{
"_index": ".ds-logs-sentinel_one.alert-default-2025.08.06-000001",
"_id": "/6wVG2wxR/3CXRxk3GK0aN+hxL8=",
"_score": 1,
"_source": {
"@timestamp": "2025-08-07T09:07:24.810Z",
"agent": {
"ephemeral_id": "6fdcbedd-e735-4681-885b-0fc468a0248a",
"id": "MmQ1ZDk4ZDgtNzMxMC0xMWYwLWJiZWItMDJlN2NhZmQ5NjM1",
"name": "agentless-cdc5ec8d-4380-4aac-9319-cfd2e4af752d-6758fbbf7f-lss27",
"type": "filebeat",
"version": "9.2.0"
},
"data_stream": {
"dataset": "sentinel_one.alert",
"namespace": "default",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "MmQ1ZDk4ZDgtNzMxMC0xMWYwLWJiZWItMDJlN2NhZmQ5NjM1",
"snapshot": true,
"version": "9.2.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2025-08-07T09:07:28.049Z",
"dataset": "sentinel_one.alert",
"id": "2276071318271429894",
"ingested": "2025-08-07T09:07:37Z",
"kind": "event",
"severity": 99,
"type": [
"info"
]
},
"file": {
"created": "1970-01-01T00:00:00.000Z",
"mtime": "1970-01-01T00:00:00.000Z"
},
"host": {
"id": "2097738178340462650",
"name": "ip-172-31-91-187",
"os": {
"family": "linux",
"name": "Linux",
"type": "linux",
"version": "Ubuntu 24.04.1 LTS 6.8.0-1031-aws"
},
"type": "server"
},
"input": {
"type": "httpjson"
},
"message": "Test6",
"observer": {
"serial_number": "0df1d701-1ff1-96c7-12e4-0be8ffa8d628",
"version": "23.3.2.12"
},
"process": {
"command_line": "su",
"entity_id": "59c3051a-ce76-9354-136c-bad5d1f9e0fd",
"executable": "/usr/bin/su",
"hash": {
"sha1": "9912c33e76476defd289c93952250dff4e583c88"
},
"name": "su",
"parent": {
"command_line": "sudo su",
"entity_id": "59c30518-595d-cda2-51ef-6e5466fcad9c",
"executable": "/usr/bin/sudo",
"hash": {
"sha1": "8f860202c9089989e5b7356bc99e9e3460c41d12"
},
"name": "sudo",
"pid": 1308,
"start": "2025-08-07T09:05:11.320Z",
"user": {
"name": "Effective: root, Real: ubuntu, Login: ubuntu"
}
},
"pid": 1309,
"start": "2025-08-07T09:05:11.320Z",
"user": {
"name": "Effective: root, Real: root, Login: ubuntu"
}
},
"related": {
"hash": [
"8f860202c9089989e5b7356bc99e9e3460c41d12",
"9912c33e76476defd289c93952250dff4e583c88"
],
"hosts": [
"ip-172-31-91-187"
]
},
"rule": {
"description": "sudo su",
"id": "1950744398317815020",
"name": "Test6"
},
"sentinel_one": {
"alert": {
"agent": {
"computer_name": "ip-172-31-91-187",
"id": "2097738178340462650",
"infected": true,
"is_active": true,
"is_decommissioned": false,
"machine_type": "server",
"os": {
"type": "linux"
},
"site_id": "1392053568582758390"
},
"analyst_verdict": "Undefined",
"dv_event": {
"id": "01K21WH65PYQ74CXT34TGM1YNX_67"
},
"info": {
"event_type": "PROCESSCREATION",
"hit": {
"type": "Events"
},
"reported_at": "2025-08-07T09:07:24.817Z",
"source": "STAR",
"status": "Unresolved",
"updated_at": "2025-08-07T09:07:24.817Z"
},
"process": {
"integrity_level": "unknown",
"parent": {
"integrity_level": "unknown",
"storyline": "59c18934-a605-29e0-9f47-402071e2ebf2",
"subsystem": "unknown"
},
"storyline": "59c18934-a605-29e0-9f47-402071e2ebf2",
"subsystem": "unknown"
},
"rule": {
"scope_level": "site",
"severity": "Critical",
"treat_as_threat": "Suspicious"
},
"target": {
"process": {
"proc": {
"cmdline": "bash",
"image_path": "/bin/bash",
"integrity_level": "unknown",
"name": "bash",
"pid": 1310,
"signed_status": "unsigned",
"storyline_id": "59c18934-a605-29e0-9f47-402071e2ebf2",
"uid": "59c30525-903d-2ad4-4cb0-76d4b871f9c6"
},
"start_time": "2025-08-07T09:05:11.330Z"
}
}
}
},
"tags": [
"forwarded",
"sentinel_one-alert"
]
}
},
This is an enhancement request for adding the ability to generate alerts that will show up when running the AI4SOC product tier. Here are a couple of sample alerts that @pborgonovi shared with me from two of the supported integrations.
