metron-labs · saipriya-metron · Sep 11, 2024 · Sep 11, 2024
diff --git a/DoppelVision/DoppelVision.json b/DoppelVision/DoppelVision.json
@@ -7,7 +7,7 @@
             "type": "SavedSearchWithScheduleSyncDefinition",
             "name": "Alerts By Product",
             "search": {
-                "queryText": "$$logsrc \n| dedup alert_id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
+                "queryText": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
                 "byReceiptTime": false,
                 "viewName": "",
                 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -22,7 +22,7 @@
             "type": "SavedSearchWithScheduleSyncDefinition",
             "name": "Alerts By Status",
             "search": {
-                "queryText": "$$logsrc \n| dedup alert_id\n | timeslice 1d\n| count by _timeslice, alert_status\n| sort by _timeslice asc\n| transpose row _timeslice column alert_status as * ",
+                "queryText": "$$logsrc \n| dedup id\n | timeslice 1d\n| count by _timeslice, queue_state\n| sort by _timeslice asc\n| transpose row _timeslice column queue_state as * ",
                 "byReceiptTime": false,
                 "viewName": "",
                 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -91,7 +91,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "$$logsrc \n| dedup alert_id\n| count",
+                            "queryString": "$$logsrc \n| dedup id\n| count",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,
@@ -118,7 +118,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "$$logsrc \n| where alert_status=\"reported\" or alert_status=\"needs_confirmation\"\n| dedup alert_id\n| count",
+                            "queryString": "$$logsrc \n| where queue_state=\"reported\" or queue_state=\"needs_confirmation\"\n| dedup id\n| count",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,
@@ -145,7 +145,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "$$logsrc \n| where alert_status=\"taken_down\"\n| dedup alert_id\n| count",
+                            "queryString": "$$logsrc \n| where queue_state=\"taken_down\"\n| dedup id\n| count",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,
@@ -172,7 +172,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "$$logsrc  \n| dedup alert_id\n| count by product\n| sort by _count\n| limit 10",
+                            "queryString": "$$logsrc  \n| dedup id\n| count by product\n| sort by _count\n| limit 10",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,
@@ -199,7 +199,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "$$logsrc \n| dedup alert_id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
+                            "queryString": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, product\n| sort by _timeslice asc\n| transpose row _timeslice column product as * ",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,
@@ -226,7 +226,7 @@
                     "queries": [
                         {
                             "transient": false,
-                            "queryString": "$$logsrc \n| dedup alert_id\n| timeslice 1d\n| count by _timeslice, alert_status\n| sort by _timeslice asc\n| transpose row _timeslice column alert_status as * ",
+                            "queryString": "$$logsrc \n| dedup id\n| timeslice 1d\n| count by _timeslice, queue_state\n| sort by _timeslice asc\n| transpose row _timeslice column queue_state as * ",
                             "queryType": "Logs",
                             "queryKey": "A",
                             "metricsQueryMode": null,
@@ -251,7 +251,7 @@
             "type": "SavedSearchWithScheduleSyncDefinition",
             "name": "Resolved Alerts",
             "search": {
-                "queryText": "$$logsrc \n| where alert_status=\"taken_down\"\n| dedup alert_id\n| count",
+                "queryText": "$$logsrc \n| where queue_state=\"taken_down\"\n| dedup id\n| count",
