I am trying to enhance / enrich event data / UDM by means of a Data Table.
I have the following data table called CrownJewels
Column 1: Hostname - mapped to entity.asset.hostname
Column 2: Asset_ID - mapped to entity.asset.asset_id
Column 3: IP - mapped to entity.asset.ip
Column 4: Owner - mapped to entity.asset.attribute.labels.value
Column 5: CrownJewel - mapped to entity.asset.attribute.roles.name
Column 6: OwnerKey - mapped to entity.asset.attribute.labels.key
My goal is to enrich UDM data with the data above;
in particular, I want asset.attribute.roles.name to contain CrownJewel, and I want an asset.attribute.labels entry whose key is Owner and whose value comes from Column 4.
But whatever I try, following both the Google document as well as the blogs from
I can't get any enrichment happening.
Here are the two detection rules I tried:
1:
rule enrich_asset_crownjewels_byIP
{
  meta:
    description = "Override asset entity context with CrownJewels data table"
    author = "J Spoor"

  setup:
    graph_override ($graph.graph.entity.asset.ip = %CrownJewels.IP)

  events:
    $e.target.asset.ip in %CrownJewels.IP
    $graph.graph.metadata.entity_type = "ASSET"
    $e.target.asset.ip = $hip
    $graph.graph.entity.asset.ip = $hip

  match:
    $hip over 1h

  outcome:
    //$Owner = array_distinct($graph.graph.entity.asset.attribute.labels["Owner"])
    $Role = array_distinct($graph.graph.entity.asset.attribute.roles.name)

  condition:
    $e and $graph
}
2:
rule enrich_asset_crownjewels_byHostname
{
  meta:
    description = "Override asset entity context with CrownJewels data table"
    author = "J Spoor"

  setup:
    graph_override ($graph.graph.entity.asset.hostname = %CrownJewels.Hostname)

  events:
    $e.target.asset.ip in %CrownJewels.IP
    $graph.graph.metadata.entity_type = "ASSET"
    $e.target.asset.ip = $hip
    $graph.graph.entity.asset.ip = $hip

  match:
    $hip over 1h

  outcome:
    //$Owner = array_distinct($graph.graph.entity.asset.attribute.labels["Owner"])
    $Role = array_distinct($graph.graph.entity.asset.attribute.roles.name)

  condition:
    $e and $graph
}
I am at a loss here.
