {
From 061e9656533eac6955dba9be73a10123daef8bdc Mon Sep 17 00:00:00 2001 
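Review bot: `agent.id` on the second added line of the parser.yml hunk is the ECS slot for the agent that produced the event, while `agents[0].agent_id` picks one endpoint out of the threat's `agents` array and silently drops the rest, so a threat spanning several endpoints would be attributed to whichever endpoint happens to come first — a mis-correlation that a detection rule keyed on `agent.id` would never notice. Patches 2/3 of this series move the value to a list-valued `harfanglab.agent_ids`, which addresses both points, so the intermediate mapping here should not be taken on its own. The enclosing `- set:` action and its stage start outside the hunk.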
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com>
Date: Tue, 10 Dec 2024 16:50:08 +0100
Subject: [PATCH 2/3] Update HarfangLab/harfanglab/ingest/parser.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 HarfangLab/harfanglab/ingest/parser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 96338037d..c09e780c2 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -143,7 +143,7 @@ stages: url.original: "{{json_event.message.details_url_request.url}}" - set: - agent.id: "{{json_event.message.agents[0].agent_id}}" + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}" filter: "{{json_event.message.agents | length > 0}}" network_info:
From cd0a5dc4c25145de4300b3c9fcfda65fd65dcbd3 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Tue, 10 Dec 2024 16:57:25 +0100
Subject: [PATCH 3/3] fixes on fields and typo
---
 HarfangLab/harfanglab/_meta/fields.yml | 5 +++++
 HarfangLab/harfanglab/ingest/parser.yml | 2 +-
 HarfangLab/harfanglab/tests/threat_critical.json | 4 +++-
 HarfangLab/harfanglab/tests/threat_log.json | 5 ++++-
 4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
index 611f3c079..902363c55 100644
--- a/HarfangLab/harfanglab/_meta/fields.yml
+++ b/HarfangLab/harfanglab/_meta/fields.yml
@@ -953,6 +953,11 @@ action.properties.param9: name: action.properties.param9 type: keyword +harfanglab.agent_ids: + description: '' + name: harfanglab.agent_ids + type: keyword + harfanglab.aggregation_key: description: The key to the events aggregation name: harfanglab.aggregation_key 
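Review bot: The added `harfanglab.agent_ids` line in the parser.yml hunk relies on `| map(attribute='agent_id') | list` being evaluated to a native list; if the parser's template engine renders `set` values to text, the field would instead receive the single string `['id1', 'id2']` (constructed example) and a `keyword` mapping would hold one joined value rather than one value per agent, which breaks per-endpoint searches. The fixtures added later in the series expect a JSON array, so presumably the engine does evaluate natively — worth confirming with a fixture that lists two agents, as `threat_log.json` does in patch 3, rather than assuming. The enclosing `- set:` action and its stage start outside the hunk.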
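Review bot: `description: ''` on the new `harfanglab.agent_ids` entry in the fields.yml hunk leaves the field's only user-facing documentation empty, while the neighbouring entries (e.g. `harfanglab.aggregation_key`) each carry one. Propose `description: Identifiers of the HarfangLab agents listed in the threat's agents array` so analysts can tell this list apart from the ECS `agent.*` fields describing the event producer. Writing the value as a plain scalar also matches the quoting style of the surrounding descriptions.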
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index c09e780c2..34535641b 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -143,7 +143,7 @@ stages: url.original: "{{json_event.message.details_url_request.url}}" - set: - harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}" + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}}" filter: "{{json_event.message.agents | length > 0}}" network_info:
diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json
index e9b50e3db..ce1d2faa4 100644
--- a/HarfangLab/harfanglab/tests/threat_critical.json
+++ b/HarfangLab/harfanglab/tests/threat_critical.json
@@ -10,10 +10,12 @@ "start": "2024-03-19T09:21:00Z" }, "agent": { - "id": "af5e2f63-becd-4660-ade8-30d04c0dd044", "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "af5e2f63-becd-4660-ade8-30d04c0dd044" + ], "count": { "rules": 1, "users_impacted": 0
diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json
index 233ffd066..bed91707b 100644
--- a/HarfangLab/harfanglab/tests/threat_log.json
+++ b/HarfangLab/harfanglab/tests/threat_log.json
@@ -10,10 +10,13 @@ "start": "2024-02-07T15:18:00Z" }, "agent": { - "id": "215fe295-905f-4a8d-8347-e9d438d4e415", "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "215fe295-905f-4a8d-8347-e9d438d4e415", + "999ba0c7-96b8-4c57-bf0e-63b24813c873" + ], "count": { "rules": 4, "users_impacted": 3
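Review bot: The `filter` context line just below the corrected template in the parser.yml hunk only guards against an empty or absent `agents` array (a default Jinja undefined has length 0); if the HarfangLab payload can carry `"agents": null`, `| length` on a null raises and the whole `set` action errors out instead of being skipped. If that shape is possible, tighten the guard to `filter: "{{json_event.message.agents is iterable and json_event.message.agents | length > 0}}"`. The same filter line appears as context in the parser.yml hunks of patches 1 and 2. The enclosing `- set:` action and its stage start outside the hunk.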