@@ -182,15 +182,18 @@ def callback_slack_webhook(detection_batch: DetectionBatch):
182182 for detection in detections :
183183 # detection["detection"] is always a list that has one element.
184184 meta = detection ["detection" ][0 ]
185- detection_metadatas .append (
186- tuple ((meta ["ruleName" ], meta ["ruleId" ], meta ["ruleVersion" ])))
185+ # ruleVersion is only populated for RULE_DETECTION type detections.
186+ rule_info = tuple ((meta ["ruleName" ], meta ["ruleId" ], meta ["ruleVersion" ]
187+ )) if detection ["type" ] == "RULE_DETECTION" else tuple (
188+ (meta ["ruleName" ], meta ["ruleId" ]))
189+ detection_metadatas .append (rule_info )
187190
188191 for detection_metadata , count in collections .Counter (
189192 detection_metadatas ).items ():
190- report_lines . append (
191- f" \t { count } detections from Rule ` { detection_metadata [ 0 ] } `" +
192- f" (Rule ID `{ detection_metadata [1 ]} `," +
193- f" Version ID ` { detection_metadata [ 2 ] } `)" )
193+ line = f" \t { count } detections from Rule ` { detection_metadata [ 0 ] } `" + f" (Rule ID ` { detection_metadata [ 1 ] } `,"
194+ if len ( detection_metadata ) >= 3 :
195+ line = line + f" Version ID `{ detection_metadata [2 ]} `)"
196+ report_lines . append ( line )
194197
195198 if batch_size > MAX_BATCH_SIZE_TO_REPORT_IN_DETAIL :
196199 # Avoid flooding our output channels.
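Review bot: For detections that are not RULE_DETECTION the summary line built on the new lines 193–196 is left unterminated: the fixed prefix ends with a trailing comma after the Rule ID, and the closing parenthesis is only appended inside the `if len(detection_metadata) >= 3:` branch, so a two-element tuple produces a line that ends in a dangling comma with no `)`. Move the separator into the version branch and append the closing parenthesis unconditionally so both shapes are balanced. Separately, the `tuple((...))` wrapping in the `rule_info` conditional is redundant (a parenthesised literal is already a tuple), and the branch indexes `detection["type"]` directly, which raises KeyError for any detection without that key — if such records can appear, `detection.get("type")` keeps the two-field fallback there. The enclosing `for detection in detections` loop and the body of callback_slack_webhook both begin before this hunk.
```python
for detection_metadata, count in collections.Counter(detection_metadatas).items():
    line = (f"\t{count} detections from Rule `{detection_metadata[0]}`"
            f" (Rule ID `{detection_metadata[1]}`")
    if len(detection_metadata) >= 3:
        line += f", Version ID `{detection_metadata[2]}`"
    report_lines.append(line + ")")
# … unchanged: batch-size check and detailed report …
```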
@@ -207,8 +210,8 @@ def callback_slack_webhook(detection_batch: DetectionBatch):
207210 for idx , detection in enumerate (detections ):
208211 report_lines .append (f"{ idx } )" )
209212
210- # This for loop includes rule name, rule ID, version ID ,
211- # rule type, and fields.
213+ # This for loop includes rule name, rule ID, rule type, rule version ,
214+ # rule set and other fields.
212215 for meta_key , meta_value in detection ["detection" ][0 ].items ():
213216 report_lines .append (f"\t { meta_key } : { meta_value } " )
214217 report_lines .append (f"\t Time Window: { detection ['timeWindow' ]} " )
@@ -298,7 +301,7 @@ def stream_detection_alerts(
298301 The contents of a detection follow this format:
299302 {
300303 "id": "de_<UUID>",
301- "type": "RULE_DETECTION",
304+ "type": "RULE_DETECTION"/"GCTI_FINDING" ,
302305 "createdTime": "yyyy-mm-ddThh:mm:ssZ",
303306 "detectionTime": "yyyy-mm-ddThh:mm:ssZ",
304307 "timeWindow": {
@@ -323,8 +326,9 @@ def stream_detection_alerts(
323326 ],
324327 "detection": [ <-- this is always a list that has one element.
325328 {
326- "ruleId": "ru_<UUID>",
329+ "ruleId": "ru_<UUID>"/"ur_ruleID" ,
327330 "ruleName": "<rule_name>",
331+ // ruleVersion is only populated for RULE_DETECTION type detections.
328332 "ruleVersion": "ru_<UUID>@v_<seconds>_<nanoseconds>",
329333 "urlBackToProduct": "<URL>",
330334 "alertState": "ALERTING"/"NOT_ALERTING",
@@ -334,9 +338,20 @@ def stream_detection_alerts(
334338 "key": "<field name>",
335339 "value": "<field value>"
336340 }
337- ]
341+ ],
342+ // Following fields are only populated for "GCTI_FINDING" type
343+ // detections.
344+ "summary": "Rule Detection",
345+ "ruleSet": "<rule set ID>",
346+ "ruleSetDisplayName": "<rule set display name>",
347+ "description": "<rule description>",
348+ "severity": "INFORMATIONAL"/"LOW"/"HIGH"
338349 },
339350 ],
351+ // Following fields are only populated for "GCTI_FINDING" type
352+ // detections.
353+ "lastUpdatedTime": "yyyy-mm-ddThh:mm:ssZ",
354+ "tags": ["<tag1>", "<tag2>", ...]
340355 }
341356
342357 Args: