From a0bfdeaa4f061e8fdff21bfb70487d3e519f6135 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Mon, 16 Dec 2024 16:16:30 +0100
Subject: [PATCH] HarfangLab: Adding field for Harfanglab Threat Key

---
 HarfangLab/harfanglab/_meta/fields.yml   | 5 +++++
 HarfangLab/harfanglab/ingest/parser.yml  | 1 +
 HarfangLab/harfanglab/tests/alert_1.json | 3 ++-
 HarfangLab/harfanglab/tests/alert_2.json | 3 ++-
 HarfangLab/harfanglab/tests/alert_3.json | 3 ++-
 HarfangLab/harfanglab/tests/alert_4.json | 3 ++-
 HarfangLab/harfanglab/tests/alert_5.json | 3 ++-
 7 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
index 902363c55..1ad5ffb1e 100644
--- a/HarfangLab/harfanglab/_meta/fields.yml
+++ b/HarfangLab/harfanglab/_meta/fields.yml
@@ -1043,6 +1043,11 @@ harfanglab.threat_id:
   name: harfanglab.threat_id
   type: keyword
 
+harfanglab.threat_key:
+  description: The key of the threat
+  name: harfanglab.threat_key
+  type: keyword
+
 network.direction:
   description: The direction of the network connection
   name: network.direction
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 253355fce..2b8fb9c96 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -266,6 +266,7 @@ stages:
           harfanglab.aggregation_key: "{{json_event.message.aggregation_key}}"
           harfanglab.process.powershell.command: "{{json_event.message.details_powershell.PowershellCommand}}"
           harfanglab.process.powershell.script_path: "{{json_event.message.details_powershell.PowershellScriptPath}}"
+          harfanglab.threat_key: "{{json_event.message.threat_key}}"
 
   alert_process_info:
     actions:
diff --git a/HarfangLab/harfanglab/tests/alert_1.json b/HarfangLab/harfanglab/tests/alert_1.json
index 9ac1abc0a..484cfee47 100644
--- a/HarfangLab/harfanglab/tests/alert_1.json
+++ b/HarfangLab/harfanglab/tests/alert_1.json
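Review bot: The description `The key of the threat` on the new harfanglab.threat_key entry only restates the field name and does not say how this key relates to the neighbouring harfanglab.threat_id, which is the first question an analyst pivoting between alerts and threats will ask. Suggest `description: Key of the HarfangLab threat this alert is attached to; see also harfanglab.threat_id`, plus one sentence stating the difference between the two identifiers if they are not interchangeable (not determinable from this hunk). `type: keyword` is the right choice here: the fixtures in this commit carry all-digit values such as "2971", which must stay strings so exact-match filtering keeps working.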
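Review bot: The new `harfanglab.threat_key: "{{json_event.message.threat_key}}"` set action is only exercised by fixtures that now all carry `threat_key` — every tests/alert_N.json in this commit gained the key — so nothing checks what the parser emits when the key is missing from an alert (whether HarfangLab always sends it cannot be determined from the hunk). Keep one existing fixture without `threat_key`, or add a sixth, so the expected output documents that the field is absent rather than set to an empty string or the literal template text. The line itself follows the same template pattern as the sibling aggregation_key and powershell lines and needs no change. The enclosing stage's `actions` block starts outside the hunk.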
@@ -35,7 +35,8 @@
     "execution": 0,
     "groups": [],
     "level": "medium",
-    "status": "new"
+    "status": "new",
+    "threat_key": "2971"
   },
   "host": {
     "domain": "EXAMPLE",
diff --git a/HarfangLab/harfanglab/tests/alert_2.json b/HarfangLab/harfanglab/tests/alert_2.json
index 60c039be7..ffb3dd936 100644
--- a/HarfangLab/harfanglab/tests/alert_2.json
+++ b/HarfangLab/harfanglab/tests/alert_2.json
@@ -35,7 +35,8 @@
       "{\"id\": \"00000000-0000-0000-0000-000000000000\", \"name\": \"EXAMPLE\"}"
     ],
     "level": "medium",
-    "status": "new"
+    "status": "new",
+    "threat_key": "2912"
   },
   "host": {
     "domain": "EXAMPLE",
diff --git a/HarfangLab/harfanglab/tests/alert_3.json b/HarfangLab/harfanglab/tests/alert_3.json
index f37d2fad4..4ea4e0884 100644
--- a/HarfangLab/harfanglab/tests/alert_3.json
+++ b/HarfangLab/harfanglab/tests/alert_3.json
@@ -42,7 +42,8 @@
         "script_path": "C:\\Scripts\\SomeWhere\\Get-FaInterco\\Get-FaNetworkFlowV2.ps1"
       }
     },
-    "status": "new"
+    "status": "new",
+    "threat_key": "16364"
   },
   "host": {
     "domain": "Example",
diff --git a/HarfangLab/harfanglab/tests/alert_4.json b/HarfangLab/harfanglab/tests/alert_4.json
index 1a45b2b22..c0c748a53 100644
--- a/HarfangLab/harfanglab/tests/alert_4.json
+++ b/HarfangLab/harfanglab/tests/alert_4.json
@@ -42,7 +42,8 @@
       "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}"
     ],
     "level": "medium",
-    "status": "new"
+    "status": "new",
+    "threat_key": "1343"
   },
   "host": {
     "domain": "DOMAINSI",
diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json
index 19abfe567..3202a7f54 100644
--- a/HarfangLab/harfanglab/tests/alert_5.json
+++ b/HarfangLab/harfanglab/tests/alert_5.json
@@ -45,7 +45,8 @@
       "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}"
     ],
     "level": "medium",
-    "status": "new"
+    "status": "new",
+    "threat_key": "20528"
   },
   "host": {
     "domain": "NT_DOMAIN",