                 "byReceiptTime": false,
                 "viewName": "",
                 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -266,7 +266,7 @@
             "type": "SavedSearchWithScheduleSyncDefinition",
             "name": "Total Alerts",
             "search": {
-                "queryText": "$$logsrc \n| dedup alert_id\n| count",
+                "queryText": "$$logsrc \n| dedup id\n| count",
                 "byReceiptTime": false,
                 "viewName": "",
                 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -281,7 +281,7 @@
             "type": "SavedSearchWithScheduleSyncDefinition",
             "name": "Total Alerts By Product",
             "search": {
-                "queryText": "$$logsrc  \n| dedup alert_id\n| count by product\n| sort by _count\n| limit 10",
+                "queryText": "$$logsrc  \n| dedup id\n| count by product\n| sort by _count\n| limit 10",
                 "byReceiptTime": false,
                 "viewName": "",
                 "viewStartTime": "1970-01-01T00:00:00Z",
@@ -296,7 +296,7 @@
             "type": "SavedSearchWithScheduleSyncDefinition",
             "name": "Verified Alerts",
             "search": {
-                "queryText": "$$logsrc \n| where alert_status=\"reported\" or alert_status=\"needs_confirmation\"\n| dedup alert_id\n| count",
+                "queryText": "$$logsrc \n| where queue_state=\"reported\" or queue_state=\"needs_confirmation\"\n| dedup id\n| count",
                 "byReceiptTime": false,
                 "viewName": "",
                 "viewStartTime": "1970-01-01T00:00:00Z",

diff --git a/DoppelVision/README.md b/DoppelVision/README.md
@@ -18,7 +18,7 @@
 
 
 ```text
-{"event_type":"alert_updated","timestamp":"2024-09-05T14:45:30.129321","updated_values":{"alert_status":"archived"},"alert":{"alert_id":"MTN-13","doppel_url":"https://app.doppel.com/crypto/MTN-13","created_at":"2024-09-05T13:55:19.28432","alert_value":"phishing_wallet_v2","alert_status":"archived","alert_state":"resolved","severity":"medium","product":"crypto","source":"user_report","notes":"No further action required","uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"archived"},"alert":{"id":"MTN-13","doppel_link":"https://app.doppel.com/crypto/MTN-13","created_at":"2024-09-05T13:55:19.28432","entity":"phishing_wallet_v2","queue_state":"archived","entity_state":"resolved","severity":"medium","product":"crypto","source":"user_report","notes":"No further action required","uploaded_by":"[email protected]","tags":[]}}
 ```
 
 ## Query Sample
@@ -53,8 +53,8 @@ Post creation of a host collector, create a source on the collector using follow
 Your Sumo Logic Admin setting up the Doppel Vision App(only once) should add the following field extraction rules to the tenant using below mentioned steps: Follow below steps to create Field Extraction rules at ingest time.
 1. Copy the rules from below:
     ```text
-        json "alert.alert_status", "alert.product", "alert.alert_id" as alert_status, product, alert_id
-        | fields alert_status, product, alert_id
+    json "alert.queue_state", "alert.product", "alert.id" as queue_state, product, id
+    | fields queue_state, product, id
     ```
 
 2. Login to the Sumo Logic tenant -> Manage Data -> Logs -> Field Extraction Rules -> Click on "+ Add Rule"

diff --git a/DoppelVision/resources/logs/DoppelVisionLogs.txt b/DoppelVision/resources/logs/DoppelVisionLogs.txt
@@ -1,10 +1,10 @@
-{"event_type":"alert_updated","timestamp":"2024-08-30T22:59:20.207046","updated_values":{"alert_status":"doppel_review"},"alert":{"alert_id":"MTN-2","doppel_url":"https://app.doppel.com/domains/MTN-2","created_at":"2024-08-30T22:59:02.14829","alert_value":"example1.com","alert_status":"doppel_review","alert_state":"active","severity":"medium","product":"domains","source":"ui_upload","notes":null,"uploaded_by":"[email protected]","tags":[]}}
