diff --git a/docs/xdr/features/investigate/querying_events.md b/docs/xdr/features/investigate/querying_events.md index db47e18f33..6e6338d2b2 100644 --- a/docs/xdr/features/investigate/querying_events.md +++ b/docs/xdr/features/investigate/querying_events.md @@ -20,10 +20,8 @@ The Tables below detail the main fields that can be used to narrow down your sea | name | type | description | | ------------------------------ | ------ | ------------------------------------------- | -| sekoiaio.entity.name | string | Name of the entity | | sekoiaio.entity.uuid | string | Unique identifier of the entity | -| sekoiaio.intake.key | string | The intake key | -| sekoiaio.intake.name | string | Name of the intake | +| sekoiaio.intake.uuid | string | Unique identifier of the intake | | sekoiaio.intake.dialect | string | Name of the intake format | | sekoiaio.intake.dialect_uuid | string | UUID of the intake format | | sekoiaio.intake.parsing_status | string | The parsing status (`success` or `failure`) | diff --git a/docs/xdr/usecases/playbook/Add_UserAgent_in_comment.md b/docs/xdr/usecases/playbook/Add_UserAgent_in_comment.md index 37c0583d91..4459285393 100644 --- a/docs/xdr/usecases/playbook/Add_UserAgent_in_comment.md +++ b/docs/xdr/usecases/playbook/Add_UserAgent_in_comment.md 
@@ -36,7 +36,7 @@ Find the playbook configuration below: - **earliest_time** `{{ ((node.2.first_seen_at | iso8601_to_timestamp) - 3600000) | timestamp_to_iso8601 }}` - **fields** `user_agent.original` - **latest_time** `now` - - **query** `source.ip:"{{ node.2['source'] }}" AND destination.ip:"{{ node.2['target'] }}" AND entity.name:"{{ node.2['entity']['name'] }}"` + - **query** `source.ip:"{{ node.2['source'] }}" AND destination.ip:"{{ node.2['target'] }}" AND entity.uuid:"{{ node.2['entity']['uuid'] }}"` `Comment Alert` - **content** `{{ node.3| jsonpath("$.fields[*].common_values[*]['value']", True) }}% of time this user-agent "{{ node.3| jsonpath("$.fields[*].common_values[*]['name']", True) }}}" was seen on these events during the last 60 minutes.`
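Review bot: the first hunk (querying_events.md) drops three documented search fields (`sekoiaio.entity.name`, `sekoiaio.intake.key`, `sekoiaio.intake.name`) and adds `sekoiaio.intake.uuid`, but gives readers no migration guidance; any saved query or playbook still filtering on the removed names will quietly return nothing. Suggest adding a short note under the table stating that queries should filter on `sekoiaio.entity.uuid` and `sekoiaio.intake.uuid` instead, mirroring the change made to the playbook in the second file.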
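Review bot: in the second hunk (Add_UserAgent_in_comment.md) the new query filters on `entity.uuid:"{{ node.2['entity']['uuid'] }}"`, which assumes the alert payload always carries `entity.uuid`; if it is absent the rendered query becomes `entity.uuid:""`, matches no events, and the follow-up comment reports a misleading 0% rather than failing visibly. Suggest documenting that precondition next to the configuration. While here, the unchanged context line for `Comment Alert` contains `}}}"` (three closing braces after the second `jsonpath` call), so a stray `}` is emitted verbatim into the alert comment; worth fixing in the same change.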