-
Notifications
You must be signed in to change notification settings - Fork 460
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
carbon_black_cloud: Cleanup fields based on Alert API doc
Removes fields missing from the Carbon Black Cloud Alert APIs(https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/alerts-api/#fields.) but present in the integration doc
- Loading branch information
Showing
13 changed files
with
70 additions
and
189 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,7 @@ rules: | |
| responses: | ||
| - status_code: 200 | ||
| body: | | ||
| {"results":[{"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-002","device_username":"[email protected]","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"device_internal_ip":"81.2.69.144","device_external_ip":"81.2.69.143","alert_url":"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976","reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"}],"num_found":6197,"num_available":6197} | ||
| {"results":[{"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-002","device_username":"[email protected]","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"}],"num_found":6197,"num_available":6197} | ||
| - path: /integrationServices/v3/auditlogs | ||
| methods: ["GET"] | ||
| responses: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 changes: 3 additions & 3 deletions
6
packages/carbon_black_cloud/data_stream/alert/_dev/test/pipeline/test-alert.log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| {"type":"WATCHLIST","id":"test1","legacy_alert_id":"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD","org_key":"ABCD1234","create_time":"2021-01-04T23:33:32Z","last_update_time":"2021-01-04T23:33:32Z","first_event_time":"2021-01-04T23:25:58Z","last_event_time":"2021-01-04T23:25:58Z","threat_id":"t9101","severity":7,"category":"WARNING","device_id":1,"device_os":"WINDOWS","device_name":"abc\\DESKTOP-001","device_username":"xyz\\[email protected]","policy_id":6525,"policy_name":"default","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2021-01-04T23:32:19Z","comment":"","changed_by":"Carbon Black"},"device_internal_ip":"1.128.3.4","device_external_ip":"81.2.69.145","alert_url":"https://defense.conferdeploy.net/cb/investigate/processes?orgId=123&query=alert_id%3A951d536a-2817-4790-8c97-c2d31624de7c+AND+device_id%3A3775337&searchWindow=ALL","reason_code":"Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"","process_name":"powershell.exe","threat_indicators":[{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]}],"threat_cause_actor_sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","threat_cause_actor_name":"powershell.exe","threat_cause_reputation":"COMMON_WHITE_LIST","threat_cause_threat_category":"RESPONSE_WATCHLIST","threat_cause_vector":"UNKNOWN","run_state":"RAN","ioc_id":"e41b000e-eb5a-41f4-aa67-1902d186a457-0","ioc_hit":"(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true","watchlists":[{"id":"mrTB06fAQbeNfvl47cQiGg","name":"Carbon Black Advanced Threats"}],"process_guid":"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613","process_path":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","report_name":"Execution - PowerShell Downloading Behaviors Detected","report_id":"MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457","status":"UNRESOLVED"} | ||
| {"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-002","device_username":"[email protected]","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"device_internal_ip":"81.2.69.144","device_external_ip":"81.2.69.143","alert_url":"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976","reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"} | ||
| {"type":"CB_ANALYTICS","id":"test1","legacy_alert_id":"ZHGKP3EM","org_key":"ABCD1234","create_time":"2021-01-04T22:22:52Z","last_update_time":"2021-01-04T22:23:05Z","first_event_time":"2021-01-04T22:22:42Z","last_event_time":"2021-01-04T22:22:42Z","threat_id":"t1234","severity":4,"category":"NOTICE","device_id":3,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-003","device_username":"[email protected]","policy_id":6525,"policy_name":"default","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2021-01-04T22:22:52Z","comment":"","changed_by":"Carbon Black"},"device_internal_ip":"1.128.3.4","device_external_ip":"81.2.69.143","alert_url":"https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM&orgId=123","reason":"The application powershell.exe is executing a fileless script or command.","reason_code":"R_FILELESS","process_name":"powershell.exe","device_location":"OFFSITE","created_by_event_id":"5daf0f2c4edb11ebb2828b41ebaf3867","threat_indicators":[{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MODIFY_MEMORY_PROTECTION"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["FILELESS"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MITRE_T1057_PROCESS_DISCOVERY"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["CODE_DROP"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["ENUMERATE_PROCESSES"]}],"threat_cause_actor_sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","threat_cause_actor_name":"powershell.exe","threat_cause_actor_process_pid":"3292-132541831999374961-0","threat_cause_reputation":"COMMON_WHITE_LIST","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"UNKNOWN","threat_cause_cause_event_id":"5daf0f344edb11ebb2828b41ebaf3867","blocked_threat_category":"UNKNOWN","not_blocked_threat_category":"NON_MALWARE","kill_chain_status":["DELIVER_EXPLOIT"],"run_state":"RAN","policy_applied":"NOT_APPLIED"} | ||