-{"event_type": "alert_updated", "timestamp": "2024-08-30T22:59:20.207046", "updated_values": {"alert_status": "needs_action"}, "alert": {"alert_id": "MTN-1", "doppel_url": "https://app.doppel.com/domains/MTN-1", "created_at": "2024-08-30T22:59:02.14829", "alert_value": "test_1.com", "alert_status": "needs_action", "alert_state": "active", "severity": "high", "product": "domains", "source": "ui_upload", "notes": null, "uploaded_by": "[email protected]", "tags": []}}
-{"event_type":"alert_updated","timestamp":"2024-09-06T06:42:17.593210","updated_values":{"alert_status":"doppel_review"},"alert":{"alert_id":"MTN-20","doppel_url":"https://app.doppel.com/crypto/MTN-20","created_at":"2024-09-06T06:30:45.11222","alert_value":"malicious_wallet_v3","alert_status":"doppel_review","alert_state":"active","severity":"high","product":"crypto","source":"api_detection","notes":null,"uploaded_by":"[email protected]","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-06T03:25:11.648391","updated_values":{"alert_status":"archived"},"alert":{"alert_id":"MTN-19","doppel_url":"https://app.doppel.com/ecommerce/MTN-19","created_at":"2024-09-06T03:00:15.78332","alert_value":"fake_listing_v3","alert_status":"archived","alert_state":"resolved","severity":"medium","product":"ecommerce","source":"user_report","notes":"Issue resolved, no further action","uploaded_by":"[email protected]","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-06T00:12:54.743210","updated_values":{"alert_status":"monitoring"},"alert":{"alert_id":"MTN-18","doppel_url":"https://app.doppel.com/mobile_apps/MTN-18","created_at":"2024-09-05T23:45:22.21211","alert_value":"suspicious_app_v3.apk","alert_status":"monitoring","alert_state":"active","severity":"low","product":"mobile_apps","source":"automated_scan","notes":null,"uploaded_by":"[email protected]","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T22:59:20.207046","updated_values":{"alert_status":"taken_down"},"alert":{"alert_id":"MTN-17","doppel_url":"https://app.doppel.com/social_media/MTN-17","created_at":"2024-09-05T22:30:22.34567","alert_value":"@fake_account_v2","alert_status":"taken_down","alert_state":"resolved","severity":"critical","product":"social_media","source":"user_report","notes":null,"uploaded_by":"[email protected]","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T20:45:12.743210","updated_values":{"alert_status":"reported"},"alert":{"alert_id":"MTN-16","doppel_url":"https://app.doppel.com/domains/MTN-16","created_at":"2024-09-05T20:30:54.11222","alert_value":"example3.com","alert_status":"reported","alert_state":"active","severity":"high","product":"domains","source":"api_detection","notes":null,"uploaded_by":"[email protected]","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T19:05:47.390245","updated_values":{"alert_status":"needs_confirmation"},"alert":{"alert_id":"MTN-15","doppel_url":"https://app.doppel.com/paid_ads/MTN-15","created_at":"2024-09-05T18:45:23.98332","alert_value":"fraudulent_ad_v2","alert_status":"needs_confirmation","alert_state":"active","severity":"medium","product":"paid_ads","source":"user_report","notes":null,"uploaded_by":"[email protected]","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T17:23:11.482317","updated_values":{"alert_status":"doppel_review"},"alert":{"alert_id":"MTN-14","doppel_url":"https://app.doppel.com/email/MTN-14","created_at":"2024-09-05T17:00:11.59293","alert_value":"phishing_email_v2","alert_status":"doppel_review","alert_state":"active","severity":"critical","product":"email","source":"ui_upload","notes":null,"uploaded_by":"[email protected]","tags":[]}}
-{"event_type":"alert_updated","timestamp":"2024-09-05T14:45:30.129321","updated_values":{"alert_status":"archived"},"alert":{"alert_id":"MTN-13","doppel_url":"https://app.doppel.com/crypto/MTN-13","created_at":"2024-09-05T13:55:19.28432","alert_value":"phishing_wallet_v2","alert_status":"archived","alert_state":"resolved","severity":"medium","product":"crypto","source":"user_report","notes":"No further action required","uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"doppel_review"},"alert":{"id":"MTN-2","doppel_link":"https://app.doppel.com/domains/MTN-2","created_at":"2024-08-30T22:59:02.14829","entity":"example1.com","queue_state":"doppel_review","entity_state":"active","severity":"medium","product":"domains","source":"ui_upload","notes":null,"uploaded_by":"[email protected]","tags":[]}}
