Merge pull request SEKOIA-IO#1095 from SEKOIA-IO/fix/UbikaCloudAlert

Ubika: extract the attack family
HarishHary · May 27, 2024 · 34965ad · 34965ad
2 parents 13fd879 + d9775ae
commit 34965ad
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/Ubika/ubika-cloud-protector-alerts/_meta/fields.yml b/Ubika/ubika-cloud-protector-alerts/_meta/fields.yml
@@ -2,3 +2,8 @@ ubika.cloud_protector.application_id:
   description: Website server name
   name: ubika.cloud_protector.application_id
   type: keyword
+
+ubika.cloud_protector.attack_family:
+  description: The nature of the attack
+  name: ubika.cloud_protector.attack_family
+  type: keyword
diff --git a/Ubika/ubika-cloud-protector-alerts/ingest/parser.yml b/Ubika/ubika-cloud-protector-alerts/ingest/parser.yml
@@ -30,3 +30,4 @@ stages:
           rule.id: "{{ parsed_event.message.rule_id.strip() }}"
 
           ubika.cloud_protector.application_id: "{{ parsed_event.message.application_id }}"
+          ubika.cloud_protector.attack_family: "{{ parsed_event.message.attack_family }}"
diff --git a/Ubika/ubika-cloud-protector-alerts/tests/test_detection.json b/Ubika/ubika-cloud-protector-alerts/tests/test_detection.json
@@ -38,7 +38,8 @@
     },
     "ubika": {
       "cloud_protector": {
-        "application_id": "www.some-app.com"
+        "application_id": "www.some-app.com",
+        "attack_family": "Information Disclosure"
       }
     },
     "url": {
Original file line number	Diff line number	Diff line change
Expand Up		@@ -30,3 +30,4 @@ stages:
		rule.id: "{{ parsed_event.message.rule_id.strip() }}"

		ubika.cloud_protector.application_id: "{{ parsed_event.message.application_id }}"
		ubika.cloud_protector.attack_family: "{{ parsed_event.message.attack_family }}"