Merged
Conversation
…on scenarios (natesmalley#70)
- Added CorrelationRunRequest model with trace_id, tag_phase, and tag_trace fields for correlation scenario execution
- Implemented /correlation/run endpoint to execute scenarios with SIEM context and trace ID tagging
- Updated start_correlation_scenario() and _execute_correlation_scenario() to accept and pass trace_id via S1_TRACE_ID environment variable
- Added tag_phase and tag_trace boolean flags with S1_TAG
…r email correlation
- Added user.email_addr field to M365 email interaction events (MailItemsAccessed, FileDownloaded, FileAccessed) using VICTIM_PROFILE['email']
- Updated microsoft_365_collaboration parser to copy unmapped.user.email_addr to user.email_addr for OCSF actor.user.email_addr mapping
- Enables correlation of M365 collaboration events with email security events via actor email address
…tems analysis
- Added object_id field to MailItemsAccessed, FileDownloaded, and FileAccessed events with contextual paths (/Inbox/, /Attachments/, /Documents/)
- Enables mail items analysis and tracking of malicious attachment flow through M365 collaboration events
- Maps to OCSF object_id field for consistent object identification across email interaction phases
…xecution paths
- Added overwrite_parser boolean field to GeneratorExecuteRequest, ScenarioExecuteRequest, CorrelationRunRequest, ParserSyncRequest, and SingleParserSyncRequest models
- Updated parser sync service to skip existence check when overwrite=True, allowing parser updates instead of skipping existing parsers
- Added JARVIS_OVERWRITE_PARSER environment variable support in hec_sender for generator-level parser overwrite control
…E_UID placeholder
- Replaced hardcoded resource UIDs (helios-asset-001, res-001, jeanluc@starfleet.com) with DYNAMIC_RESOURCE_UID placeholder across all alert templates
- Enables dynamic resource UID injection during alert generation for correlation scenarios
- Updated 50+ O365 alert templates and default/advanced sample alerts to use consistent placeholder format
…o scenario
- Updated data exfiltration alert offset from 20 to 25 minutes with clarifying comment (after last document download at base+24:30)
- Updated RDP download alert offset from 25 to 35 minutes with clarifying comment (after RDP file download event at base+25)
- Changed RDP alert title from "Apollo Ransomware - RDP Files Downloaded" to "OneDrive RDP Files Downloaded" for consistency
…chine asset correlation
- Added 4 new WEL alert mappings: hidden scheduled tasks (bridge/enterprise), brute force success (enterprise), and AD admin group creation (enterprise)
- Implemented target_machine field in alert mappings to specify which machine (email/bridge/enterprise) each alert correlates to
- Updated alert resource UID logic to use separate XDR asset IDs for bridge (xdr_asset_id_bridge) and enterprise (xdr_asset_
Adding asset id discovery service for correlated alerts
feat: Add WEL alerts for Bridge and Enterprise machines with multi-ma…
Fix alerts going to site
WEL alerts send directly
Asset discovery and alerts correlate to asset database.
Remove the need for users to put in star rules. Alerts are sent specifically and map to star rules.
Parsers overwrite logic