This is an enhancement request for adding the ability to generate alerts that will show up when running the AI4SOC product tier. Here are a couple of sample alerts that @pborgonovi shared with me from two of the supported integrations. Note that the `file.hash.sha256` values in the Splunk and Google SecOps samples are 32 hex characters (MD5 length) rather than the 64 a SHA-256 digest has, so they appear to be synthetic placeholders; any generator built from these samples should emit correctly sized hashes so downstream validation and hash-based enrichment behave as they would on real data.
Splunk Alert
{
"_index": ".ds-logs-splunk.alert-default-2025.08.06-000001",
"_id": "9OaVf0pi2iiaNVou2OoPyqU9u4M=",
"_score": 1,
"_source": {
"@timestamp": "2025-08-06T22:45:20.000Z",
"agent": {
"ephemeral_id": "03b5b12c-bdc1-4771-995a-e661b2fce477",
"id": "971b8243-30b3-48b5-ad95-c64b40daf24f",
"name": "elastic-agent-17375",
"type": "filebeat",
"version": "8.18.0"
},
"data_stream": {
"dataset": "splunk.alert",
"namespace": "default",
"type": "logs"
},
"destination": {
"ip": [
"10.0.0.5"
]
},
"ecs": {
"version": "8.17.0"
},
"elastic_agent": {
"id": "971b8243-30b3-48b5-ad95-c64b40daf24f",
"snapshot": true,
"version": "8.18.0"
},
"event": {
"agent_id_status": "auth_metadata_missing",
"dataset": "splunk.alert",
"ingested": "2025-08-06T22:17:00Z",
"kind": "alert",
"original": """{"search_name": "Suspicious File Access", "app": "windows-sysmon", "ip": "10.0.0.5", "src": "203.0.113.46", "orig_tag": ["file", "access"], "user_count": "1", "unique_id": "0641769e-2864-4953-bf3a-996216e5936d"}""",
"severity": 73,
"severity_label": "high",
"type": [
"info"
]
},
"file": {
"hash": {
"sha256": "8278d01dcaf547ad8318978813e227f0"
},
"path": """C:\Temp\data.zip"""
},
"host": {
"geo": {
"city_name": "New York",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"location": {
"lat": 40.712799984030426,
"lon": -74.00600004941225
},
"region_iso_code": "US-NY",
"region_name": "New York"
},
"ip": [
"10.0.0.5"
],
"name": "host-dc-01"
},
"input": {
"type": "cel"
},
"related": {
"hosts": [
"host-dc-01"
],
"ip": [
"203.0.113.46",
"10.0.0.5"
]
},
"rule": {
"name": "Suspicious File Access"
},
"source": {
"address": "203.0.113.46",
"as": {
"number": 15169,
"organization": {
"name": "Google LLC"
}
},
"geo": {
"city_name": "New York",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"location": {
"lat": 40.712799984030426,
"lon": -74.00600004941225
},
"region_iso_code": "US-NY",
"region_name": "New York"
},
"ip": [
"203.0.113.46"
]
},
"splunk": {
"alert": {
"app": "windows-sysmon",
"orig_tag": [
"file",
"access"
],
"search_name": "Suspicious File Access",
"unique_id": "0641769e-2864-4953-bf3a-996216e5936d",
"user_count": 1
}
},
"tags": [
"preserve_original_event",
"forwarded",
"splunk-alert"
],
"user": {
"name": "bob"
}
}
},
Sentinel One Alert
{
"_index": ".ds-logs-sentinel_one.alert-default-2025.08.06-000001",
"_id": "/6wVG2wxR/3CXRxk3GK0aN+hxL8=",
"_score": 1,
"_source": {
"@timestamp": "2025-08-07T09:07:24.810Z",
"agent": {
"ephemeral_id": "6fdcbedd-e735-4681-885b-0fc468a0248a",
"id": "MmQ1ZDk4ZDgtNzMxMC0xMWYwLWJiZWItMDJlN2NhZmQ5NjM1",
"name": "agentless-cdc5ec8d-4380-4aac-9319-cfd2e4af752d-6758fbbf7f-lss27",
"type": "filebeat",
"version": "9.2.0"
},
"data_stream": {
"dataset": "sentinel_one.alert",
"namespace": "default",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "MmQ1ZDk4ZDgtNzMxMC0xMWYwLWJiZWItMDJlN2NhZmQ5NjM1",
"snapshot": true,
"version": "9.2.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2025-08-07T09:07:28.049Z",
"dataset": "sentinel_one.alert",
"id": "2276071318271429894",
"ingested": "2025-08-07T09:07:37Z",
"kind": "event",
"severity": 99,
"type": [
"info"
]
},
"file": {
"created": "1970-01-01T00:00:00.000Z",
"mtime": "1970-01-01T00:00:00.000Z"
},
"host": {
"id": "2097738178340462650",
"name": "ip-172-31-91-187",
"os": {
"family": "linux",
"name": "Linux",
"type": "linux",
"version": "Ubuntu 24.04.1 LTS 6.8.0-1031-aws"
},
"type": "server"
},
"input": {
"type": "httpjson"
},
"message": "Test6",
"observer": {
"serial_number": "0df1d701-1ff1-96c7-12e4-0be8ffa8d628",
"version": "23.3.2.12"
},
"process": {
"command_line": "su",
"entity_id": "59c3051a-ce76-9354-136c-bad5d1f9e0fd",
"executable": "/usr/bin/su",
