docs/cse/integrations/configuring-threatq-source-in-cse.md
Lines changed: 5 additions & 5 deletions
@@ -39,15 +39,15 @@ After you set up your ThreatQ source, it will appear on the Threat Intel page in
39
39
40
40
## Looking for ThreatQ indicators using Cloud SIEM rules
41
41
42
-
As with other threat intel sources, Cloud SIEM compares each incoming Record to the indicators provided by your ThreatQ source.
42
+
As with other threat intel sources, Cloud SIEM compares each incoming record to the indicators provided by your ThreatQ source.
43
43
44
-
When a Record contains a value that matches an entry in one or more threat intel lists, two fields in the Record get populated: a `listMatches` field that contains the names of threat intel lists that the Record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.
44
+
When a record contains a value that matches an entry in one or more threat intel lists, two fields in the record get populated: a `listMatches` field that contains the names of threat intel lists that the record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.
45
45
46
-
For example, give a Record whose `SourceIp` column matches a entry in “My Threat Intel List”, the `listMatches` field added to the record would look like this:
46
+
For example, give a record whose `SourceIp` column matches a entry in “My Threat Intel List”, the `listMatches` field added to the record would look like this:
Because the threat intel information is persisted within Records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:
50
+
Because the threat intel information is persisted within records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:
If the name of the list you are referencing with `array_contains` contains any spaces, replace the spaces with underscores. For example, if the list name is *my list*, refer to it as *my_list*.
60
60
:::
61
61
62
-
For more information, see the [Rules and other content](/docs/cse/rules/about-cse-rules#rules-and-other-content) in the *About Cloud SIEM Rules* topic.
62
+
For more information, see [Rules and other content](/docs/cse/rules/about-cse-rules#rules-and-other-content) in the *About Cloud SIEM Rules* topic.
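Review bot: the example sentence at new line 46 still reads "give a record whose `SourceIp` column matches a entry" after the case change; since the line is being rewritten anyway, correct it to "given a record whose `SourceIp` column matches an entry in "My Threat Intel List"". The rest of the hunk is consistent: "Record" becomes "record" in every sentence of the section, and dropping "the" before the "Rules and other content" link at new line 62 reads correctly.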
docs/cse/integrations/enable-virustotal-enrichment.md
Lines changed: 5 additions & 5 deletions
@@ -2,18 +2,18 @@
2
2
id: enable-virustotal-enrichment
3
3
title: Enable VirusTotal Enrichment
4
4
sidebar_label: Enable VirusTotal Enrichment
5
-
description: Enrich your Insights with information from VirusTotal.
5
+
description: Enrich your insights with information from VirusTotal.
6
6
---
7
7
8
8
import useBaseUrl from '@docusaurus/useBaseUrl';
9
9
10
-
The VirusTotal Enrichment enriches Signals based on queries it runs against VirusTotal.
10
+
The VirusTotal Enrichment enriches signals based on queries it runs against VirusTotal.
11
11
12
12
:::note
13
13
This feature requires the VirusTotal Premium API.
14
14
:::
15
15
16
-
For each Insight created, the enrichment checks the Records in the Signals that contribute to that Insight, looking for the values found in certain Record attributes that contain IP addresses, URLs, hostnames, or hashes. These are the fields the enrichment examines:
16
+
For each insight created, the enrichment checks the records in the signals that contribute to that insight, looking for the values found in certain record attributes that contain IP addresses, URLs, hostnames, or hashes. These are the fields the enrichment examines:
17
17
18
18
*`srcDevice_ip`
19
19
*`dstDevice_ip`
@@ -28,10 +28,10 @@ For each Insight created, the enrichment checks the Records in the Signals that
28
28
*`file_hash_sha256`
29
29
*`file_hash_ssdeep`
30
30
31
-
The enrichment looks up each value it finds in VirusTotal, calling the VirusTotal API to do so. When a Record value has a match in VirusTotal, the enrichment writes the response to Cloud SIEM, where you can view it the Signal’s **Enrichment** tab. For an example, see [Example VirusTotal Enrichment](#example-virustotal-enrichment).
31
+
The enrichment looks up each value it finds in VirusTotal, calling the VirusTotal API to do so. When a record value has a match in VirusTotal, the enrichment writes the response to Cloud SIEM, where you can view it the signal’s **Enrichment** tab. For an example, see [Example VirusTotal Enrichment](#example-virustotal-enrichment).
32
32
33
33
:::note
34
-
VirusTotal enrichments are only added to Signals that are part of an Insight.
34
+
VirusTotal enrichments are only added to signals that are part of an insight.
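Review bot: new line 31 still has a missing preposition in "where you can view it the signal's **Enrichment** tab"; make it "where you can view it on the signal's **Enrichment** tab". The same line names the tab **Enrichment** (singular), while enrichments-and-indicators.md in this commit calls it the **Enrichments** tab; pick one name for the tab and use it in both files.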
docs/cse/integrations/enrichments-and-indicators.md
Lines changed: 5 additions & 5 deletions
@@ -8,16 +8,16 @@ description: Learn how enrichments include threat indicators.
8
8
import useBaseUrl from '@docusaurus/useBaseUrl';
9
9
10
10
11
-
Enrichments can add [threat indicators](#threat-indicators) to show risk level in Insights and Entities.
11
+
Enrichments can add [threat indicators](#threat-indicators) to show risk level in insights and entities.
12
12
13
13
## Enrichments
14
14
15
-
You can view the results of enrichments in Cloud SIEM by navigating to the **Enrichments** tab (which will appear on the Entity, Signal, and Insight details pages if there are any enrichments to display):
15
+
You can view the results of enrichments in Cloud SIEM by navigating to the **Enrichments** tab (which will appear on the entity, signal, and insight details pages if there are any enrichments to display):
16
16
17
17
<img src={useBaseUrl('img/cse/enrichments.png')} alt="Examples of enrichments" width="800"/>
18
18
19
19
The enhancements include:
20
-
* Enrichments are grouped by Entity, not by enrichment source.
20
+
* Enrichments are grouped by entity, not by enrichment source.
21
21
* Groups can be collapsed and expanded.
22
22
* The list can be filtered.
23
23
* Empty fields (fields with a null or empty value) can be optionally hidden.
@@ -34,7 +34,7 @@ Threat indicators, if set, will be displayed throughout the Cloud SIEM UI either
No icon is displayed for Entities with the **Not Flagged** label.
37
+
No icon is displayed for entities with the **Not Flagged** label.
38
38
39
39
:::note
40
40
**Not Flagged** is not the default value (which is no indicator at all). Cloud SIEM will not automatically determine the indicator value; enrichments must explicitly set it.
@@ -44,5 +44,5 @@ No icon is displayed for Entities with the **Not Flagged** label.
44
44
45
45
The enrichment schema includes support for the following optional attributes:
46
46
*`expiresAt`. Defines when the enrichment should be auto-deleted from Cloud SIEM (by default, enrichments will never be auto-deleted).
47
-
*`externalUrl`. Defines a link that will be displayed with an enrichment (for example, to include a link to the VirusTotal details page for this Entity, put the link in this field).
47
+
*`externalUrl`. Defines a link that will be displayed with an enrichment (for example, to include a link to the VirusTotal details page for this entity, put the link in this field).
48
48
*`reputation`. Associates a threat indicator with this enrichment data. The allowable values are `malicious`, `suspicious`, and `notflagged`. The default is not to display any reputation.
docs/cse/integrations/index.md
Lines changed: 3 additions & 3 deletions
@@ -19,13 +19,13 @@ In this section, we'll introduce the following concepts:
19
19
<divclassName="box smallbox card">
20
20
<divclassName="container">
21
21
<ahref="/docs/cse/integrations/insight-enrichment-server"><img src={useBaseUrl('img/icons/integrations.png')} alt="Icon of two screens" width="40"/><h4>Insight Enrichment Server</h4></a>
22
-
<p>Learn how to automatically enrich Cloud SIEM Insights.</p>
22
+
<p>Learn how to automatically enrich Cloud SIEM insights.</p>
23
23
</div>
24
24
</div>
25
25
<divclassName="box smallbox card">
26
26
<divclassName="container">
27
27
<ahref="/docs/cse/integrations/enable-virustotal-enrichment"><img src={useBaseUrl('img/icons/integrations.png')} alt="Icon of two screens" width="40"/><h4>Enable VirusTotal Enrichment</h4></a>
28
-
<p>Learn how to enrich Signals based on queries it runs against VirusTotal.</p>
28
+
<p>Learn how to enrich signals based on queries it runs against VirusTotal.</p>
29
29
</div>
30
30
</div>
31
31
<divclassName="box smallbox card">
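Review bot: the card text at new line 28, "Learn how to enrich signals based on queries it runs against VirusTotal", still has a dangling "it" with nothing to refer to; reword it to "Learn how to enrich signals with the results of queries the VirusTotal enrichment runs" or similar. The other card descriptions in the hunk need only the case change they received.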
@@ -43,7 +43,7 @@ In this section, we'll introduce the following concepts:
43
43
<divclassName="box smallbox card">
44
44
<divclassName="container">
45
45
<ahref="/docs/cse/integrations/enrichments-and-indicators"><img src={useBaseUrl('img/icons/integrations.png')} alt="Icon of two screens" width="40"/><h4>Enrichments and Threat Indicators</h4></a>
46
-
<p>Learn how enrichments can add threat indicators to show risk level in Insights and Entities.</p>
46
+
<p>Learn how enrichments can add threat indicators to show risk level in insights and entities.</p>
docs/cse/integrations/insight-enrichment-server.md
Lines changed: 12 additions & 12 deletions
@@ -1,14 +1,14 @@
1
1
---
2
2
id: insight-enrichment-server
3
3
title: Insight Enrichment Server
4
-
description: You can use the Cloud SIEM Insight Enrichment Server to automatically enrich Cloud SIEM Insights.
4
+
description: You can use the Cloud SIEM Insight Enrichment Server to automatically enrich Cloud SIEM insights.
5
5
---
6
6
7
7
import Tabs from '@theme/Tabs';
8
8
import TabItem from '@theme/TabItem';
9
9
import useBaseUrl from '@docusaurus/useBaseUrl';
10
10
11
-
The Cloud SIEM Insight Enrichment Server is a component that automatically enriches Cloud SIEM Insights.
11
+
The Cloud SIEM Insight Enrichment Server is a component that automatically enriches Cloud SIEM insights.
12
12
13
13
:::warning
14
14
The Insight Enrichment Server is deprecated. Use the Automation Service instead for enrichments. See [Migrate from legacy actions and enrichments to the Automation Service](/docs/cse/automation/automations-in-cloud-siem/#migrate-from-legacy-actions-and-enrichments-to-the-automation-service).
@@ -20,11 +20,11 @@ This topic describes v1.5.0 of the non-FedRAMP version of the Insight Enrichmen
20
20
21
21
## What the Insight Enrichment Server does
22
22
23
-
The Insight Enrichment Server performs an external query on the [Entity](/docs/cse/records-signals-entities-insights/view-manage-entities) for an Insight—for example, an IP address, a hostname, username, or a MAC address—and adds the query results as an enrichment to the Insight.
23
+
The Insight Enrichment Server performs an external query on the [entity](/docs/cse/records-signals-entities-insights/view-manage-entities) for an insight—for example, an IP address, a hostname, username, or a MAC address—and adds the query results as an enrichment to the insight.
24
24
25
-
You configure enrichments in the server’s configuration file. The key settings are the Entity type to run the enrichment on, and the command and command arguments to run.
25
+
You configure enrichments in the server’s configuration file. The key settings are the entity type to run the enrichment on, and the command and command arguments to run.
26
26
27
-
The Insight Enrichment Server periodically polls Cloud SIEM for new Insights. If an Insight’s Entity is of the same type as the `entity_type` specified for an enrichment configured in the server’s configuration file, the server runs the enrichment for the Entity instance in the Insight. You can see an enrichment that has been added to an Insight on the **Enrichments** tab for an Insight.
27
+
The Insight Enrichment Server periodically polls Cloud SIEM for new insights. If an insight’s entity is of the same type as the `entity_type` specified for an enrichment configured in the server’s configuration file, the server runs the enrichment for the entity instance in the insight. You can see an enrichment that has been added to an insight on the **Enrichments** tab for an insight.
@@ -141,7 +141,7 @@ Run the installer and follow the instructions.
141
141
142
142
The Enrichment Server supports these variables:
143
143
144
-
`${IP}`, `${MAC}`, `${USERNAME}`, and `${HOSTNAME}`, and for custom Entities, `${ENTITY}`.
144
+
`${IP}`, `${MAC}`, `${USERNAME}`, and `${HOSTNAME}`, and for custom entities, `${ENTITY}`.
145
145
146
146
147
147
### General settings
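Review bot: new line 144 keeps the doubled conjunction "`${IP}`, `${MAC}`, `${USERNAME}`, and `${HOSTNAME}`, and for custom entities, `${ENTITY}`"; since the line is being edited, simplify it to "`${IP}`, `${MAC}`, `${USERNAME}` and `${HOSTNAME}`, plus `${ENTITY}` for custom entities".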
@@ -154,7 +154,7 @@ The following parameters control general server behaviors, as opposed to enrichm
154
154
|`api_id`| yes | Enter your Sumo Logic Access ID. For more information, see [Manage your access keys on Preferences page](/docs/manage/security/access-keys#from-the-preferences-page). |
155
155
|`api_key`| yes | Enter your Sumo Logic Access Key.|
156
156
|`log_level`| no | Log level the server should use. The options are:<br/><br/>-`error`. Only display error messages.<br/>-`info`. Display informational messages. This is the recommended value.<br/>-`debug`. Displays debug (or trace) data. Recommended only when debugging.<br/><br/>Default: `info`|
157
-
|`poll_interval`| no | How often the Insight Enrichment Server should check fornew Insights. You can specify the intervalin seconds (s), minutes (m), or hours (h).<br/><br/>Default: 10s |
157
+
|`poll_interval`| no | How often the Insight Enrichment Server should check fornew insights. You can specify the intervalin seconds (s), minutes (m), or hours (h).<br/><br/>Default: 10s |
158
158
|`post_workers`| no | The number of parallel workers (threads) posting enrichment results. Default: 6 |
159
159
| enrichment_workers | no | The number of parallel workers (threads) running enrichment tasks. <br/><br/>Default: 12 |
160
160
|`proxy_url`| no | An HTTP proxy URL to use when communicating with the Sumo Logic backend. For example, `my.proxy.myorg.com:3128` or `username:[email protected]:31281`. <br/><br/>Default: No proxy used |
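Review bot: new line 157 still contains the run-together words "check fornew insights" and "the intervalin seconds"; fix them to "check for new insights" and "the interval in seconds" while the `poll_interval` row is being edited. In the same table, `enrichment_workers` at line 159 is the only setting name not wrapped in backticks; wrap it for consistency with `post_workers` and `proxy_url`.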
@@ -168,11 +168,11 @@ Each enrichment should be configured in a separate section in the configuration
168
168
| Setting | Required?| Description |
169
169
|:--|:--|:--|
170
170
|`enrichment_type`| yes | Specifies the type of the enrichment. Currently, the only supported value is `command`. |
171
-
|`entity_type`| yes | The type of Entity to enrich. The Insight Enrichment server supports built-in Entity types, including IP, mac, username, and hostname. (For a complete list, see [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities). It also supports [custom Entity types](/docs/cse/records-signals-entities-insights/create-custom-entity-type). For custom Entity types, the `entity_type` should match the unique Identifier assigned to the custom Entity type. |
172
-
|`cache_time`| no | The length of time that the results of a specific enrichment fora specific Entity will be cached and returned for other enrichment requests for that enrichment and Entity. This setting can be used to prevent an enrichment from running multiple times for the same Entity. You can specify `cache_time`in hours (h), minutes (m), or seconds (s). If you specify a value without a unit, the value is treated as nanoseconds. <br/><br/>Default: none |
171
+
|`entity_type`| yes | The type of entity to enrich. The Insight Enrichment server supports built-in entity types, including IP, mac, username, and hostname. (For a complete list, see [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities). It also supports [custom entity types](/docs/cse/records-signals-entities-insights/create-custom-entity-type). For custom entity types, the `entity_type` should match the unique Identifier assigned to the custom entity type. |
172
+
|`cache_time`| no | The length of time that the results of a specific enrichment fora specific entity will be cached and returned for other enrichment requests for that enrichment and entity. This setting can be used to prevent an enrichment from running multiple times for the same entity. You can specify `cache_time`in hours (h), minutes (m), or seconds (s). If you specify a value without a unit, the value is treated as nanoseconds. <br/><br/>Default: none |
173
173
|`ip_range`| no | When `entity_type` is IP, you can specify a range of IP addresses that the enrichment will be limited to. Specify IP address ranges as a comma-separated list. For example:<br/><br/>`192.168.1.1-192.168.1.255, 192.168.5.1-192.168.8.120`|
174
-
|`command_exe`| yes | The executable to run when enriching the Entity. |
175
-
|`command_args`| yes | The arguments to pass to the executable specified by `command_exe` when performing the enrichment. Note that the value `${IP}` will be replaced by the IP address for IP Entities. The value `${HOSTNAME}` will be replaced with the hostname for hostname Entities. The value `${MAC}` will be replaced with the MAC address for MAC Entities. The value `${USERNAME}` will be replaced with the username for username Entities. `command_args` also supports an `${ENTITY}` replacement value that you can use for custom Entity types and any of the built-in Entity types. |
174
+
|`command_exe`| yes | The executable to run when enriching the entity. |
175
+
|`command_args`| yes | The arguments to pass to the executable specified by `command_exe` when performing the enrichment. Note that the value `${IP}` will be replaced by the IP address for IP entities. The value `${HOSTNAME}` will be replaced with the hostname for hostname entities. The value `${MAC}` will be replaced with the MAC address for MAC entities. The value `${USERNAME}` will be replaced with the username for username entities. `command_args` also supports an `${ENTITY}` replacement value that you can use for custom entity types and any of the built-in entity types. |
176
176
|`command_timeout`| no | A timeout value (in seconds) that will be enforced when running the command.<br/><br/>Default: none |
If an Insight’s Entity is an IP address in one of the ranges specified by `ip_range`, the enrichment will run the command`whois.exe` on that IP address.
191
+
If an insight’s entity is an IP address in one of the ranges specified by `ip_range`, the enrichment will run the command`whois.exe` on that IP address.
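Review bot: the `entity_type` row (new line 171) opens a parenthesis at "(For a complete list, see [View and Manage Entities](...)" and never closes it; close it after the link. The `cache_time` row (new line 172) still has "fora specific entity" and "`cache_time`in hours", and new line 191 has "run the command`whois.exe`"; add the missing spaces since all three lines are being touched. The `cache_time` sentence saying a unit-less value is treated as nanoseconds would benefit from an explicit "always include a unit", because a value such as `3600` then caches for effectively no time and the command runs again on every request. For `command_args`, it would help operators to state whether the `${USERNAME}`, `${HOSTNAME}` and `${ENTITY}` substitutions are passed to `command_exe` as separate arguments rather than through a shell, since those values come from ingested records.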