| {"type":"WATCHLIST","id":"test1","legacy_alert_id":"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD","org_key":"ABCD1234","create_time":"2021-01-04T23:33:32Z","last_update_time":"2021-01-04T23:33:32Z","first_event_time":"2021-01-04T23:25:58Z","last_event_time":"2021-01-04T23:25:58Z","threat_id":"t9101","severity":7,"category":"WARNING","device_id":1,"device_os":"WINDOWS","device_name":"abc\\DESKTOP-001","device_username":"xyz\\[email protected]","policy_id":6525,"policy_name":"default","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2021-01-04T23:32:19Z","comment":"","changed_by":"Carbon Black"},"reason_code":"Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"","process_name":"powershell.exe","threat_indicators":[{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]}],"threat_cause_actor_sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","threat_cause_actor_name":"powershell.exe","threat_cause_reputation":"COMMON_WHITE_LIST","threat_cause_threat_category":"RESPONSE_WATCHLIST","threat_cause_vector":"UNKNOWN","run_state":"RAN","ioc_id":"e41b000e-eb5a-41f4-aa67-1902d186a457-0","ioc_hit":"(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true","watchlists":[{"id":"mrTB06fAQbeNfvl47cQiGg","name":"Carbon Black Advanced Threats"}],"process_guid":"ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613","process_path":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","report_name":"Execution - PowerShell Downloading Behaviors Detected","report_id":"MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457","status":"UNRESOLVED"} | ||
| {"type":"DEVICE_CONTROL","id":"test1","legacy_alert_id":"C8EB7306-AF26-4A9A-B677-814B3AF69720","org_key":"ABCD6X3T","create_time":"2020-11-17T22:05:13Z","last_update_time":"2020-11-17T22:05:13Z","first_event_time":"2020-11-17T22:02:16Z","last_event_time":"2020-11-17T22:02:16Z","threat_id":"t5678","severity":3,"category":"WARNING","device_id":2,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-002","device_username":"[email protected]","policy_id":6997287,"policy_name":"Standard","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2020-11-17T22:02:16Z","comment":"","changed_by":"Carbon Black"},"reason":"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.","reason_code":"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC","device_location":"UNKNOWN","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"REMOVABLE_MEDIA","threat_cause_cause_event_id":"FCEE2AF0-D832-4C9F-B988-F11B46028C9E","sensor_action":"DENY","run_state":"DID_NOT_RUN","policy_applied":"APPLIED","vendor_name":"SanDisk","vendor_id":"0x0781","product_name":"U3 Cruzer Micro","product_id":"0x5406","serial_number":"0875920EF7C2A304"} | ||
| {"type":"CB_ANALYTICS","id":"test1","legacy_alert_id":"ZHGKP3EM","org_key":"ABCD1234","create_time":"2021-01-04T22:22:52Z","last_update_time":"2021-01-04T22:23:05Z","first_event_time":"2021-01-04T22:22:42Z","last_event_time":"2021-01-04T22:22:42Z","threat_id":"t1234","severity":4,"category":"NOTICE","device_id":3,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_name":"DESKTOP-003","device_username":"[email protected]","policy_id":6525,"policy_name":"default","target_value":"MEDIUM","workflow":{"state":"OPEN","remediation":"","last_update_time":"2021-01-04T22:22:52Z","comment":"","changed_by":"Carbon Black"},"reason":"The application powershell.exe is executing a fileless script or command.","reason_code":"R_FILELESS","process_name":"powershell.exe","device_location":"OFFSITE","created_by_event_id":"5daf0f2c4edb11ebb2828b41ebaf3867","threat_indicators":[{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MODIFY_MEMORY_PROTECTION"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["FILELESS"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["MITRE_T1057_PROCESS_DISCOVERY"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["CODE_DROP"]},{"process_name":"powershell.exe","sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","ttps":["ENUMERATE_PROCESSES"]}],"threat_cause_actor_sha256":"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53","threat_cause_actor_name":"powershell.exe","threat_cause_actor_process_pid":"3292-132541831999374961-0","threat_cause_reputation":"COMMON_WHITE_LIST","threat_cause_threat_category":"NON_MALWARE","threat_cause_vector":"UNKNOWN","threat_cause_cause_event_id":"5daf0f344edb11ebb2828b41ebaf3867","blocked_threat_category":"UNKNOWN","not_blocked_threat_category":"NON_MALWARE","kill_chain_status":["DELIVER_EXPLOIT"],"run_state":"RAN","policy_applied":"NOT_APPLIED"} |
Oops, something went wrong.