Examples modification v2 #45
Signed-off-by: Micah Pegman <mpegman@octolabs.io> Signed-off-by: Cristian Vasilica <cvasilica@secureworks.com>
replaced tenant_id with tenant.id as per JIRA SECOPS-1646 Signed-off-by: Cristian Vasilica <cvasilica@secureworks.com>
replaced tenant_id with tenant.id as per JIRA SECOPS-1646 Signed-off-by: Cristian Vasilica <cvasilica@secureworks.com>
replaced tenant_id with tenant.id as per JIRA SECOPS-1646 Signed-off-by: Cristian Vasilica <cvasilica@secureworks.com>
Signed-off-by: Cristian Vasilica <cvasilica@secureworks.com>
replaced tenant_id with tenant.id as per JIRA SECOPS-1646 Signed-off-by: Cristian Vasilica <cvasilica@secureworks.com>
mpegman-scwx left a comment
@cvasilica tenant_id as a results field from Taegis has not completely gone away. Only Alerts has deprecated this field in favor of a TenantV4 object.
| add_threat_intel, | ||
| correlations=[get_ti_pubs], | ||
| tenant_id=TENANT, | ||
| tenant.id=TENANT, |
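Review bot: `tenant.id=TENANT` on the added line is not a valid Python keyword argument, because a parameter name cannot contain a dot, so this call will fail with a SyntaxError before anything runs. The removed `tenant_id=TENANT` names the function's parameter rather than a column parsed from a result set; keep `tenant_id=TENANT` here.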
I believe this will still be tenant_id as it is the function parameter and not a parsed column from a result set.
https://github.com/secureworks/taegis-magic/blob/main/taegis_magic/pandas/context.py#L492
| " add_threat_intel,\n", | ||
| " correlations=[get_ti_pubs],\n", | ||
| " tenant_id=TENANT,\n", | ||
| " tenant.id=TENANT,\n", |
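Review bot: inside this notebook cell `tenant.id=TENANT` is a keyword argument to `add_threat_intel`, and a keyword argument name cannot contain a dot, so the cell will raise a SyntaxError when executed. The removed `tenant_id=TENANT` refers to the function parameter, not a result column; keep `" tenant_id=TENANT,\n"`.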
I believe this will still be tenant_id as it is the function parameter and not a parsed column from a result set.
https://github.com/secureworks/taegis-magic/blob/main/taegis_magic/pandas/context.py#L492
| "This pandas pipe function will work when there are the following columns in the DataFrame:\n", | ||
| "- A column name that contains `host_id`\n", | ||
| "- A column name that contains `tenant.id` (or `tenant_id`)\n", | ||
| "- A column name that contains `tenant.id`\n", |
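Review bot: the added line drops the `(or \`tenant_id\`)` alternative from the documented column contract, which narrows what the pipe function is described as accepting. Unless the lookup in the pipe function itself stops falling back to a `tenant_id` column, keep the removed wording `- A column name that contains \`tenant.id\` (or \`tenant_id\`)` so the documentation matches the code's behaviour.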
The dual column lookup is still correct. Events still use tenant_id; it was alerts that deprecated the tenant_id string in favor of a Tenant object.
Event schemas can be verified using the following snippet; change the RuleEventType to one of the options here:
from taegis_sdk_python import GraphQLService
from taegis_sdk_python.services.rules.types import RuleEventType

service = GraphQLService()
# Swap PROCESS for another RuleEventType member to inspect that event schema.
results = service.rules.query.filter_keys(RuleEventType.PROCESS)
print(results)
https://github.com/secureworks/taegis-magic/blob/main/taegis_magic/pandas/assets.py#L124
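The dual column lookup described in this comment, as an added illustration that is not taegis-magic's own code: it resolves the tenant and host columns from a list of column names (so it works on `DataFrame.columns` as well as on the notebook's literal column lists), accepting `tenant.id` for Alerts and falling back to `tenant_id` for Events, and fails loudly when neither is present. The sample rows, `resolve_columns` and `asset_keys` are constructed for this example.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed illustration, not taegis-magic code. Accepted substrings for
# the tenant column, most specific first: Alerts expose `tenant.id`,
# Events still expose the `tenant_id` string.
TENANT_KEYS = ("tenant.id", "tenant_id")
HOST_KEY = "host_id"


def find_column(columns: Iterable[str], needle: str) -> Optional[str]:
    """Return the first column name containing `needle`, else None."""
    for name in columns:
        if needle in name:
            return name
    return None


def resolve_columns(columns: Iterable[str]) -> Dict[str, str]:
    """Map logical names to the concrete columns; ValueError if any is absent."""
    columns = list(columns)
    host = find_column(columns, HOST_KEY)
    tenant = None
    for key in TENANT_KEYS:  # try `tenant.id`, then fall back to `tenant_id`
        tenant = find_column(columns, key)
        if tenant is not None:
            break
    missing = [n for n, c in (("host_id", host), ("tenant.id/tenant_id", tenant)) if c is None]
    if missing:
        # Fail early instead of letting a pipe function produce an empty join.
        raise ValueError(f"required columns not found: {missing}; have {columns}")
    return {"host_id": host, "tenant_id": tenant}


def asset_keys(rows: List[Dict[str, object]]) -> List[Tuple[object, object]]:
    """Extract (tenant, host) pairs from records of either schema."""
    if not rows:
        return []
    cols = resolve_columns(rows[0].keys())
    return [(row[cols["tenant_id"]], row[cols["host_id"]]) for row in rows]


# Constructed sample rows: an Alert row (Tenant object flattened to
# `tenant.id`) and an Event row (plain `tenant_id` string).
ALERT_ROWS = [{"alert.id": "a-1", "tenant.id": "t-100", "entities.host_id": "h-1"}]
EVENT_ROWS = [{"event_id": "e-1", "tenant_id": "t-100", "host_id": "h-2"}]

if __name__ == "__main__":
    print(asset_keys(ALERT_ROWS))  # [('t-100', 'h-1')]
    print(asset_keys(EVENT_ROWS))  # [('t-100', 'h-2')]
```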
| "#### Asset Data with Taegis Events\n", | ||
| "\n", | ||
| "- Unlike Alert DataFrames, Taegis Event DataFrames only need the `tenant_id` and `host_id` fields" | ||
| "- Unlike Alert DataFrames, Taegis Event DataFrames only need the `tenant.id` and `host_id` fields" |
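Review bot: this sentence documents which fields an Event DataFrame must carry, so renaming `tenant_id` to `tenant.id` here is only right if Event result sets actually expose a `tenant.id` column; the removed line contrasts Events with Alerts precisely on that point. Check the event schema before changing the text and keep `tenant_id` if events still return the string field.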
Events still use the tenant_id string.
| " 'enrichSummary',\n", | ||
| " 'host_id',\n", | ||
| " 'tenant_id'\n", | ||
| " 'tenant.id'\n", |
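Review bot: the removed `'tenant_id'` is a literal column name in a list of Event columns, alongside `'host_id'`; changing it to `'tenant.id'` will fail the lookup if the event output is still keyed `tenant_id`. Confirm the column name from actual event output before renaming it.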
Events still use the tenant_id string.
| " add_threat_intel,\n", | ||
| " correlations=[get_ti_pubs],\n", | ||
| " tenant_id=TENANT,\n", | ||
| " tenant.id=TENANT,\n", |
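Review bot: `tenant.id=TENANT` in this notebook cell is a keyword argument to `add_threat_intel`, and a dotted name is not a valid keyword argument, so the cell will raise a SyntaxError when run. Since the removed `tenant_id=TENANT` names the function parameter rather than a result column, keep `" tenant_id=TENANT,\n"`.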
I believe this will still be tenant_id as it is the function parameter and not a parsed column from a result set.
https://github.com/secureworks/taegis-magic/blob/main/taegis_magic/pandas/context.py#L492
Closes #44