CiscoSecurity / amp-04-create-event-stream

Creates a new event stream to be used with an AMQP client


Event stream syntax

truekonrads opened this issue · comments

Hello,

Is the event stream format documented anywhere beyond "it's AMQP"? There is this third party document from LogRhythm, but not much else.

The EventStream event format is equivalent to that of the event objects in .data[] retrieved from the GET /v1/events API endpoint. There are some superficial differences such as the casing of file hashes.

An example event from an EventStream:

{
  "id": 1586887493524041000,
  "timestamp": 1586887493,
  "timestamp_nanoseconds": 524041000,
  "date": "2020-04-14T18:04:53+00:00",
  "event_type": "Threat Quarantined",
  "event_type_id": 553648143,
  "detection_id": "13311776372294007",
  "connector_guid": "94e0194a-3962-4d62-82a1-6760d4441f4f",
  "group_guids": [
    "abce6abf-11d7-40cf-9532-22a242cc93c1"
  ],
  "severity": "Medium",
  "computer": {
    "connector_guid": "94e0194a-3962-4d62-82a1-6760d4441f4f",
    "hostname": "localhost.localdomain",
    "external_ip": "198.51.100.43",
    "active": true,
    "network_addresses": [
      {
        "ip": "192.168.78.161",
        "mac": "00:0c:29:5a:31:21"
      },
      {
        "ip": "192.168.122.1",
        "mac": "52:54:00:6d:13:3c"
      }
    ],
    "links": {
      "computer": "https://api.amp.cisco.com/v1/computers/94e0194a-3962-4d62-82a1-6760d4441f4f",
      "trajectory": "https://api.amp.cisco.com/v1/computers/94e0194a-3962-4d62-82a1-6760d4441f4f/trajectory",
      "group": "https://api.amp.cisco.com/v1/groups/abce6abf-11d7-40cf-9532-22a242cc93c1"
    }
  },
  "file": {
    "disposition": "Malicious",
    "identity": {
      "sha256": "00B32C3428362E39E4DF2A0C3E0950947C147781FDD3D2FFD0BF5F96989BB002"
    }
  }
}
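As an added example (not from the issue or from the amp-04 script): a Python normalizer that flattens one stream message into the record shape described above, lowercasing the hash so that the stream copy and the GET /v1/events copy of one event compare equal, and tolerating events that carry no file section. The sample messages are constructed from the event quoted above; the sha1/md5 keys are an assumption.

```python
import json

# Hash keys to lowercase; the page only shows sha256, the others are an assumption.
HASH_KEYS = ("sha256", "sha1", "md5")

# Constructed sample, abbreviated from the event quoted above (EventStream casing).
STREAM_MSG = json.dumps({
    "id": 1586887493524041000, "date": "2020-04-14T18:04:53+00:00",
    "event_type": "Threat Quarantined", "event_type_id": 553648143,
    "severity": "Medium",
    "connector_guid": "94e0194a-3962-4d62-82a1-6760d4441f4f",
    "computer": {"hostname": "localhost.localdomain", "external_ip": "198.51.100.43",
                 "network_addresses": [{"ip": "192.168.78.161", "mac": "00:0c:29:5a:31:21"}]},
    "file": {"disposition": "Malicious",
             "identity": {"sha256": "00B32C3428362E39E4DF2A0C3E0950947C147781FDD3D2FFD0BF5F96989BB002"}},
}).encode()

# Constructed: the same event as the GET /v1/events API would deliver it (lowercase hash).
API_MSG = STREAM_MSG.replace(b"00B32C3428362E39E4DF2A0C3E0950947C147781FDD3D2FFD0BF5F96989BB002",
                             b"00b32c3428362e39e4df2a0c3e0950947c147781fdd3d2ffd0bf5f96989bb002")


def normalize_event(raw: bytes) -> dict:
    """Parse one event body into a flat record; tolerate events without a file section."""
    event = json.loads(raw)
    computer = event.get("computer") or {}
    file_info = event.get("file") or {}
    identity = file_info.get("identity") or {}
    record = {
        "id": event["id"],
        "date": event["date"],
        "event_type": event["event_type"],
        "event_type_id": event["event_type_id"],
        "severity": event.get("severity"),
        "connector_guid": event["connector_guid"],
        "hostname": computer.get("hostname"),
        "external_ip": computer.get("external_ip"),
        "internal_ips": [a["ip"] for a in computer.get("network_addresses", [])],
        "disposition": file_info.get("disposition"),
    }
    for key in HASH_KEYS:  # lowercase hashes so stream and API records compare equal
        if key in identity:
            record[key] = identity[key].lower()
    return record


def same_event(a: bytes, b: bytes) -> bool:
    """True when two deliveries of an event normalize to the identical record."""
    return normalize_event(a) == normalize_event(b)
```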

Hello,
thank you for this, however I am looking one level deeper - something that describes each event type. The format for vulnerable software is different from an alert.

Your "best" option is to figure out how to generate all of the given events in your own environment. Alternatively you could open a support ticket or ask your account team to try and get this information for you. I was unable to get this information in over 5 years of trying, maybe you'll have better luck.