Event
Event provides SIEM capability through event-generation and correlation triggers and actions. Event uses a custom SIEM scoring system, `score = (accuracy * (impact * layer)) / benign`, to enable simple adoption of the MITRE ATT&CK framework and custom events alike. Using Event's correlation engine, it is possible to draw links between different events and take action when thresholds are exceeded.
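The scoring formula and threshold behaviour described above, modelled as an added Python example that is not part of the Event plugin; the field names follow this page, while the `correlate` helper and the way scores are grouped and summed are assumptions:

```python
# Added example (not the Event plugin's own code): a small model of the page's
# scoring formula and of a correlation threshold check. Field names follow the
# page; how the real engine groups and sums scores is an assumption here.
from collections import defaultdict


def event_score(accuracy, impact, layer, benign):
    """score = (accuracy * (impact * layer)) / benign, as stated on the page."""
    # benign is a divisor: reject 0 instead of producing an infinite score.
    if benign <= 0:
        raise ValueError("benign must be a positive divisor")
    return (accuracy * (impact * layer)) / benign


def correlate(events, correlation_fields, min_score=0.0, exclude_single_types=False):
    """Group events by correlation_fields and sum their scores per group.

    Returns {key: {"score", "types", "uids"}} for groups whose total reaches
    min_score; exclude_single_types drops groups with one eventType (assumed).
    """
    groups = defaultdict(lambda: {"score": 0.0, "types": set(), "uids": []})
    for ev in events:
        key = tuple(ev["eventValues"].get(f) for f in correlation_fields)
        g = groups[key]
        g["score"] += event_score(ev["accuracy"], ev["impact"], ev["layer"], ev["benign"])
        g["types"].add(ev["eventType"])
        g["uids"].append(ev["uid"])
    return {
        key: g for key, g in groups.items()
        if g["score"] >= min_score
        and not (exclude_single_types and len(g["types"]) < 2)
    }


# Constructed sample events; values are illustrative, not taken from the page.
SAMPLE_EVENTS = [
    {"eventType": "auth", "uid": "e1", "accuracy": 0.9, "impact": 3, "layer": 2,
     "benign": 1, "eventValues": {"src_ip": "10.0.0.5", "user": "alice"}},
    {"eventType": "process", "uid": "e2", "accuracy": 0.5, "impact": 4, "layer": 3,
     "benign": 2, "eventValues": {"src_ip": "10.0.0.5", "user": "alice"}},
    {"eventType": "auth", "uid": "e3", "accuracy": 0.2, "impact": 1, "layer": 1,
     "benign": 4, "eventValues": {"src_ip": "10.0.0.9", "user": "bob"}},
]

if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS, ["src_ip", "user"], min_score=5.0,
                     exclude_single_types=True)
    for key, g in hits.items():
        print(key, round(g["score"], 2), sorted(g["types"]), g["uids"])
```

Only the (10.0.0.5, alice) group passes: its two events of different types sum to 8.4, while the single-type bob group stays below the 5.0 threshold.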
Triggers
Event Threshold
Trigger that returns matching correlations based on the defined fields.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
correlationName | input | False | False | |
includeInactive | checkbox | False | False | |
excludeSingleTypes | checkbox | False | False | |
minScore | input | False | False | |
idsOnly | checkbox | False | False | |
summaryOnly | checkbox | False | False | |
Actions
Raise Event
Raise a new event based on the fields provided.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
eventType | input | False | False | |
eventSubType | input | False | False | |
layer | input | False | False | |
accuracy | input | False | False | |
impact | input | False | False | |
benign | input | False | False | |
history | checkbox | False | False | |
uid | input | False | False | |
timeToLive | input | False | False | |
eventValues | json-input | False | False | |
eventTitle | input | False | False | |
updateValues | checkbox | False | False | |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}, "False": {"description": "Failure."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
Event Update Score
Updates the score on an existing event by index.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
eventIndex | input | False | False | |
layer | input | False | False | |
accuracy | input | False | False | |
impact | input | False | False | |
benign | input | False | False | |
zeroUpdate | checkbox | False | False | |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}, "False": {"description": "Failure."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
Event Update
Updates a value on an existing event by index.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
eventValues | json-input | False | False | |
eventIndex | input | False | False | |
updateMode | input | False | False | |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}, "False": {"description": "Failure."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
Event Get Correlations
Get a list of correlations based on the provided criteria.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
correlationName | input | False | False | |
includeInactive | checkbox | False | False | |
excludeSingleTypes | checkbox | False | False | |
minScore | input | False | False | |
idsOnly | checkbox | False | False | |
summaryOnly | checkbox | False | False | |
multiTypeMultiplier | input | False | False | |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}, "False": {"description": "Failure."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
Event Get Correlation
Get a correlation from a UID string.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
correlationID | input | False | False | |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}, "False": {"description": "Failure."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |
Event Build Correlations
Builds and updates event correlations.
Input
Name | Description | Type | Required | Syntax |
---|---|---|---|---|
correlationName | input | False | False | |
expiryTime | input | False | False | |
oldestEvent | input | False | False | |
correlationFields | json-input | False | False | |
excludeCorrelationValues | json-input | False | False | |
alwaysProcessEvents | checkbox | False | False | |
ignoreScoreLessThan | input | False | False | |
Output
Name | Description | Type | always_present | values |
---|---|---|---|---|
result | Returns True when successful. | boolean | True | {"True": {"description": "Successful."}, "False": {"description": "Failure."}} |
rc | Returns the exit code for the action. | number | True | {"0": {"description": "Successful."}} |