diff --git a/DoppelVision/DoppelVision.json b/DoppelVision/DoppelVision.json
index d626882..9138238 100644
--- a/DoppelVision/DoppelVision.json
+++ b/DoppelVision/DoppelVision.json
@@ -7,7 +7,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Alerts By Product",
 "search": {
- "queryText": "$$logsrc \n| dedup alert_id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
+ "queryText": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -22,7 +22,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Alerts By Status",
 "search": {
- "queryText": "$$logsrc \n| dedup alert_id\n | timeslice 1d\n| count by _timeslice, alert_status\n| sort by _timeslice asc\n| transpose row _timeslice column alert_status as * ",
+ "queryText": "$$logsrc \n| dedup id\n | timeslice 1d\n| count by _timeslice, queue_state\n| sort by _timeslice asc\n| transpose row _timeslice column queue_state as * ",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -91,7 +91,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| dedup alert_id\n| count",
+ "queryString": "$$logsrc \n| dedup id\n| count",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -118,7 +118,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| where alert_status=\"reported\" or alert_status=\"needs_confirmation\"\n| dedup alert_id\n| count",
+ "queryString": "$$logsrc \n| where queue_state=\"reported\" or queue_state=\"needs_confirmation\"\n| dedup id\n| count",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
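Review bot: The new-side queries in this hunk, and in the hunks at -22, -91, -118, -145, -172, -199, -226, -251, -266, -281 and -296, dedup and filter on `id` and `queue_state`, which are only searchable fields once a tenant's field extraction rule has been replaced with the new rule this commit puts in DoppelVision/README.md; a tenant still running the earlier rule (`alert_status`, `alert_id`) gets empty panels rather than an error, so the rename needs a migration note for admins (and ideally an app version bump). An alternative that leaves every query untouched is to keep the existing field names as aliases in the rule, `json "alert.queue_state", "alert.product", "alert.id" as alert_status, product, alert_id`, which should also keep events already indexed under the old names countable alongside new ones. `id` is also a very generic name for a field produced by an ingest-time extraction rule; if `$$logsrc` is ever widened beyond this source, `dedup id` may pick up an `id` extracted from unrelated logs, so a namespaced alias such as `alert_id` is the safer choice. The enclosing search definitions start and end outside these hunks.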
@@ -145,7 +145,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| where alert_status=\"taken_down\"\n| dedup alert_id\n| count",
+ "queryString": "$$logsrc \n| where queue_state=\"taken_down\"\n| dedup id\n| count",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -172,7 +172,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| dedup alert_id\n| count by product\n| sort by _count\n| limit 10",
+ "queryString": "$$logsrc \n| dedup id\n| count by product\n| sort by _count\n| limit 10",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -199,7 +199,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| dedup alert_id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
+ "queryString": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -226,7 +226,7 @@
 "queries": [
 {
 "transient": false,
- "queryString": "$$logsrc \n| dedup alert_id\n| timeslice 1d\n| count by _timeslice, alert_status\n| sort by _timeslice asc\n| transpose row _timeslice column alert_status as * ",
+ "queryString": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, queue_state\n| sort by _timeslice asc\n| transpose row _timeslice column queue_state as * ",
 "queryType": "Logs",
 "queryKey": "A",
 "metricsQueryMode": null,
@@ -251,7 +251,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Resolved Alerts",
 "search": {
- "queryText": "$$logsrc \n| where alert_status=\"taken_down\"\n| dedup alert_id\n| count",
+ "queryText": "$$logsrc \n| where queue_state=\"taken_down\"\n| dedup id\n| count",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -266,7 +266,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Total Alerts",
 "search": {
- "queryText": "$$logsrc \n| dedup alert_id\n| count",
+ "queryText": "$$logsrc \n| dedup id\n| count",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -281,7 +281,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Total Alerts By Product",
 "search": {
- "queryText": "$$logsrc \n| dedup alert_id\n| count by product\n| sort by _count\n| limit 10",
+ "queryText": "$$logsrc \n| dedup id\n| count by product\n| sort by _count\n| limit 10",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -296,7 +296,7 @@
 "type": "SavedSearchWithScheduleSyncDefinition",
 "name": "Verified Alerts",
 "search": {
- "queryText": "$$logsrc \n| where alert_status=\"reported\" or alert_status=\"needs_confirmation\"\n| dedup alert_id\n| count",
+ "queryText": "$$logsrc \n| where queue_state=\"reported\" or queue_state=\"needs_confirmation\"\n| dedup id\n| count",
 "byReceiptTime": false,
 "viewName": "",
 "viewStartTime": "1970-01-01T00:00:00Z",
diff --git a/DoppelVision/README.md b/DoppelVision/README.md
index 2c68e56..7935e7f 100644
--- a/DoppelVision/README.md
+++ b/DoppelVision/README.md
@@ -18,7 +18,7 @@ ```text -{"event_type":"alert_updated","timestamp":"2024-09-05T14:45:30.129321","updated_values":{"alert_status":"archived"},"alert":{"alert_id":"MTN-13","doppel_url":"https://app.doppel.com/crypto/MTN-13","created_at":"2024-09-05T13:55:19.28432","alert_value":"phishing_wallet_v2","alert_status":"archived","alert_state":"resolved","severity":"medium","product":"crypto","source":"user_report","notes":"No further action required","uploaded_by":"liam@doppel.com","tags":[]}} +{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"archived"},"alert":{"id":"MTN-13","doppel_link":"https://app.doppel.com/crypto/MTN-13","created_at":"2024-09-05T13:55:19.28432","entity":"phishing_wallet_v2","queue_state":"archived","entity_state":"resolved","severity":"medium","product":"crypto","source":"user_report","notes":"No further action required","uploaded_by":"liam@doppel.com","tags":[]}} ``` ## Query Sample @@ -53,8 +53,8 @@ Post creation of a host collector, create a source on the collector using follow Your Sumo Logic Admin setting up the Doppel Vision App(only once) should add the following field extraction rules to the tenant using below mentioned steps: Follow below steps to create Field Extraction rules at ingest time. 1. Copy the rules from below: ```text - json "alert.alert_status", "alert.product", "alert.alert_id" as alert_status, product, alert_id - | fields alert_status, product, alert_id + json "alert.queue_state", "alert.product", "alert.id" as queue_state, product, id + | fields queue_state, product, id ``` 2. Login to the Sumo Logic tenant -> Manage Data -> Logs -> Field Extraction Rules -> Click on "+ Add Rule" diff --git a/DoppelVision/resources/logs/DoppelVisionLogs.txt b/DoppelVision/resources/logs/DoppelVisionLogs.txt index a5e82ad..219fe5d 100644 --- a/DoppelVision/resources/logs/DoppelVisionLogs.txt +++ b/DoppelVision/resources/logs/DoppelVisionLogs.txt 
@@ -1,10 +1,10 @@
-{"event_type":"alert_updated","timestamp":"2024-08-30T22:59:20.207046","updated_values":{"alert_status":"doppel_review"},"alert":{"alert_id":"MTN-2","doppel_url":"https://app.doppel.com/domains/MTN-2","created_at":"2024-08-30T22:59:02.14829","alert_value":"example1.com","alert_status":"doppel_review","alert_state":"active","severity":"medium","product":"domains","source":"ui_upload","notes":null,"uploaded_by":"john@doppel.com","tags":[]}}
-{"event_type": "alert_updated", "timestamp": "2024-08-30T22:59:20.207046", "updated_values": {"alert_status": "needs_action"}, "alert": {"alert_id": "MTN-1", "doppel_url": "https://app.doppel.com/domains/MTN-1", "created_at": "2024-08-30T22:59:02.14829", "alert_value": "test_1.com", "alert_status": "needs_action", "alert_state": "active", "severity": "high", "product": "domains", "source": "ui_upload", "notes": null, "uploaded_by": "abhishek@doppel.com", "tags": []}}
-{"event_type":"alert_updated","timestamp":"2024-09-06T06:42:17.593210","updated_values":{"alert_status":"doppel_review"},"alert":{"alert_id":"MTN-20","doppel_url":"https://app.doppel.com/crypto/MTN-20","created_at":"2024-09-06T06:30:45.11222","alert_value":"malicious_wallet_v3","alert_status":"doppel_review","alert_state":"active","severity":"high","product":"crypto","source":"api_detection","notes":null,"uploaded_by":"isabella@doppel.com","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-06T03:25:11.648391","updated_values":{"alert_status":"archived"},"alert":{"alert_id":"MTN-19","doppel_url":"https://app.doppel.com/ecommerce/MTN-19","created_at":"2024-09-06T03:00:15.78332","alert_value":"fake_listing_v3","alert_status":"archived","alert_state":"resolved","severity":"medium","product":"ecommerce","source":"user_report","notes":"Issue resolved, no further action","uploaded_by":"charlotte@doppel.com","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-06T00:12:54.743210","updated_values":{"alert_status":"monitoring"},"alert":{"alert_id":"MTN-18","doppel_url":"https://app.doppel.com/mobile_apps/MTN-18","created_at":"2024-09-05T23:45:22.21211","alert_value":"suspicious_app_v3.apk","alert_status":"monitoring","alert_state":"active","severity":"low","product":"mobile_apps","source":"automated_scan","notes":null,"uploaded_by":"jack@doppel.com","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T22:59:20.207046","updated_values":{"alert_status":"taken_down"},"alert":{"alert_id":"MTN-17","doppel_url":"https://app.doppel.com/social_media/MTN-17","created_at":"2024-09-05T22:30:22.34567","alert_value":"@fake_account_v2","alert_status":"taken_down","alert_state":"resolved","severity":"critical","product":"social_media","source":"user_report","notes":null,"uploaded_by":"emma@doppel.com","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T20:45:12.743210","updated_values":{"alert_status":"reported"},"alert":{"alert_id":"MTN-16","doppel_url":"https://app.doppel.com/domains/MTN-16","created_at":"2024-09-05T20:30:54.11222","alert_value":"example3.com","alert_status":"reported","alert_state":"active","severity":"high","product":"domains","source":"api_detection","notes":null,"uploaded_by":"olivia@doppel.com","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T19:05:47.390245","updated_values":{"alert_status":"needs_confirmation"},"alert":{"alert_id":"MTN-15","doppel_url":"https://app.doppel.com/paid_ads/MTN-15","created_at":"2024-09-05T18:45:23.98332","alert_value":"fraudulent_ad_v2","alert_status":"needs_confirmation","alert_state":"active","severity":"medium","product":"paid_ads","source":"user_report","notes":null,"uploaded_by":"natalie@doppel.com","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T17:23:11.482317","updated_values":{"alert_status":"doppel_review"},"alert":{"alert_id":"MTN-14","doppel_url":"https://app.doppel.com/email/MTN-14","created_at":"2024-09-05T17:00:11.59293","alert_value":"phishing_email_v2","alert_status":"doppel_review","alert_state":"active","severity":"critical","product":"email","source":"ui_upload","notes":null,"uploaded_by":"james@doppel.com","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T14:45:30.129321","updated_values":{"alert_status":"archived"},"alert":{"alert_id":"MTN-13","doppel_url":"https://app.doppel.com/crypto/MTN-13","created_at":"2024-09-05T13:55:19.28432","alert_value":"phishing_wallet_v2","alert_status":"archived","alert_state":"resolved","severity":"medium","product":"crypto","source":"user_report","notes":"No further action required","uploaded_by":"liam@doppel.com","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"doppel_review"},"alert":{"id":"MTN-2","doppel_link":"https://app.doppel.com/domains/MTN-2","created_at":"2024-08-30T22:59:02.14829","entity":"example1.com","queue_state":"doppel_review","entity_state":"active","severity":"medium","product":"domains","source":"ui_upload","notes":null,"uploaded_by":"john@doppel.com","tags":[]}}
+{"event_type": "alert_updated","timestamp":"2024-09-11T06:12:17.593210", "updated_values": {"queue_state": "needs_action"}, "alert": {"id": "MTN-1", "doppel_link": "https://app.doppel.com/domains/MTN-1", "created_at": "2024-08-30T22:59:02.14829", "entity": "test_1.com", "queue_state": "needs_action", "entity_state": "active", "severity": "high", "product": "domains", "source": "ui_upload", "notes": null, "uploaded_by": "abhishek@doppel.com", "tags": []}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"doppel_review"},"alert":{"id":"MTN-20","doppel_link":"https://app.doppel.com/crypto/MTN-20","created_at":"2024-09-06T06:30:45.11222","entity":"malicious_wallet_v3","queue_state":"doppel_review","entity_state":"active","severity":"high","product":"crypto","source":"api_detection","notes":null,"uploaded_by":"isabella@doppel.com","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"archived"},"alert":{"id":"MTN-19","doppel_link":"https://app.doppel.com/ecommerce/MTN-19","created_at":"2024-09-06T03:00:15.78332","entity":"fake_listing_v3","queue_state":"archived","entity_state":"resolved","severity":"medium","product":"ecommerce","source":"user_report","notes":"Issue resolved, no further action","uploaded_by":"charlotte@doppel.com","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"monitoring"},"alert":{"id":"MTN-18","doppel_link":"https://app.doppel.com/mobile_apps/MTN-18","created_at":"2024-09-05T23:45:22.21211","entity":"suspicious_app_v3.apk","queue_state":"monitoring","entity_state":"active","severity":"low","product":"mobile_apps","source":"automated_scan","notes":null,"uploaded_by":"jack@doppel.com","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"taken_down"},"alert":{"id":"MTN-17","doppel_link":"https://app.doppel.com/social_media/MTN-17","created_at":"2024-09-05T22:30:22.34567","entity":"@fake_account_v2","queue_state":"taken_down","entity_state":"resolved","severity":"critical","product":"social_media","source":"user_report","notes":null,"uploaded_by":"emma@doppel.com","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"reported"},"alert":{"id":"MTN-16","doppel_link":"https://app.doppel.com/domains/MTN-16","created_at":"2024-09-05T20:30:54.11222","entity":"example3.com","queue_state":"reported","entity_state":"active","severity":"high","product":"domains","source":"api_detection","notes":null,"uploaded_by":"olivia@doppel.com","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"needs_confirmation"},"alert":{"id":"MTN-15","doppel_link":"https://app.doppel.com/paid_ads/MTN-15","created_at":"2024-09-05T18:45:23.98332","entity":"fraudulent_ad_v2","queue_state":"needs_confirmation","entity_state":"active","severity":"medium","product":"paid_ads","source":"user_report","notes":null,"uploaded_by":"natalie@doppel.com","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"doppel_review"},"alert":{"id":"MTN-14","doppel_link":"https://app.doppel.com/email/MTN-14","created_at":"2024-09-05T17:00:11.59293","entity":"phishing_email_v2","queue_state":"doppel_review","entity_state":"active","severity":"critical","product":"email","source":"ui_upload","notes":null,"uploaded_by":"james@doppel.com","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"archived"},"alert":{"id":"MTN-13","doppel_link":"https://app.doppel.com/crypto/MTN-13","created_at":"2024-09-05T13:55:19.28432","entity":"phishing_wallet_v2","queue_state":"archived","entity_state":"resolved","severity":"medium","product":"crypto","source":"user_report","notes":"No further action required","uploaded_by":"liam@doppel.com","tags":[]}}
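Review bot: Every record on the new side carries the identical `timestamp` value `2024-09-11T06:12:17.593210`, whereas the removed records were spread over 2024-08-30 through 2024-09-06 and the `created_at` values still vary per record; if the collector derives message time from this field, the `timeslice 1d` panels in DoppelVision.json will render the whole sample as a single bucket, which defeats the purpose of the fixture. Keeping the original per-record timestamps under the renamed keys would preserve that coverage. The `uploaded_by` values also look like real staff mailboxes on the vendor domain; sample fixtures are conventionally given reserved example-domain addresses instead.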
diff --git a/DoppelVision/resources/screenshots/DoppelVisionFieldExtractionRules.png b/DoppelVision/resources/screenshots/DoppelVisionFieldExtractionRules.png index d72e075..a8d6d80 100644 Binary files a/DoppelVision/resources/screenshots/DoppelVisionFieldExtractionRules.png and b/DoppelVision/resources/screenshots/DoppelVisionFieldExtractionRules.png differ