Event

Event provides SIEM capability through its event generation and correlation triggers and actions. Event uses a custom SIEM scoring system, 'score = ( accuracy * ( impact * layer ) / benign )', to enable simple adoption of the MITRE ATT&CK framework and custom events alike. Using Event's correlation engine makes it possible to draw links between different events and take action when thresholds are exceeded.

Triggers

Event Threshold

Trigger that returns matching correlations based on the defined fields.

Input

Name                      Description  Type        Required  Syntax
correlationName                        input       False     False
includeInactive                        checkbox    False     False
excludeSingleTypes                     checkbox    False     False
minScore                               input       False     False
idsOnly                                checkbox    False     False
summaryOnly                            checkbox    False     False

Actions

Raise Event

Raise a new event based on the fields provided.

Input

Name                      Description  Type        Required  Syntax
eventType                              input       False     False
eventSubType                           input       False     False
layer                                  input       False     False
accuracy                               input       False     False
impact                                 input       False     False
benign                                 input       False     False
history                                checkbox    False     False
uid                                    input       False     False
timeToLive                             input       False     False
eventValues                            json-input  False     False
eventTitle                             input       False     False
updateValues                           checkbox    False     False

Output

Name    Description                            Type     always_present  values
result  Returns True when successful.          boolean  True            {"True": {"description": "Successful."}, "False": {"description": "Failure."}}
rc      Returns the exit code for the action.  number   True            {"0": {"description": "Successful."}}

Event Update Score

Updates the score on an existing event by index.

Input

Name                      Description  Type        Required  Syntax
eventIndex                             input       False     False
layer                                  input       False     False
accuracy                               input       False     False
impact                                 input       False     False
benign                                 input       False     False
zeroUpdate                             checkbox    False     False

Output

Name    Description                            Type     always_present  values
result  Returns True when successful.          boolean  True            {"True": {"description": "Successful."}, "False": {"description": "Failure."}}
rc      Returns the exit code for the action.  number   True            {"0": {"description": "Successful."}}

Event Update

Updates a value on an existing event by index.

Input

Name                      Description  Type        Required  Syntax
eventValues                            json-input  False     False
eventIndex                             input       False     False
updateMode                             input       False     False

Output

Name    Description                            Type     always_present  values
result  Returns True when successful.          boolean  True            {"True": {"description": "Successful."}, "False": {"description": "Failure."}}
rc      Returns the exit code for the action.  number   True            {"0": {"description": "Successful."}}

Event Get Correlations

Get a list of correlations based on the provided criteria.

Input

Name                      Description  Type        Required  Syntax
correlationName                        input       False     False
includeInactive                        checkbox    False     False
excludeSingleTypes                     checkbox    False     False
minScore                               input       False     False
idsOnly                                checkbox    False     False
summaryOnly                            checkbox    False     False
multiTypeMultiplier                    input       False     False

Output

Name    Description                            Type     always_present  values
result  Returns True when successful.          boolean  True            {"True": {"description": "Successful."}, "False": {"description": "Failure."}}
rc      Returns the exit code for the action.  number   True            {"0": {"description": "Successful."}}

Event Get Correlation

Get a correlation from a UID string.

Input

Name                      Description  Type        Required  Syntax
correlationID                          input       False     False

Output

Name    Description                            Type     always_present  values
result  Returns True when successful.          boolean  True            {"True": {"description": "Successful."}, "False": {"description": "Failure."}}
rc      Returns the exit code for the action.  number   True            {"0": {"description": "Successful."}}

Event Build Correlations

Builds and updates event correlations.

Input

Name                      Description  Type        Required  Syntax
correlationName                        input       False     False
expiryTime                             input       False     False
oldestEvent                            input       False     False
correlationFields                      json-input  False     False
excludeCorrelationValues               json-input  False     False
alwaysProcessEvents                    checkbox    False     False
ignoreScoreLessThan                    input       False     False

Output

Name    Description                            Type     always_present  values
result  Returns True when successful.          boolean  True            {"True": {"description": "Successful."}, "False": {"description": "Failure."}}
rc      Returns the exit code for the action.  number   True            {"0": {"description": "Successful."}}
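To make the scoring formula and the correlation actions concrete, here is an added Python illustration (not the plugin's own code) of a minimal in-memory event store: raising an event scores it with the page's formula, Build Correlations groups live events on the values of correlationFields with expiryTime/oldestEvent/excludeCorrelationValues/ignoreScoreLessThan applied, and Event Threshold filters the resulting correlations by minScore and excludeSingleTypes. The EventStore class and its method names, the handling of benign = 0, and the meaning of multiTypeMultiplier are assumptions; the plugin's real storage and update modes are not shown.

```python
import time
from collections import defaultdict
def event_score(accuracy, impact, layer, benign):
    # Page formula: score = accuracy * (impact * layer) / benign; benign 0 is taken as 1 (assumption).
    return accuracy * (impact * layer) / (benign or 1)
class EventStore:  # constructed in-memory stand-in for the plugin's own event storage
    def __init__(self):
        self.events = []

    def raise_event(self, eventType, eventSubType, layer, accuracy, impact,
                    benign, eventValues, timeToLive=3600, now=None):
        now = time.time() if now is None else now
        self.events.append({"index": len(self.events), "eventType": eventType,
                            "eventSubType": eventSubType, "time": now,
                            "expires": now + timeToLive,  # timeToLive in seconds
                            "score": event_score(accuracy, impact, layer, benign),
                            "eventValues": dict(eventValues)})
        return len(self.events) - 1  # eventIndex used by the update actions

    def update_score(self, eventIndex, layer, accuracy, impact, benign):
        ev = self.events[eventIndex]
        ev["score"] = event_score(accuracy, impact, layer, benign)
        return ev["score"]

    def build_correlations(self, correlationFields, excludeCorrelationValues=(),
                           ignoreScoreLessThan=0, oldestEvent=0, now=None):
        now = time.time() if now is None else now
        groups = defaultdict(list)
        for ev in self.events:
            if ev["time"] < oldestEvent or ev["expires"] < now or ev["score"] < ignoreScoreLessThan:
                continue  # outside the window, expired, or below the score floor
            key = tuple(ev["eventValues"].get(f) for f in correlationFields)
            if any(v is None or v in excludeCorrelationValues for v in key):
                continue  # missing or explicitly excluded correlation value
            groups[key].append(ev)
        return [{"key": k, "score": sum(e["score"] for e in evs),
                 "types": sorted({e["eventType"] for e in evs}),
                 "events": [e["index"] for e in evs]} for k, evs in groups.items()]

    def threshold(self, correlations, minScore, excludeSingleTypes=False, multiTypeMultiplier=1.0):
        # Assumption: multiTypeMultiplier scales correlations that span more than one event type.
        hits = []
        for c in correlations:
            if excludeSingleTypes and len(c["types"]) < 2:
                continue
            score = c["score"] * (multiTypeMultiplier if len(c["types"]) > 1 else 1)
            if score >= minScore:
                hits.append({**c, "score": score})
        return hits
```

A correlation that only ever contains one event type never passes a threshold with excludeSingleTypes set, which is the usual way to keep a single noisy source from triggering on its own volume.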