[Action Required] Reducing the Noise in Your Events

Effective July 2nd, we will be updating our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:

  • Simplified Investigations: Focus more easily on critical signals by reducing metadata overhead.
  • Stability in Detection Rules: Utilize immutable fields (UUIDs) to improve the reliability of detection rules and automations.
  • Performance Boost: Enhance the performance of event searches and API calls.

Description of Changes

Duplicate Fields

All events currently contain duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the sekoiaio. prefix are already available in events and should be used instead of the legacy fields.

The legacy fields listed in the table below are going to be deleted.

Legacy Field (deleted)      Prefixed Field (kept)
customer.community_uuid     sekoiaio.customer.community_uuid
customer.intake_uuid        sekoiaio.intake.uuid
entity.uuid                 sekoiaio.entity.uuid
event.dialect_uuid          sekoiaio.intake.dialect_uuid
event.dialect               sekoiaio.intake.dialect

Deleted Fields

The following fields will be deleted. The matching UUID fields should be used instead when needed.

Deleted field name                  UUID field to use
customer.community_name             sekoiaio.customer.community_uuid
sekoiaio.customer.community_name    sekoiaio.customer.community_uuid
customer.id                         sekoiaio.customer.community_uuid
sekoiaio.customer.id                sekoiaio.customer.community_uuid
customer.intake_key                 sekoiaio.intake.uuid
sekoiaio.intake.key                 sekoiaio.intake.uuid
customer.intake_name                sekoiaio.intake.uuid
sekoiaio.intake.name                sekoiaio.intake.uuid
entity.id                           sekoiaio.entity.uuid
sekoiaio.entity.id                  sekoiaio.entity.uuid
entity.name                         sekoiaio.entity.uuid
sekoiaio.entity.name                sekoiaio.entity.uuid

Required Actions

To avoid disrupting your security operations, we will automatically update any of your detection rules that currently use one of the fields that will be deleted.

Playbooks will also be updated, but only for fields from the “Duplicate Fields” section.

If you are using impacted fields outside of Sekoia (in scripts, automations, etc.), you will also have to update this logic yourself since it is unknown to us.
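The two tables above describe two different kinds of change, and logic outside the platform has to treat them differently. A duplicate field can be renamed mechanically, because the prefixed field already carries the same value. A deleted name, key or id field cannot: its replacement holds a UUID, so a comparison against a human-readable value only survives if the value is translated as well. The helper below is an added example and not Sekoia code; it assumes a simple `field:value` query syntax and a caller-supplied lookup from (deleted field, old value) to the matching UUID, and it reports every reference it could not translate instead of silently leaving it broken.

```python
import re
from dataclasses import dataclass, field

# Duplicate fields: the prefixed field already holds the same value,
# so a reference can simply be renamed (mapping taken from the notice).
DUPLICATE_FIELDS = {
    "customer.community_uuid": "sekoiaio.customer.community_uuid",
    "customer.intake_uuid": "sekoiaio.intake.uuid",
    "entity.uuid": "sekoiaio.entity.uuid",
    "event.dialect_uuid": "sekoiaio.intake.dialect_uuid",
    "event.dialect": "sekoiaio.intake.dialect",
}

# Deleted fields: the replacement carries a UUID, not the old name/key/id,
# so the compared value must be translated too (mapping from the notice).
DELETED_FIELDS = {
    "customer.community_name": "sekoiaio.customer.community_uuid",
    "sekoiaio.customer.community_name": "sekoiaio.customer.community_uuid",
    "customer.id": "sekoiaio.customer.community_uuid",
    "sekoiaio.customer.id": "sekoiaio.customer.community_uuid",
    "customer.intake_key": "sekoiaio.intake.uuid",
    "sekoiaio.intake.key": "sekoiaio.intake.uuid",
    "customer.intake_name": "sekoiaio.intake.uuid",
    "sekoiaio.intake.name": "sekoiaio.intake.uuid",
    "entity.id": "sekoiaio.entity.uuid",
    "sekoiaio.entity.id": "sekoiaio.entity.uuid",
    "entity.name": "sekoiaio.entity.uuid",
    "sekoiaio.entity.name": "sekoiaio.entity.uuid",
}

# Constructed sample lookup: (deleted field, old literal value) -> UUID.
# In practice this would be built from your own inventory of intakes,
# entities and communities; the UUID here is an obvious placeholder.
SAMPLE_LOOKUP = {
    ("customer.intake_name", "Office 365"): "00000000-0000-4000-8000-000000000001",
}

# Assumed query syntax: `field:value` or `field:"quoted value"`. The
# lookbehind stops a legacy name from matching inside an already-prefixed
# one (e.g. `intake.uuid` inside `sekoiaio.intake.uuid`).
_REF = re.compile(r'(?<![\w.])([A-Za-z_][\w.]*)(\s*:\s*)("[^"]*"|[^\s)]+)')

# Any legacy name, longest first so `event.dialect_uuid` wins over `event.dialect`.
_LEGACY = re.compile(
    r"(?<![\w.])(?:"
    + "|".join(re.escape(n) for n in sorted({*DUPLICATE_FIELDS, *DELETED_FIELDS}, key=len, reverse=True))
    + r")(?![\w.])"
)


@dataclass
class Migration:
    query: str                                   # rewritten query
    unresolved: list = field(default_factory=list)  # (field, value) pairs left untouched


def migrate_query(query: str, lookup: dict) -> Migration:
    """Rewrite legacy field references in a `field:value` query."""
    unresolved = []

    def _sub(m):
        name, sep, raw = m.group(1), m.group(2), m.group(3)
        if name in DUPLICATE_FIELDS:
            # Same value under the new name: rename only.
            return DUPLICATE_FIELDS[name] + sep + raw
        if name in DELETED_FIELDS:
            quoted = raw.startswith('"')
            value = raw.strip('"')
            uuid = lookup.get((name, value))
            if uuid is None:
                # No translation known: keep the original and flag it.
                unresolved.append((name, value))
                return m.group(0)
            new_value = f'"{uuid}"' if quoted else uuid
            return DELETED_FIELDS[name] + sep + new_value
        return m.group(0)

    return Migration(_REF.sub(_sub, query), unresolved)


def find_legacy_references(text: str) -> list:
    """List every legacy field name mentioned in free text such as a script."""
    return sorted(set(_LEGACY.findall(text)))


if __name__ == "__main__":
    # Constructed sample query and script snippet for demonstration.
    q = 'customer.intake_name:"Office 365" AND entity.name:lab AND event.dialect:okta'
    result = migrate_query(q, SAMPLE_LOOKUP)
    print(result.query)
    print("unresolved:", result.unresolved)
    print(find_legacy_references('alert = ev["customer.community_name"]; uid = ev["sekoiaio.customer.community_uuid"]'))
```

Run `find_legacy_references` over scripts and automation definitions first to get an inventory, then feed `migrate_query` a lookup built from your own records; anything in `unresolved` needs a manual decision before July 2nd, since after that date the old field will simply be absent from events and the comparison will never match.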

Where can I review the changes that will be applied?

Once authenticated on the platform, you can click on the following links to list the changes for your workspace:

FRA1 (main region): Rule Changes / Playbook Changes

FRA2: Rule Changes / Playbook Changes

MCO1: Rule Changes / Playbook Changes

UAE1: Rule Changes / Playbook Changes

Are there known limitations to the automated migration?

  • The migration will automatically apply changes to impacted rules. If you are using one of the deleted fields in the definition of an anomaly detection rule, the migration will trigger a recompilation of the rule. This means you will no longer be able to access parts of the rule history (such as past anomalies and predictions). The detection logic will still work as expected.

  • Rules that require changes will be reformatted automatically; any comments in those rules will be lost.

Planning

2024-06-18: The reference fields are available in events and the links to review changes are available

2024-06-26: Automated migration is applied, changes can no longer be reviewed

2024-07-02: Legacy fields are no longer added to events

If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.
