Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: da32c6c597
This PR does not modify any files shipped with the agent. To help streamline the release process, please consider adding the
| className: HTTP Activity | ||
| classUid: 4002 | ||
| extensions: [] | ||
| profiles: [] |
Should probably have the network proxy and security control profiles. If you had the security_control profile, you could map info on malware, DLS prevention, etc.
Good point, will add it.
| targetFormat: string | ||
| preserveSource: true | ||
| overrideOnConflict: true | ||
| type: schema-remapper |
If you're using the Network Proxy Profile, you could map externalip to proxy_endpoint.ip
| preserveSource: true | ||
| overrideOnConflict: true | ||
| type: schema-remapper | ||
| - name: Map `domain` to `ocsf.query.hostname` |
You could map info in the identities array to additional fields in ocsf.src_endpoint (like hw_info). Not required though, so up to you and not blocking
I am not sure how consistent hw_info is.
| preserveSource: true | ||
| overrideOnConflict: true | ||
| type: schema-remapper | ||
| - name: Map `internalip` to `ocsf.src_endpoint.ip` |
You should map destination IP as well as source IP
| targetFormat: string | ||
| preserveSource: true | ||
| overrideOnConflict: true | ||
| type: schema-remapper |
You could map various file attributes to ocsf.file as well; it would extract indicators that could be useful for threat intel matching.
These logs for proxy are kinda weird since they have the fields blockedfilename/responsefilename, which I am not sure is what ocsf.file is looking for:
The File object represents the metadata associated with a file stored in a computer system
https://schema.ocsf.io/1.3.0/objects/file
jbfeldman-dd left a comment:
Non-blocking comments. LGTM
| targetType: attribute | ||
| targetFormat: integer | ||
| preserveSource: false | ||
| overrideOnConflict: false |
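Review bot: `overrideOnConflict: false` on the integer remap of `disposition_id` means any value already present at the target is left untouched, so the integer conversion only applies when this remapper is the first to write the field; confirm that the sub pipeline ordering guarantees that, otherwise a string value written earlier would survive unconverted.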
The preferred design here I think is to have the OCSF sub pipeline for HTTP Activity [4002] malware transformations come before the other 4002 sub pipeline, and then map ocsf.disposition_id to itself in the schema-processor. This will ensure it's always mapped to the correct type based on the OCSF schema, and you don't have to map it yourself. But ultimately a stylistic choice, so up to you.
Is the query that specifically has service:proxy not enough to ensure that?
| source: ocsf.malware.classification_id | ||
| target: ocsf.malware.classification_ids | ||
| preserveSource: false | ||
| type: append |
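Review bot: the `append` from `ocsf.malware.classification_id` to `ocsf.malware.classification_ids` has no visible condition, so it also runs on records that carry no malware detection; confirm that the processor is a no-op when the source attribute is missing rather than creating an empty `classification_ids` array, or scope it under the same filter as the malware sub pipeline.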
Similar to the above comment: mapping ocsf.malware.classification_ids to itself in the schema-processor is a slightly more elegant way of doing this.
Issue is if there is no malware it's an issue, since I can't remove a field.
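The mapping this thread discusses, as an added Python example that is not code from the PR or the pipeline it changes: one function turns a constructed Umbrella proxy record into an OCSF HTTP Activity (4002) event carrying the `network_proxy` and `security_control` profiles, maps internal, destination and external IPs to `src_endpoint`, `dst_endpoint` and `proxy_endpoint`, and attaches `malware` and `file` only when the source record has them, so the no-malware case never leaves a field that has to be removed afterwards. Assumed: the input keys `destinationip`, `method`, `action`, `malwarename` and `malwareclassificationid`, and the OCSF attribute paths beyond those named in the thread.

```python
"""Map Cisco Umbrella proxy records to OCSF HTTP Activity (class_uid 4002)."""

# Constructed sample records. internalip, externalip, domain, identities and
# blockedfilename are named in the PR; the remaining keys are assumptions.
UMBRELLA_BLOCKED = {
    "internalip": "10.1.2.3", "externalip": "203.0.113.7",
    "destinationip": "198.51.100.9", "domain": "files.example.net",
    "method": "GET", "action": "blocked", "identities": ["laptop-42"],
    "blockedfilename": "invoice.exe", "malwarename": "Trojan.Generic",
    "malwareclassificationid": 14,          # constructed value, carried through as-is
}
UMBRELLA_ALLOWED = {
    "internalip": "10.1.2.4", "externalip": "203.0.113.7",
    "destinationip": "198.51.100.20", "domain": "www.example.org",
    "method": "POST", "action": "allowed", "identities": ["laptop-43"],
}

CLASS_UID = 4002                                      # HTTP Activity
HTTP_ACTIVITY_IDS = {"CONNECT": 1, "DELETE": 2, "GET": 3, "HEAD": 4,
                     "OPTIONS": 5, "POST": 6, "PUT": 7, "TRACE": 8}
DISPOSITION_IDS = {"allowed": 1, "blocked": 2}        # OCSF disposition_id enum


def to_ocsf(rec: dict) -> dict:
    """Return the OCSF event for one proxy record; optional objects are set only when present."""
    method = rec.get("method", "").upper()
    activity_id = HTTP_ACTIVITY_IDS.get(method, 99)   # 99 = Other
    event = {
        "class_uid": CLASS_UID,
        "category_uid": 4,                            # Network Activity
        "activity_id": activity_id,
        "type_uid": CLASS_UID * 100 + activity_id,    # 400203 for a GET
        "disposition_id": DISPOSITION_IDS.get(rec.get("action", "").lower(), 0),
        "metadata": {"profiles": ["network_proxy", "security_control"]},
        # The internal client is the source, the Umbrella egress address is the
        # proxy, and the origin server goes to dst_endpoint so both sides survive.
        "src_endpoint": {"ip": rec["internalip"], "hostname": rec["identities"][0]},
        "dst_endpoint": {"ip": rec["destinationip"]},
        "proxy_endpoint": {"ip": rec["externalip"]},
        "http_request": {"http_method": method, "url": {"hostname": rec["domain"]}},
    }
    # security_control profile: build the malware array only when the product
    # reported a detection, so no empty field has to be stripped downstream.
    if "malwarename" in rec:
        event["malware"] = [{"name": rec["malwarename"],
                             "classification_ids": [rec["malwareclassificationid"]]}]
    if "blockedfilename" in rec:
        event["file"] = {"name": rec["blockedfilename"]}
    return event
```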
Review from jbfeldman-dd is dismissed. Related teams and files:
- logs-integrations-reviewers
- cisco_umbrella_dns/assets/logs/cisco-umbrella-dns.yaml
* Add OCSF pipelines
* update test file
* update processor name
* remove metadata placeholder and change test file
* change schema processor name
* add facets
* remove conflicting facets
* update activity id mapping
* update activity id mapping
* preserve source
* update test file
* add is_ocsf flag
* address feedback
* fix test file
* add malware sub pipeline
* fix test file
* add endpoint proxy to dns
* Bring back ocsf.metadata field
* add ocsf.metadata

Signed-off-by: lukepatrick <lukephilips@gmail.com>


Create OCSF mappings for Cisco Umbrella pipeline