DOCS-587 - Make terms lowercase in Cloud SIEM - Schema, sensors, and integrations sections #4889

Draft
wants to merge 3 commits into
base: main
10 changes: 5 additions & 5 deletions docs/cse/integrations/configuring-threatq-source-in-cse.md
Expand Up @@ -39,15 +39,15 @@ After you set up your ThreatQ source, it will appear on the Threat Intel page in

## Looking for ThreatQ indicators using Cloud SIEM rules

As with other threat intel sources, Cloud SIEM compares each incoming Record to the indicators provided by your ThreatQ source. 
As with other threat intel sources, Cloud SIEM compares each incoming record to the indicators provided by your ThreatQ source. 

When a Record contains a value that matches an entry in one or more threat intel lists, two fields in the Record get populated: a `listMatches` field that contains the names of threat intel lists that the Record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.  
When a record contains a value that matches an entry in one or more threat intel lists, two fields in the record get populated: a `listMatches` field that contains the names of threat intel lists that the record matched, and a `matchedItems` field that contains the actual key-value pairs that were matched. In addition, the string “threat” is added to the `listMatches` field.  

For example, give a Record whose `SourceIp` column matches a entry in “My Threat Intel List”, the `listMatches` field added to the record would look like this:
For example, give a record whose `SourceIp` column matches a entry in “My Threat Intel List”, the `listMatches` field added to the record would look like this:

`listMatches: ['My Threat Intel List', 'column:SourceIp', 'threat']`

Because the threat intel information is persisted within Records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:
Because the threat intel information is persisted within records, you can reference it downstream in both rules and search. To leverage the information in a rule, you extend your rule expression with the `array_contains` function. The syntax is:

`array_contains(listMatches, "threat_intel_list_name")`

Expand All @@ -59,5 +59,5 @@ where 
If the name of the list you are referencing with `array_contains` contains any spaces, replace the spaces with underscores. For example, if the list name is *my list*, refer to it as *my_list*.
:::

For more information, see the [Rules and other content](/docs/cse/rules/about-cse-rules#rules-and-other-content) in the *About Cloud SIEM Rules* topic.
For more information, see [Rules and other content](/docs/cse/rules/about-cse-rules#rules-and-other-content) in the *About Cloud SIEM Rules* topic.

10 changes: 5 additions & 5 deletions docs/cse/integrations/enable-virustotal-enrichment.md
Expand Up @@ -2,18 +2,18 @@
id: enable-virustotal-enrichment
title: Enable VirusTotal Enrichment
sidebar_label: Enable VirusTotal Enrichment
description: Enrich your Insights with information from VirusTotal.
description: Enrich your insights with information from VirusTotal.
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The VirusTotal Enrichment enriches Signals based on queries it runs against VirusTotal.
The VirusTotal Enrichment enriches signals based on queries it runs against VirusTotal.

:::note
This feature requires the VirusTotal Premium API.
:::

For each Insight created, the enrichment checks the Records in the Signals that contribute to that Insight, looking for the values found in certain Record attributes that contain IP addresses, URLs, hostnames, or hashes. These are the fields the enrichment examines:
For each insight created, the enrichment checks the records in the signals that contribute to that insight, looking for the values found in certain record attributes that contain IP addresses, URLs, hostnames, or hashes. These are the fields the enrichment examines:

* `srcDevice_ip`
* `dstDevice_ip`
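Review bot: `The VirusTotal Enrichment enriches signals based on queries it runs against VirusTotal.` keeps `Enrichment` capitalized as a feature name, while the same feature is called `the enrichment` in the next paragraph and the heading further down reads `## Configure VirusTotal enrichment`. Given the purpose of this PR, lowercase it here too (`The VirusTotal enrichment enriches signals ...`); leaving `title` and `sidebar_label` title-cased is fine since those are page titles.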
Expand All @@ -28,10 +28,10 @@ For each Insight created, the enrichment checks the Records in the Signals that
* `file_hash_sha256`
* `file_hash_ssdeep`

The enrichment looks up each value it finds in VirusTotal, calling the VirusTotal API to do so. When a Record value has a match in VirusTotal, the enrichment writes the response to Cloud SIEM, where you can view it the Signal’s **Enrichment** tab. For an example, see [Example VirusTotal Enrichment](#example-virustotal-enrichment).
The enrichment looks up each value it finds in VirusTotal, calling the VirusTotal API to do so. When a record value has a match in VirusTotal, the enrichment writes the response to Cloud SIEM, where you can view it the signal’s **Enrichment** tab. For an example, see [Example VirusTotal Enrichment](#example-virustotal-enrichment).

:::note
VirusTotal enrichments are only added to Signals that are part of an Insight.
VirusTotal enrichments are only added to signals that are part of an insight.
:::

## Configure VirusTotal enrichment
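Review bot: `where you can view it the signal's **Enrichment** tab` is missing a preposition (`view it in the signal's ... tab`), and the tab is named **Enrichments** on the other two pages in this PR (enrichments-and-indicators.md and insight-enrichment-server.md); use the same tab name here so readers can find it in the UI.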
10 changes: 5 additions & 5 deletions docs/cse/integrations/enrichments-and-indicators.md
Expand Up @@ -8,16 +8,16 @@ description: Learn how enrichments include threat indicators.
import useBaseUrl from '@docusaurus/useBaseUrl';


Enrichments can add [threat indicators](#threat-indicators) to show risk level in Insights and Entities.
Enrichments can add [threat indicators](#threat-indicators) to show risk level in insights and entities.

## Enrichments

You can view the results of enrichments in Cloud SIEM by navigating to the **Enrichments** tab (which will appear on the Entity, Signal, and Insight details pages if there are any enrichments to display):
You can view the results of enrichments in Cloud SIEM by navigating to the **Enrichments** tab (which will appear on the entity, signal, and insight details pages if there are any enrichments to display):

<img src={useBaseUrl('img/cse/enrichments.png')} alt="Examples of enrichments" width="800"/>

The enhancements include:
* Enrichments are grouped by Entity, not by enrichment source.
* Enrichments are grouped by entity, not by enrichment source.
* Groups can be collapsed and expanded.
* The list can be filtered.
* Empty fields (fields with a null or empty value) can be optionally hidden.
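Review bot: `The enhancements include:` has no antecedent; nothing earlier on the page mentions enhancements, and the bullets that follow describe how the **Enrichments** tab behaves (grouping by entity, collapsing, filtering, hiding empty fields). Suggest `The **Enrichments** tab has the following features:` or `On this tab:` so the list reads as a description rather than release notes.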
Expand All @@ -34,7 +34,7 @@ Threat indicators, if set, will be displayed throughout the Cloud SIEM UI either
| **Suspicious** | <img src={useBaseUrl('img/cse/indicator-suspicious-label.png')} alt="Suspicious label" width="110"/> | <img src={useBaseUrl('img/cse/indicator-suspicious-icon.png')} alt="Suspicious icon" width="30"/> |
| **Not Flagged** | <img src={useBaseUrl('img/cse/indicator-notflagged-label.png')} alt="Suspicious label" width="125"/> | None |

No icon is displayed for Entities with the **Not Flagged** label.
No icon is displayed for entities with the **Not Flagged** label.

:::note
**Not Flagged** is not the default value (which is no indicator at all). Cloud SIEM will not automatically determine the indicator value; enrichments must explicitly set it.
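Review bot: the **Not Flagged** row reuses `alt="Suspicious label"` from the row above; it should read `alt="Not Flagged label"`. Not part of the lowercasing, but the row is already in the diff and the wrong alt text misleads screen-reader users about which indicator is shown.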
Expand All @@ -44,5 +44,5 @@ No icon is displayed for Entities with the **Not Flagged** label.

The enrichment schema includes support for the following optional attributes:
* `expiresAt`. Defines when the enrichment should be auto-deleted from Cloud SIEM (by default, enrichments will never be auto-deleted).
* `externalUrl`. Defines a link that will be displayed with an enrichment (for example, to include a link to the VirusTotal details page for this Entity, put the link in this field).
* `externalUrl`. Defines a link that will be displayed with an enrichment (for example, to include a link to the VirusTotal details page for this entity, put the link in this field).
* `reputation`. Associates a threat indicator with this enrichment data. The allowable values are `malicious`, `suspicious`, and `notflagged`. The default is not to display any reputation.
6 changes: 3 additions & 3 deletions docs/cse/integrations/index.md
Expand Up @@ -19,13 +19,13 @@ In this section, we'll introduce the following concepts:
<div className="box smallbox card">
<div className="container">
<a href="/docs/cse/integrations/insight-enrichment-server"><img src={useBaseUrl('img/icons/integrations.png')} alt="Icon of two screens" width="40"/><h4>Insight Enrichment Server</h4></a>
<p>Learn how to automatically enrich Cloud SIEM Insights.</p>
<p>Learn how to automatically enrich Cloud SIEM insights.</p>
</div>
</div>
<div className="box smallbox card">
<div className="container">
<a href="/docs/cse/integrations/enable-virustotal-enrichment"><img src={useBaseUrl('img/icons/integrations.png')} alt="Icon of two screens" width="40"/><h4>Enable VirusTotal Enrichment</h4></a>
<p>Learn how to enrich Signals based on queries it runs against VirusTotal.</p>
<p>Learn how to enrich signals based on queries it runs against VirusTotal.</p>
</div>
</div>
<div className="box smallbox card">
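Review bot: `Learn how to enrich signals based on queries it runs against VirusTotal.` has a dangling `it`; inside the card there is no subject for it to refer to (the sentence was lifted from the page body where `The VirusTotal Enrichment` is the subject). Suggest `Learn how to enrich signals with the results of VirusTotal queries.`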
Expand All @@ -43,7 +43,7 @@ In this section, we'll introduce the following concepts:
<div className="box smallbox card">
<div className="container">
<a href="/docs/cse/integrations/enrichments-and-indicators"><img src={useBaseUrl('img/icons/integrations.png')} alt="Icon of two screens" width="40"/><h4>Enrichments and Threat Indicators</h4></a>
<p>Learn how enrichments can add threat indicators to show risk level in Insights and Entities.</p>
<p>Learn how enrichments can add threat indicators to show risk level in insights and entities.</p>
</div>
</div>
</div>
24 changes: 12 additions & 12 deletions docs/cse/integrations/insight-enrichment-server.md
@@ -1,14 +1,14 @@
---
id: insight-enrichment-server
title: Insight Enrichment Server
description: You can use the Cloud SIEM Insight Enrichment Server to automatically enrich Cloud SIEM Insights.
description: You can use the Cloud SIEM Insight Enrichment Server to automatically enrich Cloud SIEM insights.
---

import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import useBaseUrl from '@docusaurus/useBaseUrl';

The Cloud SIEM Insight Enrichment Server is a component that automatically enriches Cloud SIEM Insights.  
The Cloud SIEM Insight Enrichment Server is a component that automatically enriches Cloud SIEM insights.  

:::warning
The Insight Enrichment Server is deprecated. Use the Automation Service instead for enrichments. See [Migrate from legacy actions and enrichments to the Automation Service](/docs/cse/automation/automations-in-cloud-siem/#migrate-from-legacy-actions-and-enrichments-to-the-automation-service).
Expand All @@ -20,11 +20,11 @@ This topic describes v1.5.0 of the non-FedRAMP version of the Insight Enrichmen

## What the Insight Enrichment Server does

The Insight Enrichment Server performs an external query on the [Entity](/docs/cse/records-signals-entities-insights/view-manage-entities) for an Insight—for example, an IP address, a hostname, username, or a MAC address—and adds the query results as an enrichment to the Insight.
The Insight Enrichment Server performs an external query on the [entity](/docs/cse/records-signals-entities-insights/view-manage-entities) for an insight—for example, an IP address, a hostname, username, or a MAC address—and adds the query results as an enrichment to the insight.

You configure enrichments in the server’s configuration file. The key settings are the Entity type to run the enrichment on, and the command and command arguments to run. 
You configure enrichments in the server’s configuration file. The key settings are the entity type to run the enrichment on, and the command and command arguments to run. 

The Insight Enrichment Server periodically polls Cloud SIEM for new Insights. If an Insight’s Entity is of the same type as the `entity_type` specified for an enrichment configured in the server’s configuration file, the server runs the enrichment for the Entity instance in the Insight. You can see an enrichment that has been added to an Insight on the **Enrichments** tab for an Insight.  
The Insight Enrichment Server periodically polls Cloud SIEM for new insights. If an insight’s entity is of the same type as the `entity_type` specified for an enrichment configured in the server’s configuration file, the server runs the enrichment for the entity instance in the insight. You can see an enrichment that has been added to an insight on the **Enrichments** tab for an insight.  

<img src={useBaseUrl('img/cse/enrichment-1a.png')} alt="Example enrichment" width="800"/>
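Review bot: in `for example, an IP address, a hostname, username, or a MAC address` the articles are inconsistent; make it `an IP address, a hostname, a username, or a MAC address`. The last sentence of the paragraph also says `for an insight` twice: `You can see an enrichment that has been added to an insight on the **Enrichments** tab for an insight.` can end at `tab`.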

Expand Down Expand Up @@ -141,7 +141,7 @@ Run the installer and follow the instructions.

The Enrichment Server supports these variables:

`${IP}`, `${MAC}`, `${USERNAME}`, and `${HOSTNAME}`, and for custom Entities, `${ENTITY}`.
`${IP}`, `${MAC}`, `${USERNAME}`, and `${HOSTNAME}`, and for custom entities, `${ENTITY}`.


### General settings
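Review bot: `and for custom entities, `${ENTITY}`` should be `and for custom entity types, `${ENTITY}``, matching the `command_args` row further down, which states that `${ENTITY}` works for custom entity types and for any of the built-in types. As written it reads as if `${ENTITY}` is restricted to custom entities.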
Expand All @@ -154,7 +154,7 @@ The following parameters control general server behaviors, as opposed to enrichm
| `api_id` | yes | Enter your Sumo Logic Access ID. For more information, see [Manage your access keys on Preferences page](/docs/manage/security/access-keys#from-the-preferences-page). |
| `api_key` | yes | Enter your Sumo Logic Access Key.|
| `log_level` | no | Log level the server should use. The options are:<br/><br/>-`error`. Only display error messages.<br/>-`info`. Display informational messages. This is the recommended value.<br/>-`debug`. Displays debug (or trace) data. Recommended only when debugging.<br/><br/>Default: `info` |
| `poll_interval` | no | How often the Insight Enrichment Server should check for new Insights. You can specify the interval in seconds (s), minutes (m), or hours (h).<br/><br/>Default: 10s |
| `poll_interval` | no | How often the Insight Enrichment Server should check for new insights. You can specify the interval in seconds (s), minutes (m), or hours (h).<br/><br/>Default: 10s |
| `post_workers` | no | The number of parallel workers (threads) posting enrichment results. Default: 6 |
| enrichment_workers | no | The number of parallel workers (threads) running enrichment tasks. <br/><br/>Default: 12 |
| `proxy_url` | no | An HTTP proxy URL to use when communicating with the Sumo Logic backend. For example, `my.proxy.myorg.com:3128` or `username:[email protected]:31281`. <br/><br/>Default: No proxy used |
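Review bot: `enrichment_workers` is the only setting name in this table not wrapped in backticks (the row above, `post_workers`, is); add them for consistency with the rest of the table and with the enrichment settings table below.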
Expand All @@ -168,11 +168,11 @@ Each enrichment should be configured in a separate section in the configuration
| Setting | Required? | Description |
|:--|:--|:--|
| `enrichment_type` | yes | Specifies the type of the enrichment. Currently, the only supported value is `command`. |
| `entity_type` | yes | The type of Entity to enrich. The Insight Enrichment server supports built-in Entity types, including IP, mac, username, and hostname. (For a complete list, see [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities). It also supports [custom Entity types](/docs/cse/records-signals-entities-insights/create-custom-entity-type). For custom Entity types, the `entity_type` should match the unique Identifier assigned to the custom Entity type. |
| `cache_time` | no | The length of time that the results of a specific enrichment for a specific Entity will be cached and returned for other enrichment requests for that enrichment and Entity. This setting can be used to prevent an enrichment from running multiple times for the same Entity. You can specify `cache_time` in hours (h), minutes (m), or seconds (s). If you specify a value without a unit, the value is treated as nanoseconds. <br/><br/>Default: none |
| `entity_type` | yes | The type of entity to enrich. The Insight Enrichment server supports built-in entity types, including IP, mac, username, and hostname. (For a complete list, see [View and Manage Entities](/docs/cse/records-signals-entities-insights/view-manage-entities). It also supports [custom entity types](/docs/cse/records-signals-entities-insights/create-custom-entity-type). For custom entity types, the `entity_type` should match the unique Identifier assigned to the custom entity type. |
| `cache_time` | no | The length of time that the results of a specific enrichment for a specific entity will be cached and returned for other enrichment requests for that enrichment and entity. This setting can be used to prevent an enrichment from running multiple times for the same entity. You can specify `cache_time` in hours (h), minutes (m), or seconds (s). If you specify a value without a unit, the value is treated as nanoseconds. <br/><br/>Default: none |
| `ip_range` | no | When `entity_type` is IP, you can specify a range of IP addresses that the enrichment will be limited to. Specify IP address ranges as a comma-separated list. For example:<br/><br/> `192.168.1.1-192.168.1.255, 192.168.5.1-192.168.8.120` |
| `command_exe` | yes | The executable to run when enriching the Entity. |
| `command_args` | yes | The arguments to pass to the executable specified by `command_exe` when performing the enrichment. Note that the value `${IP}` will be replaced by the IP address for IP Entities. The value `${HOSTNAME}` will be replaced with the hostname for hostname Entities. The value `${MAC}` will be replaced with the MAC address for MAC Entities. The value `${USERNAME}` will be replaced with the username for username Entities. `command_args` also supports an `${ENTITY}` replacement value that you can use for custom Entity types and any of the built-in Entity types. |
| `command_exe` | yes | The executable to run when enriching the entity. |
| `command_args` | yes | The arguments to pass to the executable specified by `command_exe` when performing the enrichment. Note that the value `${IP}` will be replaced by the IP address for IP entities. The value `${HOSTNAME}` will be replaced with the hostname for hostname entities. The value `${MAC}` will be replaced with the MAC address for MAC entities. The value `${USERNAME}` will be replaced with the username for username entities. `command_args` also supports an `${ENTITY}` replacement value that you can use for custom entity types and any of the built-in entity types. |
| `command_timeout` | no | A timeout value (in seconds) that will be enforced when running the command.<br/><br/>Default: none |

### Example enrichment
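Review bot: the `entity_type` row has an unclosed parenthesis: `(For a complete list, see [View and Manage Entities](...). It also supports ...` never closes, so either close it after the link or drop the parentheses; `unique Identifier` should also be lowercase `identifier`. Two behaviours in this table are worth a `:::note` rather than a buried clause: `cache_time` given without a unit is treated as nanoseconds, so a value like `cache_time = 3600` is effectively no cache at all, and `command_timeout` defaults to none, so a hung `command_exe` ties up one of the `enrichment_workers` indefinitely. Finally, since `command_args` substitutes entity values (usernames, hostnames) that originate from log data, please state whether the arguments are passed directly as argv to `command_exe` or through a shell; readers choosing an executable need to know whether they must sanitize those values.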
Expand All @@ -188,7 +188,7 @@ command_args = ${IP}
ip_range = 10.10.10.1-10.10.10.4, 192.168.0.0-192.168.255.255
```

If an Insight’s Entity is an IP address in one of the ranges specified by `ip_range`, the enrichment will run the command `whois.exe` on that IP address.
If an insight’s entity is an IP address in one of the ranges specified by `ip_range`, the enrichment will run the command `whois.exe` on that IP address.

## Example configuration file
