Merge pull request #1397 from SEKOIA-IO/fix/Harfanglab

HarfangLab: Adding field for Harfanglab Threat Key
SEKOIA-IO · Dec 16, 2024 · f9a0e7a · f9a0e7a
2 parents 09a517d + a0bfdea
commit f9a0e7a
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 5 deletions.
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
@@ -1043,6 +1043,11 @@ harfanglab.threat_id:
   name: harfanglab.threat_id
   type: keyword
 
+harfanglab.threat_key:
+  description: The key of the threat
+  name: harfanglab.threat_key
+  type: keyword
+
 network.direction:
   description: The direction of the network connection
   name: network.direction

diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
@@ -266,6 +266,7 @@ stages:
           harfanglab.aggregation_key: "{{json_event.message.aggregation_key}}"
           harfanglab.process.powershell.command: "{{json_event.message.details_powershell.PowershellCommand}}"
           harfanglab.process.powershell.script_path: "{{json_event.message.details_powershell.PowershellScriptPath}}"
+          harfanglab.threat_key: "{{json_event.message.threat_key}}"
 
   alert_process_info:
     actions:

diff --git a/HarfangLab/harfanglab/tests/alert_1.json b/HarfangLab/harfanglab/tests/alert_1.json
@@ -35,7 +35,8 @@
       "execution": 0,
       "groups": [],
       "level": "medium",
-      "status": "new"
+      "status": "new",
+      "threat_key": "2971"
     },
     "host": {
       "domain": "EXAMPLE",

diff --git a/HarfangLab/harfanglab/tests/alert_2.json b/HarfangLab/harfanglab/tests/alert_2.json
@@ -35,7 +35,8 @@
         "{\"id\": \"00000000-0000-0000-0000-000000000000\", \"name\": \"EXAMPLE\"}"
       ],
       "level": "medium",
-      "status": "new"
+      "status": "new",
+      "threat_key": "2912"
     },
     "host": {
       "domain": "EXAMPLE",

diff --git a/HarfangLab/harfanglab/tests/alert_3.json b/HarfangLab/harfanglab/tests/alert_3.json
@@ -42,7 +42,8 @@
           "script_path": "C:\\Scripts\\SomeWhere\\Get-FaInterco\\Get-FaNetworkFlowV2.ps1"
         }
       },
-      "status": "new"
+      "status": "new",
+      "threat_key": "16364"
     },
     "host": {
       "domain": "Example",

diff --git a/HarfangLab/harfanglab/tests/alert_4.json b/HarfangLab/harfanglab/tests/alert_4.json
@@ -42,7 +42,8 @@
         "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}"
       ],
       "level": "medium",
-      "status": "new"
+      "status": "new",
+      "threat_key": "1343"
     },
     "host": {
       "domain": "DOMAINSI",

diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json
@@ -45,7 +45,8 @@
         "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}"
       ],
       "level": "medium",
-      "status": "new"
+      "status": "new",
+      "threat_key": "20528"
     },
     "host": {
       "domain": "NT_DOMAIN",