alphasoc / nfr

A lightweight tool to score network traffic and flag anomalies
https://alphasoc.com

Adjust JSON output to add groups and tidy up threats #63

Closed chrisforce1 closed 6 years ago

chrisforce1 commented 6 years ago

So when we describe events, we should attach the group(s) that the source IP belongs to. Within JSON we'd then add a "groups": [] section, e.g.

{
  "follow": "4.9b3db",
  "more": false,
  "events": [
    {
      "type": "alert",
      "ts": [
        "2017-05-22T16:16:56+02:00"
      ],
      "ip": "10.0.2.15",
      "groups": [
        "Default", "Arbitrary group name", "Another group"
      ],
      "record_type": "A",
      "fqdn": "microsoft775.com",
      "risk": 5,
      "flags": [
        "c2"
      ],
      "threats": [
        "c2_communication"
      ]
    }
  ],
  "threats": {
    "c2_communication": {
      "title": "C2 communication attempt indicating infection",
      "severity": 5,
      "policy": false,
      "deprecated": false
    }
  }
}

chrisforce1 commented 6 years ago

@ioj had some input around tidying this up. We should include both the group name (e.g. default or arbitrary_group) and label (e.g. Default or Arbitrary group name) under the groups: section, and look to put all the threats: data under one section also, instead of having a dictionary at the end.

@ioj can you please adjust the format so that Hubert can work on this?

ioj commented 6 years ago

{
  "follow": "4.9b3db",
  "more": false,
  "events": [
    {
      "type": "alert",
      "ts": ["2017-05-22T16:16:56+02:00"],
      "ip": "10.0.2.15",
      "groups": [
        {
          "label": "default",
          "desc": "Default"
        },
        {
          "label": "arbitrary_group",
          "desc": "Arbitrary group name"
        },
        {
          "label": "another",
          "desc": "Another group"
        }
      ],
      "record_type": "A",
      "fqdn": "microsoft775.com",
      "risk": 5,
      "flags": ["c2"],
      "threats": [
        {
          "id": "c2_communication",
          "severity": 5,
          "desc": "C2 communication attempt indicating infection",
          "policy": false,
          "deprecated": false
        },
        {
          "id": "suspicious_domain",
          "severity": 2,
          "desc": "Accessing a suspicious domain",
          "policy": false,
          "deprecated": false
        }
      ]
    }
  ]
}

I changed the following things:
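
An added example, not code from the nfr project or from anyone in this thread: a small Go consumer for the format proposed above, which parses the inline "groups" and "threats" on each event and reports, per group label, the highest severity among non-deprecated threats, the kind of per-group routing the inline layout allows without a trailing threats dictionary. The function name MaxSeverityByGroup and the sample payload are constructed; the second event and its "old_rule" threat are invented to show a deprecated threat being ignored.

```go
package main

import "encoding/json"

// Structs mirror the format proposed above: groups (label + desc) and threats
// are inline on each event; fields not modelled here ("ts", "flags") are ignored.
type Group struct {
	Label string `json:"label"`
	Desc  string `json:"desc"`
}
type Threat struct {
	ID         string `json:"id"`
	Severity   int    `json:"severity"`
	Deprecated bool   `json:"deprecated"`
}
type Event struct {
	IP      string   `json:"ip"`
	Groups  []Group  `json:"groups"`
	Threats []Threat `json:"threats"`
}
// MaxSeverityByGroup returns, per group label, the highest severity among the
// non-deprecated threats raised on hosts in that group (for per-group routing).
func MaxSeverityByGroup(raw []byte) (map[string]int, error) {
	var r struct {
		Events []Event `json:"events"`
	}
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	out := map[string]int{}
	for _, ev := range r.Events {
		for _, t := range ev.Threats {
			if t.Deprecated { continue } // a retired check must not raise a group's severity
			for _, g := range ev.Groups {
				if t.Severity > out[g.Label] {
					out[g.Label] = t.Severity
				}
			}
		}
	}
	return out, nil
}
// sample is constructed for this example; the first event is the one from the thread.
const sample = `{"follow":"4.9b3db","more":false,"events":[
 {"type":"alert","ip":"10.0.2.15","groups":[{"label":"default","desc":"Default"}],"fqdn":"microsoft775.com","risk":5,"threats":[
  {"id":"c2_communication","severity":5,"desc":"C2 communication attempt indicating infection","policy":false,"deprecated":false},
  {"id":"suspicious_domain","severity":2,"desc":"Accessing a suspicious domain","policy":false,"deprecated":false}]},
 {"type":"alert","ip":"10.0.2.16","groups":[{"label":"another","desc":"Another group"}],"fqdn":"example.test","risk":2,"threats":[
  {"id":"old_rule","severity":9,"desc":"Retired check","policy":false,"deprecated":true},{"id":"suspicious_domain","severity":2,"policy":false,"deprecated":false}]}]}`
```

Running MaxSeverityByGroup over sample yields default=5 and another=2; the deprecated severity-9 entry is skipped.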

chrisforce1 commented 6 years ago

Looks good. @krhubert can you please implement?