"hash": {
"sha1": "9912c33e76476defd289c93952250dff4e583c88"
},
"name": "su",
"parent": {
"command_line": "sudo su",
"entity_id": "59c30518-595d-cda2-51ef-6e5466fcad9c",
"executable": "/usr/bin/sudo",
"hash": {
"sha1": "8f860202c9089989e5b7356bc99e9e3460c41d12"
},
"name": "sudo",
"pid": 1308,
"start": "2025-08-07T09:05:11.320Z",
"user": {
"name": "Effective: root, Real: ubuntu, Login: ubuntu"
}
},
"pid": 1309,
"start": "2025-08-07T09:05:11.320Z",
"user": {
"name": "Effective: root, Real: root, Login: ubuntu"
}
},
"related": {
"hash": [
"8f860202c9089989e5b7356bc99e9e3460c41d12",
"9912c33e76476defd289c93952250dff4e583c88"
],
"hosts": [
"ip-172-31-91-187"
]
},
"rule": {
"description": "sudo su",
"id": "1950744398317815020",
"name": "Test6"
},
"sentinel_one": {
"alert": {
"agent": {
"computer_name": "ip-172-31-91-187",
"id": "2097738178340462650",
"infected": true,
"is_active": true,
"is_decommissioned": false,
"machine_type": "server",
"os": {
"type": "linux"
},
"site_id": "1392053568582758390"
},
"analyst_verdict": "Undefined",
"dv_event": {
"id": "01K21WH65PYQ74CXT34TGM1YNX_67"
},
"info": {
"event_type": "PROCESSCREATION",
"hit": {
"type": "Events"
},
"reported_at": "2025-08-07T09:07:24.817Z",
"source": "STAR",
"status": "Unresolved",
"updated_at": "2025-08-07T09:07:24.817Z"
},
"process": {
"integrity_level": "unknown",
"parent": {
"integrity_level": "unknown",
"storyline": "59c18934-a605-29e0-9f47-402071e2ebf2",
"subsystem": "unknown"
},
"storyline": "59c18934-a605-29e0-9f47-402071e2ebf2",
"subsystem": "unknown"
},
"rule": {
"scope_level": "site",
"severity": "Critical",
"treat_as_threat": "Suspicious"
},
"target": {
"process": {
"proc": {
"cmdline": "bash",
"image_path": "/bin/bash",
"integrity_level": "unknown",
"name": "bash",
"pid": 1310,
"signed_status": "unsigned",
"storyline_id": "59c18934-a605-29e0-9f47-402071e2ebf2",
"uid": "59c30525-903d-2ad4-4cb0-76d4b871f9c6"
},
"start_time": "2025-08-07T09:05:11.330Z"
}
}
}
},
"tags": [
"forwarded",
"sentinel_one-alert"
]
}
},
Google SecOps Alert
{
"_index": ".ds-logs-google_secops.alert-default-2025.08.06-000001",
"_id": "AZiBfdgNX7Ai-5AC0w-T",
"_score": 1,
"_source": {
"@timestamp": "2025-08-06T22:53:31.000Z",
"agent": {
"ephemeral_id": "03b5b12c-bdc1-4771-995a-e661b2fce477",
"id": "971b8243-30b3-48b5-ad95-c64b40daf24f",
"name": "elastic-agent-17375",
"type": "filebeat",
"version": "8.18.0"
},
"data_stream": {
"dataset": "google_secops.alert",
"namespace": "default",
"type": "logs"
},
"destination": {
"ip": [
"10.0.0.5"
]
},
"ecs": {
"version": "8.17.0"
},
"elastic_agent": {
"id": "971b8243-30b3-48b5-ad95-c64b40daf24f",
"snapshot": true,
"version": "8.18.0"
},
"event": {
"agent_id_status": "auth_metadata_missing",
"dataset": "google_secops.alert",
"ingested": "2025-08-06T22:25:10Z",
"kind": "alert",
"risk_score": 73,
"severity": 73,
"type": [
"info"
]
},
"file": {
"hash": {
"sha256": "abeae8aa644e42c49f8bce7cd862f6ec"
},
"path": """C:\Windows\System32\secret.txt"""
},
"google_secops": {
"alert": {
"event": {
"metadata": {
"eventTimestamp": "2025-08-06T22:53:31.000Z",
"ingestedTimestamp": "2025-08-06T22:24:43.000Z"
},
"securityResult": [
{
"severity": "HIGH"
}
]
},
"friendly_name": "Suspicious File Access"
}
},
"host": {
"geo": {
"city_name": "New York",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"region_iso_code": "US-NY",
"region_name": "New York"
},
"ip": [
"10.0.0.5"
],
"name": "host-fileserver"
},
"input": {
"type": "cel"
},
"message": "Suspicious file access detected on 10.0.0.5",
"observer": {
"product": "SimSec",
"vendor": "Elastic"
},
"related": {
"ip": [
"203.0.113.45",
"10.0.0.5"
]
},
"rule": {
"description": "Suspicious file access detected on 10.0.0.5",
"id": "r-cb0401b0-c95e-46c3-8c2a-fe52addf1a38",
"name": "Suspicious File Access",
"version": "1.0"
},
"source": {
"address": "203.0.113.45",
"as": {
"number": 15169,
"organization": {
"name": "Google LLC"
}
},
"geo": {
"city_name": "Mountain View",
"continent_name": "North America",
"country_iso_code": "US",
"country_name": "United States",
"location": {
"lat": 37.38609998021275,
"lon": -122.08390002138913
},
"region_iso_code": "US-CA",
"region_name": "California"
},
"ip": [
"203.0.113.45"
]
},
"tags": [
"forwarded",
"google-secops-alert"
],
"user": {
"name": "bob"
}
}
},