snowflakedb / SnowAlert

Security Analytics Using The Snowflake Data Warehouse
Apache License 2.0

References in object construct #452

Open sfc-gh-dwyleczukstern opened 4 years ago

sfc-gh-dwyleczukstern commented 4 years ago

I would like to have a references field in the SnowAlert object, which can be an array of URL and alternate-text pairs, so I can document external references separately from the description field.

sfc-gh-afedorov commented 4 years ago

Can you give an example of what kinds of references you mean? Might generalizing the sources column to have objects with a url give us what we want?

sfc-gh-dwyleczukstern commented 4 years ago

sources might, but I interpret sources to be the data sources for the alert.

Something like this:

SELECT OBJECT_CONSTRUCT('processName', processName, 'fileName', fileName) AS environment
     , ARRAY_CONSTRUCT('FileTracker') AS sources
     , 'ASDF' AS title
     , 'ASDF' AS action
     , fileName AS object
     -- each reference is an [alternate text, URL] pair; nested ARRAY_CONSTRUCT is the
     -- valid Snowflake spelling of the tuple syntax sketched originally
     , ARRAY_CONSTRUCT(
           ARRAY_CONSTRUCT('MITRE Reference', 'https://attack.mitre.org/techniques/T1553/004/')
         , ARRAY_CONSTRUCT('our internal ADS', 'https://github.com/ADS_1003_1553_004_1.md')
       ) AS references
     , 'Description text here' AS description
     , userName AS actor
     , 'medium' AS severity
     , 'ASDF' AS query_id
     , 'SnowAlert' AS detector
     , OBJECT_CONSTRUCT(*) AS event_data
     , event_time AS event_time
     , CURRENT_TIMESTAMP() AS alert_time

But with an easier way to construct the reference pair. Honestly, I'd love to write my alerts as YAML and have the SQL be a field in the YAML, but that's a separate issue from this.
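As an added illustration (not code from the issue or from SnowAlert itself) of the shape proposed above, the following Snowflake query builds references as an array of name/url objects rather than bare pairs, so each entry is self-describing, and then unpacks them with FLATTEN the way a downstream ticket or Slack handler would. The source table file_tracker_events and its columns are assumed.

```sql
-- Constructed example, not part of the SnowAlert project.
-- Source table file_tracker_events (processName, fileName, userName, event_time) is assumed.
WITH alert AS (
  SELECT
      OBJECT_CONSTRUCT('processName', processName, 'fileName', fileName) AS environment
    , ARRAY_CONSTRUCT('FileTracker') AS sources
    , 'Unsigned code execution' AS title
    , 'Review the file and its signing status' AS action
    , fileName AS object
    -- references: one object per external link, keyed by display name and URL
    , ARRAY_CONSTRUCT(
          OBJECT_CONSTRUCT('name', 'MITRE Reference',
                           'url',  'https://attack.mitre.org/techniques/T1553/004/')
        , OBJECT_CONSTRUCT('name', 'our internal ADS',
                           'url',  'https://github.com/ADS_1003_1553_004_1.md')
      ) AS references
    , 'Description text here' AS description
    , userName AS actor
    , 'medium' AS severity
    , 'FILE_TRACKER_T1553_004' AS query_id   -- placeholder query id
    , 'SnowAlert' AS detector
    , OBJECT_CONSTRUCT(*) AS event_data
    , event_time AS event_time
    , CURRENT_TIMESTAMP() AS alert_time
  FROM file_tracker_events
)
-- Read the references back out, one row per link, for rendering in a notification
SELECT a.title
     , a.actor
     , r.index                 AS reference_position
     , r.value:name::STRING    AS reference_name
     , r.value:url::STRING     AS reference_url
FROM alert a
   , LATERAL FLATTEN(input => a.references) r
ORDER BY a.alert_time, r.index;
```

Storing name and url as object keys rather than positional pairs means a handler can skip malformed entries (missing url) instead of misreading a swapped pair as a link.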