Splunk Alert
{ "_index": ".ds-logs-splunk.alert-default-2025.08.06-000001", "_id": "9OaVf0pi2iiaNVou2OoPyqU9u4M=", "_score": 1, "_source": { "@timestamp": "2025-08-06T22:45:20.000Z", "agent": { "ephemeral_id": "03b5b12c-bdc1-4771-995a-e661b2fce477", "id": "971b8243-30b3-48b5-ad95-c64b40daf24f", "name": "elastic-agent-17375", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "splunk.alert", "namespace": "default", "type": "logs" }, "destination": { "ip": [ "10.0.0.5" ] }, "ecs": { "version": "8.17.0" }, "elastic_agent": { "id": "971b8243-30b3-48b5-ad95-c64b40daf24f", "snapshot": true, "version": "8.18.0" }, "event": { "agent_id_status": "auth_metadata_missing", "dataset": "splunk.alert", "ingested": "2025-08-06T22:17:00Z", "kind": "alert", "original": """{"search_name": "Suspicious File Access", "app": "windows-sysmon", "ip": "10.0.0.5", "src": "203.0.113.46", "orig_tag": ["file", "access"], "user_count": "1", "unique_id": "0641769e-2864-4953-bf3a-996216e5936d"}""", "severity": 73, "severity_label": "high", "type": [ "info" ] }, "file": { "hash": { "sha256": "8278d01dcaf547ad8318978813e227f0" }, "path": """C:\Temp\data.zip""" }, "host": { "geo": { "city_name": "New York", "continent_name": "North America", "country_iso_code": "US", "country_name": "United States", "location": { "lat": 40.712799984030426, "lon": -74.00600004941225 }, "region_iso_code": "US-NY", "region_name": "New York" }, "ip": [ "10.0.0.5" ], "name": "host-dc-01" }, "input": { "type": "cel" }, "related": { "hosts": [ "host-dc-01" ], "ip": [ "203.0.113.46", "10.0.0.5" ] }, "rule": { "name": "Suspicious File Access" }, "source": { "address": "203.0.113.46", "as": { "number": 15169, "organization": { "name": "Google LLC" } }, "geo": { "city_name": "New York", "continent_name": "North America", "country_iso_code": "US", "country_name": "United States", "location": { "lat": 40.712799984030426, "lon": -74.00600004941225 }, "region_iso_code": "US-NY", "region_name": "New York" }, "ip": [ 
"203.0.113.46" ] }, "splunk": { "alert": { "app": "windows-sysmon", "orig_tag": [ "file", "access" ], "search_name": "Suspicious File Access", "unique_id": "0641769e-2864-4953-bf3a-996216e5936d", "user_count": 1 } }, "tags": [ "preserve_original_event", "forwarded", "splunk-alert" ], "user": { "name": "bob" } } },
Sentinel One Alert
{ "_index": ".ds-logs-sentinel_one.alert-default-2025.08.06-000001", "_id": "/6wVG2wxR/3CXRxk3GK0aN+hxL8=", "_score": 1, "_source": { "@timestamp": "2025-08-07T09:07:24.810Z", "agent": { "ephemeral_id": "6fdcbedd-e735-4681-885b-0fc468a0248a", "id": "MmQ1ZDk4ZDgtNzMxMC0xMWYwLWJiZWItMDJlN2NhZmQ5NjM1", "name": "agentless-cdc5ec8d-4380-4aac-9319-cfd2e4af752d-6758fbbf7f-lss27", "type": "filebeat", "version": "9.2.0" }, "data_stream": { "dataset": "sentinel_one.alert", "namespace": "default", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "MmQ1ZDk4ZDgtNzMxMC0xMWYwLWJiZWItMDJlN2NhZmQ5NjM1", "snapshot": true, "version": "9.2.0" }, "event": { "agent_id_status": "verified", "category": [ "malware" ], "created": "2025-08-07T09:07:28.049Z", "dataset": "sentinel_one.alert", "id": "2276071318271429894", "ingested": "2025-08-07T09:07:37Z", "kind": "event", "severity": 99, "type": [ "info" ] }, "file": { "created": "1970-01-01T00:00:00.000Z", "mtime": "1970-01-01T00:00:00.000Z" }, "host": { "id": "2097738178340462650", "name": "ip-172-31-91-187", "os": { "family": "linux", "name": "Linux", "type": "linux", "version": "Ubuntu 24.04.1 LTS 6.8.0-1031-aws" }, "type": "server" }, "input": { "type": "httpjson" }, "message": "Test6", "observer": { "serial_number": "0df1d701-1ff1-96c7-12e4-0be8ffa8d628", "version": "23.3.2.12" }, "process": { "command_line": "su", "entity_id": "59c3051a-ce76-9354-136c-bad5d1f9e0fd", "executable": "/usr/bin/su", "hash": { "sha1": "9912c33e76476defd289c93952250dff4e583c88" }, "name": "su", "parent": { "command_line": "sudo su", "entity_id": "59c30518-595d-cda2-51ef-6e5466fcad9c", "executable": "/usr/bin/sudo", "hash": { "sha1": "8f860202c9089989e5b7356bc99e9e3460c41d12" }, "name": "sudo", "pid": 1308, "start": "2025-08-07T09:05:11.320Z", "user": { "name": "Effective: root, Real: ubuntu, Login: ubuntu" } }, "pid": 1309, "start": "2025-08-07T09:05:11.320Z", "user": { "name": "Effective: root, Real: root, Login: ubuntu" } }, 
