diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index 611f3c079..902363c55 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml @@ -953,6 +953,11 @@ action.properties.param9: name: action.properties.param9 type: keyword +harfanglab.agent_ids: + description: '' + name: harfanglab.agent_ids + type: keyword + harfanglab.aggregation_key: description: The key to the events aggregation name: harfanglab.aggregation_key diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 5050c7429..34535641b 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -142,6 +142,10 @@ stages: organization.id: "{{json_event.message.tenant}}" url.original: "{{json_event.message.details_url_request.url}}" + - set: + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}}" + filter: "{{json_event.message.agents | length > 0}}" + network_info: actions: - set: diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json index 94e83a1fd..ce1d2faa4 100644 --- a/HarfangLab/harfanglab/tests/threat_critical.json +++ b/HarfangLab/harfanglab/tests/threat_critical.json @@ -13,6 +13,9 @@ "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "af5e2f63-becd-4660-ade8-30d04c0dd044" + ], "count": { "rules": 1, "users_impacted": 0 diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json index dcab41c28..bed91707b 100644 --- a/HarfangLab/harfanglab/tests/threat_log.json +++ b/HarfangLab/harfanglab/tests/threat_log.json @@ -13,6 +13,10 @@ "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "215fe295-905f-4a8d-8347-e9d438d4e415", + "999ba0c7-96b8-4c57-bf0e-63b24813c873" + ], "count": { "rules": 4, "users_impacted": 3