
Commit 881f5d5

authored
Merge pull request #404 from splunk/conf_file_updates
detection_Type and _entities conf file updates
2 parents 8be90ad + 9a475a5 commit 881f5d5


1 file changed

+3
-27
lines changed

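--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -1,31 +1,20 @@
 ### {{app.label}} DETECTIONS ###
 
 {% for detection in objects %}
-{% if (detection.type == 'TTP' or detection.type == 'Anomaly' or detection.type == 'Hunting' or detection.type == 'Correlation') %}
 [{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
 description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.mappings = {{ detection.mappings | tojson }}
 action.escu.data_models = {{ detection.datamodel | tojson }}
 action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
-{% if detection.how_to_implement %}
 action.escu.how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
-{% else %}
-action.escu.how_to_implement = none
-{% endif %}
-{% if detection.known_false_positives %}
 action.escu.known_false_positives = {{ detection.known_false_positives | escapeNewlines() }}
-{% else %}
-action.escu.known_false_positives = None
-{% endif %}
 action.escu.creation_date = {{ detection.date }}
 action.escu.modification_date = {{ detection.date }}
 action.escu.confidence = high
 action.escu.search_type = detection
-{% if detection.tags.product is defined %}
 action.escu.product = {{ detection.tags.product | tojson }}
-{% endif %}
 {% if detection.tags.atomic_guid %}
 action.escu.atomic_red_team_guids = {{ detection.tags.getAtomicGuidStringArray() | tojson }}
 {% endif %}
@@ -34,7 +23,6 @@ action.escu.providing_technologies = {{ detection.providing_technologies | tojso
 {% else %}
 action.escu.providing_technologies = null
 {% endif %}
-{% if detection.tags.analytic_story %}
 action.escu.analytic_story = {{ objectListToNameList(detection.tags.analytic_story) | tojson }}
 {% if detection.deployment.alert_action.rba.enabled%}
 action.risk = 1
@@ -43,25 +31,19 @@ action.risk.param._risk = {{ detection.risk | tojson }}
 action.risk.param._risk_score = 0
 action.risk.param.verbose = 0
 {% endif %}
-{% else %}
-action.escu.analytic_story = []
-{% endif %}
 cron_schedule = {{ detection.deployment.scheduling.cron_schedule }}
 dispatch.earliest_time = {{ detection.deployment.scheduling.earliest_time }}
 dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
 action.correlationsearch.enabled = 1
+action.correlationsearch.detection_type = ebd
 action.correlationsearch.label = {{ detection.get_action_dot_correlationsearch_dot_label(app) }}
 action.correlationsearch.annotations = {{ detection.annotations | tojson }}
 action.correlationsearch.metadata = {{ detection.metadata | tojson }}
-{% if detection.deployment.scheduling.schedule_window is defined %}
 schedule_window = {{ detection.deployment.scheduling.schedule_window }}
-{% endif %}
-{% if detection.deployment is defined %}
 {% if detection.deployment.alert_action.notable %}
 action.notable = 1
-{% if detection.nes_fields %}
+action.notable.param._entities = [{"risk_object_field": "N/A", "risk_object_type": "N/A", "risk_score": "0"}]
 action.notable.param.nes_fields = {{ detection.nes_fields }}
-{% endif %}
 action.notable.param.rule_description = {{ detection.deployment.alert_action.notable.rule_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines()}}
 action.notable.param.rule_title = {% if detection.type | lower == "correlation" %}RBA: {{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% else %}{{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% endif +%}
 action.notable.param.security_domain = {{ detection.tags.security_domain }}
@@ -87,13 +69,8 @@ action.sendtophantom.param.phantom_server = {{ detection.deployment.alert_action
 action.sendtophantom.param.sensitivity = {{ detection.deployment.alert_action.phantom.sensitivity | custom_jinja2_enrichment_filter(detection) }}
 action.sendtophantom.param.severity = {{ detection.deployment.alert_action.phantom.severity | custom_jinja2_enrichment_filter(detection) }}
 {% endif %}
-{% endif %}
 alert.digest_mode = 1
-{% if detection.enabled_by_default %}
-disabled = false
-{% else %}
-disabled = true
-{% endif %}
+disabled = {{ (not detection.enabled_by_default) | lower }}
 enableSched = 1
 allow_skew = 100%
 counttype = number of events
@@ -108,7 +85,6 @@ alert.suppress.period = {{ detection.tags.throttling.period }}
 {% endif %}
 search = {{ detection.search | escapeNewlines() }}
 action.notable.param.drilldown_searches = {{ detection.drilldowns_in_JSON | tojson | escapeNewlines() }}
-{% endif %}
 
 {% endfor %}
 ### END {{ app.label }} DETECTIONS ###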
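Review bot: Dropping the `{% if detection.nes_fields %}` guard in the third hunk makes `action.notable.param.nes_fields = {{ detection.nes_fields }}` render for every notable-enabled detection, so a detection without that attribute will presumably emit `nes_fields = None` or an empty value into savedsearches.conf rather than omitting the key; if every detection object is now guaranteed to carry nes_fields that should be stated in a template comment, otherwise restore the guard around that line with `{% if detection.nes_fields %}` / `{% endif %}`. The same unconditional-render concern applies to `schedule_window = {{ detection.deployment.scheduling.schedule_window }}` once its `is defined` guard is gone. The new `action.notable.param._entities = [...]` line is a fixed placeholder with N/A risk objects and a zero score for every detection; a comment such as `{# static _entities stub: real risk objects are supplied via action.risk.param._risk #}` would make clear to the next maintainer that this is intentional rather than data that was meant to come from the detection. Each hunk is a slice of the surrounding `{% for detection in objects %}` body, so the enclosing block starts and ends outside every hunk but the last.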
