Add rule description to enrichment relationship descriptions
misje committed May 9, 2024
1 parent f4e2608 commit 8a8d02d
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions src/wazuh/enrich.py
Expand Up @@ -463,7 +463,7 @@ def enrich_files(self, *, incident: stix2.Incident, alerts: list[dict]):
created=alert["_source"]["@timestamp"],
**self.stix.common_properties,
relationship_type="related-to",
description=f"StixFile {match} found in {meta['field']} in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']})",
description=f"StixFile {match} found in {meta['field']} in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']}): {alert['_source']['rule']['description']}",
source_ref=incident.id,
target_ref=sco_bundle.sco.id,
),
Expand Down Expand Up @@ -512,7 +512,7 @@ def enrich_reg_keys(self, *, incident: stix2.Incident, alerts: list[dict]):
created=alert["_source"]["@timestamp"],
**self.stix.common_properties,
relationship_type="related-to",
description=f"Windows-Registry-Key {match} found in {meta['field']} in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']})",
description=f"Windows-Registry-Key {match} found in {meta['field']} in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']}): {alert['_source']['rule']['description']}",
source_ref=incident.id,
target_ref=sco_bundle.sco.id,
),
Expand Down Expand Up @@ -754,7 +754,7 @@ def create_process(
created=alert["_source"]["@timestamp"],
**self.stix.common_properties,
relationship_type="related-to",
description=f"Process found in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']})",
description=f"Process found in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']}): {alert['_source']['rule']['description']}",
source_ref=incident.id,
target_ref=process.id,
),
Expand Down Expand Up @@ -913,7 +913,7 @@ def enrich_traffic(self, *, incident: stix2.Incident, alerts: list[dict]):
created=alert["_source"]["@timestamp"],
**self.stix.common_properties,
relationship_type="related-to",
description=f"Network-Traffic found in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']})",
description=f"Network-Traffic found in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']}): {alert['_source']['rule']['description']}",
source_ref=incident.id,
target_ref=sco.id,
),
Expand Down Expand Up @@ -1078,7 +1078,7 @@ def create_sco(match: Any) -> dict[str, SCOBundle]:
created=alert["_source"]["@timestamp"],
**self.stix.common_properties,
relationship_type="related-to",
description=f"{type} {match} found in {meta['field']} in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']})",
description=f"{type} {match} found in {meta['field']} in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']}): {alert['_source']['rule']['description']}",
source_ref=incident.id,
target_ref=sco_bundle.sco.id,
),
Expand Down Expand Up @@ -1135,7 +1135,7 @@ def create_enrichment_obs_from_search_context(
created=alert["_source"]["@timestamp"],
**self.stix.common_properties,
relationship_type="related-to",
description=f"{type} found in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']})",
description=f"{type} found in alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']}): {alert['_source']['rule']['description']}",
source_ref=incident.id,
target_ref=sco.id,
),
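Review bot: Each of the six new descriptions indexes `alert['_source']['rule']['description']` directly, so an alert whose rule record lacks a description now aborts the enrichment with a KeyError where the previous text would still have been emitted; the neighbouring `['id']` lookup already has that exposure, but this change widens it. If the connector can see such alerts, `alert['_source']['rule'].get('description', '')` is the safer form, and if Wazuh guarantees the field a one-line comment stating that assumption next to the first use would settle it. The same `alert (ID …, rule ID …): …` suffix is now repeated verbatim in six places; a small helper such as `def _alert_ref(alert: dict) -> str: return f"alert (ID {alert['_id']}, rule ID {alert['_source']['rule']['id']}): {alert['_source']['rule']['description']}"` keeps the wording, and any escaping added later, in one spot. Like `{match}` and `meta['field']`, the rule description is taken from the alert document and copied verbatim into the STIX relationship description, so whatever renders these descriptions downstream should continue to treat them as untrusted text. All six hunks sit inside functions whose bodies begin and end outside the visible lines.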