"related": { "hash": [ "8f860202c9089989e5b7356bc99e9e3460c41d12", "9912c33e76476defd289c93952250dff4e583c88" ], "hosts": [ "ip-172-31-91-187" ] }, "rule": { "description": "sudo su", "id": "1950744398317815020", "name": "Test6" }, "sentinel_one": { "alert": { "agent": { "computer_name": "ip-172-31-91-187", "id": "2097738178340462650", "infected": true, "is_active": true, "is_decommissioned": false, "machine_type": "server", "os": { "type": "linux" }, "site_id": "1392053568582758390" }, "analyst_verdict": "Undefined", "dv_event": { "id": "01K21WH65PYQ74CXT34TGM1YNX_67" }, "info": { "event_type": "PROCESSCREATION", "hit": { "type": "Events" }, "reported_at": "2025-08-07T09:07:24.817Z", "source": "STAR", "status": "Unresolved", "updated_at": "2025-08-07T09:07:24.817Z" }, "process": { "integrity_level": "unknown", "parent": { "integrity_level": "unknown", "storyline": "59c18934-a605-29e0-9f47-402071e2ebf2", "subsystem": "unknown" }, "storyline": "59c18934-a605-29e0-9f47-402071e2ebf2", "subsystem": "unknown" }, "rule": { "scope_level": "site", "severity": "Critical", "treat_as_threat": "Suspicious" }, "target": { "process": { "proc": { "cmdline": "bash", "image_path": "/bin/bash", "integrity_level": "unknown", "name": "bash", "pid": 1310, "signed_status": "unsigned", "storyline_id": "59c18934-a605-29e0-9f47-402071e2ebf2", "uid": "59c30525-903d-2ad4-4cb0-76d4b871f9c6" }, "start_time": "2025-08-07T09:05:11.330Z" } } } }, "tags": [ "forwarded", "sentinel_one-alert" ] } },
Google SecOps
{ "_index": ".ds-logs-google_secops.alert-default-2025.08.06-000001", "_id": "AZiBfdgNX7Ai-5AC0w-T", "_score": 1, "_source": { "@timestamp": "2025-08-06T22:53:31.000Z", "agent": { "ephemeral_id": "03b5b12c-bdc1-4771-995a-e661b2fce477", "id": "971b8243-30b3-48b5-ad95-c64b40daf24f", "name": "elastic-agent-17375", "type": "filebeat", "version": "8.18.0" }, "data_stream": { "dataset": "google_secops.alert", "namespace": "default", "type": "logs" }, "destination": { "ip": [ "10.0.0.5" ] }, "ecs": { "version": "8.17.0" }, "elastic_agent": { "id": "971b8243-30b3-48b5-ad95-c64b40daf24f", "snapshot": true, "version": "8.18.0" }, "event": { "agent_id_status": "auth_metadata_missing", "dataset": "google_secops.alert", "ingested": "2025-08-06T22:25:10Z", "kind": "alert", "risk_score": 73, "severity": 73, "type": [ "info" ] }, "file": { "hash": { "sha256": "abeae8aa644e42c49f8bce7cd862f6ec" }, "path": """C:\Windows\System32\secret.txt""" }, "google_secops": { "alert": { "event": { "metadata": { "eventTimestamp": "2025-08-06T22:53:31.000Z", "ingestedTimestamp": "2025-08-06T22:24:43.000Z" }, "securityResult": [ { "severity": "HIGH" } ] }, "friendly_name": "Suspicious File Access" } }, "host": { "geo": { "city_name": "New York", "continent_name": "North America", "country_iso_code": "US", "country_name": "United States", "region_iso_code": "US-NY", "region_name": "New York" }, "ip": [ "10.0.0.5" ], "name": "host-fileserver" }, "input": { "type": "cel" }, "message": "Suspicious file access detected on 10.0.0.5", "observer": { "product": "SimSec", "vendor": "Elastic" }, "related": { "ip": [ "203.0.113.45", "10.0.0.5" ] }, "rule": { "description": "Suspicious file access detected on 10.0.0.5", "id": "r-cb0401b0-c95e-46c3-8c2a-fe52addf1a38", "name": "Suspicious File Access", "version": "1.0" }, "source": { "address": "203.0.113.45", "as": { "number": 15169, "organization": { "name": "Google LLC" } }, "geo": { "city_name": "Mountain View", "continent_name": "North America", 
"country_iso_code": "US", "country_name": "United States", "location": { "lat": 37.38609998021275, "lon": -122.08390002138913 }, "region_iso_code": "US-CA", "region_name": "California" }, "ip": [ "203.0.113.45" ] }, "tags": [ "forwarded", "google-secops-alert" ], "user": { "name": "bob" } } },