From e5a364cb1afa6ee8bcaf110a79f969ca63de0a10 Mon Sep 17 00:00:00 2001
From: MathouneS
Date: Mon, 16 Aug 2021 15:13:31 +0200
Subject: [PATCH 1/2] feat(vectra): add smart-descriptions

---
 events/smart-descriptions.json | 52 ++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/events/smart-descriptions.json b/events/smart-descriptions.json
index 11da836..1a81eea 100644
--- a/events/smart-descriptions.json
+++ b/events/smart-descriptions.json
@@ -1,4 +1,56 @@
 {
+ "vectra cognito detect": [
+ {
+ "value": "{observer.ip} detected {vectra.detection.name} : {host.name} ({host.ip})",
+ "conditions": [{
+ "field": "vectra.detection.name"
+ }],
+ "relationships": [{
+ "source": "host.ip",
+ "target": "destination.ip",
+ "type": "{vectra.detection.name}"
+ }]
+ },
+ {
+ "value": "{observer.ip} refreshed detection {vectra.detection.last_type} : {host.name} ({host.ip})",
+ "conditions": [{
+ "field": "vectra.detection.last_type"
+ }]
+ },
+ {
+ "value": "[HOST SCORING] {host.name} ({host.ip}) : threat = {vectra.risk_score_norm}",
+ "conditions": [{
+ "field": "event.type",
+ "value": "HOST SCORING"
+ }],
+ },
+ {
+ "value": "[LOCKDOWN] {user.name} {action.name} {vectra.account.name} ",
+ "conditions": [{
+ "field": "event.type",
+ "value": "LOCKDOWN"
+ }]
+ },
+ {
+ "value": "[HOST LOCKDOWN] {user.name} {action.name} {host.name} ",
+ "conditions": [{
+ "field": "event.type",
+ "value": "HOST_LOCKDOWN"
+ }]
+ },
+ {
+ "value": "[CAMPAIGN] event : {vectra.detection.reason} from {source.ip} to {vectra.destination.name} ({destination.ip}) ",
+ "conditions": [{
+ "field": "event.type",
+ "value": "HOST_LOCKDOWN"
+ }],
+ "relationships": [{
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "{vectra.detection.reason}"
+ }]
+ }
+ ],
 "retarus email security": [{
 "value": "{retarus.sender} sent an e-mail to {retarus.recipient} with status: {retarus.status} (Message-ID: {retarus.message_id})",
 "conditions": [{
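Review bot: The HOST SCORING entry closes its `conditions` array with `}],` and then immediately closes the enclosing object with `},`, which leaves a trailing comma inside an object; an RFC 8259 parser rejects the document, so every description in smart-descriptions.json, including the pre-existing retarus entries, would fail to load unless the consumer uses a lenient parser, and depending on how the loader reports errors that failure may be silent. Change `}],` to `}]` in that entry. The second patch of this series keeps this line as context and adds a second trailing comma (`+ },` directly before `],`), so the same fix is needed there.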
From 7c333561553ad36915f92fa16eb1ae45250ca8cd Mon Sep 17 00:00:00 2001
From: MathouneS
Date: Tue, 24 Aug 2021 15:25:30 +0200
Subject: [PATCH 2/2] update Vectra descriptions

---
 events/smart-descriptions.json | 46 +++++++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 14 deletions(-)

diff --git a/events/smart-descriptions.json b/events/smart-descriptions.json
index 1a81eea..c9fe3a4 100644
--- a/events/smart-descriptions.json
+++ b/events/smart-descriptions.json
@@ -1,55 +1,73 @@
 {
 "vectra cognito detect": [
 {
- "value": "{observer.ip} detected {vectra.detection.name} : {host.name} ({host.ip})",
+ "value": "{observer.ip} detected {vectra.detection.name} on {host.name} ({host.ip})",
 "conditions": [{
 "field": "vectra.detection.name"
- }],
- "relationships": [{
- "source": "host.ip",
- "target": "destination.ip",
- "type": "{vectra.detection.name}"
 }]
 },
 {
- "value": "{observer.ip} refreshed detection {vectra.detection.last_type} : {host.name} ({host.ip})",
+ "value": "{observer.ip} refreshed detection {vectra.detection.last_type} on {host.name} ({host.ip})",
 "conditions": [{
 "field": "vectra.detection.last_type"
 }]
 },
 {
- "value": "[HOST SCORING] {host.name} ({host.ip}) : threat = {vectra.risk_score_norm}",
+ "value": "Score of {host.name} ({host.ip}) is {vectra.risk_score_norm}",
 "conditions": [{
 "field": "event.type",
 "value": "HOST SCORING"
 }],
 },
 {
- "value": "[LOCKDOWN] {user.name} {action.name} {vectra.account.name} ",
+ "value": "{user.name} has {action.name} on {vectra.account.name} ",
 "conditions": [{
 "field": "event.type",
 "value": "LOCKDOWN"
 }]
 },
 {
- "value": "[HOST LOCKDOWN] {user.name} {action.name} {host.name} ",
+ "value": "{user.name} has {action.name} on {host.name} ",
 "conditions": [{
 "field": "event.type",
 "value": "HOST_LOCKDOWN"
 }]
 },
 {
- "value": "[CAMPAIGN] event : {vectra.detection.reason} from {source.ip} to {vectra.destination.name} ({destination.ip}) ",
+ "value": "Campaign {vectra.campaign.name} detected, {vectra.detection.reason} from {source.ip} to {vectra.destination.name} ({destination.ip}) ",
+ "conditions": [{
+ "field": "vectra.campaign.name"
+ }],
+ "relationships": [{
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "campaign"
+ }]
+ },
+ {
+ "value": "Heartbeat on {log.hostname} {event.outcome} at {vectra.timestamp} ) ",
 "conditions": [{
 "field": "event.type",
- "value": "HOST_LOCKDOWN"
+ "value": "heartbeat_check"
+ }],
+ "relationships": [{
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "campaign"
+ }]
+ },
+ {
+ "value": "{vectra.detection.name} observed by {observer.ip} with a risk score {vectra.risk_score_norm}",
+ "conditions": [{
+ "field": "event.type",
+ "value": "LATERAL MOVEMENT"
 }],
 "relationships": [{
 "source": "source.ip",
 "target": "destination.ip",
- "type": "{vectra.detection.reason}"
+ "type": "campaign"
 }]
- }
+ },
 ],
 "retarus email security": [{
 "value": "{retarus.sender} sent an e-mail to {retarus.recipient} with status: {retarus.status} (Message-ID: {retarus.message_id})",
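Review bot: The new Heartbeat entry carries a `relationships` block linking `source.ip` to `destination.ip` with type `campaign`, and the LATERAL MOVEMENT entry's relationship is retyped from `{vectra.detection.reason}` to `campaign` as well; both look copy-pasted from the Campaign entry and would draw "campaign" edges between hosts for events that are not campaigns (a heartbeat check has no attacker/victim pair), which misleads any analyst pivoting on those relationships. Drop the `relationships` block from the Heartbeat entry and give the lateral-movement relationship a type that reflects the detection, for example `"type": "{vectra.detection.name}"`, which that entry's value already references. The Heartbeat value also ends with a stray ` ) ` before its closing quote. The `event.type` match values now mix styles (`HOST SCORING`, `HOST_LOCKDOWN`, `heartbeat_check`, `LATERAL MOVEMENT`); unless the matcher normalises case and separators, each should be checked against what the Vectra format actually emits, since an unmatched value means the description silently never fires.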