+{"event_type": "alert_updated","timestamp":"2024-09-11T06:12:17.593210", "updated_values": {"queue_state": "needs_action"}, "alert": {"id": "MTN-1", "doppel_link": "https://app.doppel.com/domains/MTN-1", "created_at": "2024-08-30T22:59:02.14829", "entity": "test_1.com", "queue_state": "needs_action", "entity_state": "active", "severity": "high", "product": "domains", "source": "ui_upload", "notes": null, "uploaded_by": "[email protected]", "tags": []}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"doppel_review"},"alert":{"id":"MTN-20","doppel_link":"https://app.doppel.com/crypto/MTN-20","created_at":"2024-09-06T06:30:45.11222","entity":"malicious_wallet_v3","queue_state":"doppel_review","entity_state":"active","severity":"high","product":"crypto","source":"api_detection","notes":null,"uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"archived"},"alert":{"id":"MTN-19","doppel_link":"https://app.doppel.com/ecommerce/MTN-19","created_at":"2024-09-06T03:00:15.78332","entity":"fake_listing_v3","queue_state":"archived","entity_state":"resolved","severity":"medium","product":"ecommerce","source":"user_report","notes":"Issue resolved, no further action","uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"monitoring"},"alert":{"id":"MTN-18","doppel_link":"https://app.doppel.com/mobile_apps/MTN-18","created_at":"2024-09-05T23:45:22.21211","entity":"suspicious_app_v3.apk","queue_state":"monitoring","entity_state":"active","severity":"low","product":"mobile_apps","source":"automated_scan","notes":null,"uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"taken_down"},"alert":{"id":"MTN-17","doppel_link":"https://app.doppel.com/social_media/MTN-17","created_at":"2024-09-05T22:30:22.34567","entity":"@fake_account_v2","queue_state":"taken_down","entity_state":"resolved","severity":"critical","product":"social_media","source":"user_report","notes":null,"uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"reported"},"alert":{"id":"MTN-16","doppel_link":"https://app.doppel.com/domains/MTN-16","created_at":"2024-09-05T20:30:54.11222","entity":"example3.com","queue_state":"reported","entity_state":"active","severity":"high","product":"domains","source":"api_detection","notes":null,"uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"needs_confirmation"},"alert":{"id":"MTN-15","doppel_link":"https://app.doppel.com/paid_ads/MTN-15","created_at":"2024-09-05T18:45:23.98332","entity":"fraudulent_ad_v2","queue_state":"needs_confirmation","entity_state":"active","severity":"medium","product":"paid_ads","source":"user_report","notes":null,"uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"doppel_review"},"alert":{"id":"MTN-14","doppel_link":"https://app.doppel.com/email/MTN-14","created_at":"2024-09-05T17:00:11.59293","entity":"phishing_email_v2","queue_state":"doppel_review","entity_state":"active","severity":"critical","product":"email","source":"ui_upload","notes":null,"uploaded_by":"[email protected]","tags":[]}}
+{"event_type":"alert_updated","timestamp":"2024-09-11T06:12:17.593210","updated_values":{"queue_state":"archived"},"alert":{"id":"MTN-13","doppel_link":"https://app.doppel.com/crypto/MTN-13","created_at":"2024-09-05T13:55:19.28432","entity":"phishing_wallet_v2","queue_state":"archived","entity_state":"resolved","severity":"medium","product":"crypto","source":"user_report","notes":"No further action required","uploaded_by":"[email protected]","tags":[]}}
diff --git a/DoppelVision/resources/screenshots/DoppelVisionFieldExtractionRules.png b/DoppelVision/resources/screenshots/DoppelVisionFieldExtractionRules.png