From d9775ae2d65699861e156fe8e89b15fc85b4c817 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc <sebastien.quioc@sekoia.fr>
Date: Fri, 24 May 2024 15:11:21 +0200
Subject: [PATCH] fix(Ubika): extract the attack family

---
 Ubika/ubika-cloud-protector-alerts/_meta/fields.yml          | 5 +++++
 Ubika/ubika-cloud-protector-alerts/ingest/parser.yml         | 1 +
 Ubika/ubika-cloud-protector-alerts/tests/test_detection.json | 3 ++-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/Ubika/ubika-cloud-protector-alerts/_meta/fields.yml b/Ubika/ubika-cloud-protector-alerts/_meta/fields.yml
index add6bfb42..e6188726e 100644
--- a/Ubika/ubika-cloud-protector-alerts/_meta/fields.yml
+++ b/Ubika/ubika-cloud-protector-alerts/_meta/fields.yml
@@ -2,3 +2,8 @@ ubika.cloud_protector.application_id:
   description: Website server name
   name: ubika.cloud_protector.application_id
   type: keyword
+
+ubika.cloud_protector.attack_family:
+  description: The nature of the attack
+  name: ubika.cloud_protector.attack_family
+  type: keyword
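Review bot: The description on the new `ubika.cloud_protector.attack_family` entry, `The nature of the attack`, tells an analyst neither where the value comes from nor what shape to expect, whereas the sibling `application_id` entry at least names its source (`Website server name`). Since the parser copies it straight from the alert's `attack_family` attribute and the test fixture in this commit uses `Information Disclosure`, a more useful line would be `description: Attack category reported by Ubika Cloud Protector for this alert (e.g. "Information Disclosure")`. A keyword field that detection rules will match on benefits from documenting the expected vocabulary, even if only by example.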
diff --git a/Ubika/ubika-cloud-protector-alerts/ingest/parser.yml b/Ubika/ubika-cloud-protector-alerts/ingest/parser.yml
index ea3e6fdf7..23798d465 100644
--- a/Ubika/ubika-cloud-protector-alerts/ingest/parser.yml
+++ b/Ubika/ubika-cloud-protector-alerts/ingest/parser.yml
@@ -30,3 +30,4 @@ stages:
           rule.id: "{{ parsed_event.message.rule_id.strip() }}"
 
           ubika.cloud_protector.application_id: "{{ parsed_event.message.application_id }}"
+          ubika.cloud_protector.attack_family: "{{ parsed_event.message.attack_family }}"
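Review bot: The new `ubika.cloud_protector.attack_family` mapping renders `parsed_event.message.attack_family` unconditionally, so an alert that omits the attribute will produce whatever the template engine yields for a missing value (an empty string, `None`, or an error; which one is not visible here) in a keyword field intended for rule matching. The `rule.id` line three lines up normalises its value with `.strip()` while this line and the `application_id` line do not; if attack_family is meant to be compared for equality in detection rules, trailing whitespace from the upstream payload would silently break those matches. If the engine tolerates a missing attribute, `ubika.cloud_protector.attack_family: "{{ parsed_event.message.attack_family.strip() }}"` aligns it with `rule.id`; otherwise the mapping should be guarded on the attribute being present. The enclosing `stages:` block starts outside the hunk.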
diff --git a/Ubika/ubika-cloud-protector-alerts/tests/test_detection.json b/Ubika/ubika-cloud-protector-alerts/tests/test_detection.json
index 517b49f04..f948d6fd8 100644
--- a/Ubika/ubika-cloud-protector-alerts/tests/test_detection.json
+++ b/Ubika/ubika-cloud-protector-alerts/tests/test_detection.json
@@ -38,7 +38,8 @@
     },
     "ubika": {
       "cloud_protector": {
-        "application_id": "www.some-app.com"
+        "application_id": "www.some-app.com",
+        "attack_family": "Information Disclosure"
       }
     },
     "url": {
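Review bot: The fixture change only covers the case where `attack_family` is present in the sample alert; nothing here checks what the parser emits when the attribute is missing from the incoming message, which is the path most likely to yield an empty keyword or a template rendering failure. A second expected-output entry built from an alert without `attack_family`, asserting that the `ubika.cloud_protector.attack_family` key is either absent or holds the intended default, would pin that behaviour alongside the positive case added at `"attack_family": "Information Disclosure"`. The enclosing JSON object starts and ends outside the hunk.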