[Action Required] Reducing the Noise in Your Events

Effective July 2nd, we will be updating our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:

- **Simplified Investigations:** Focus more easily on critical signals by reducing metadata overhead.
- **Stability in Detection Rules:** Utilize immutable fields (UUIDs) to improve the reliability of detection rules and automations.
- **Performance Boost:** Enhance the performance of event searches and API calls.

## Description of Changes

### Duplicate Fields

All events currently contain duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the `sekoiaio.` prefix are already available in events and should be used instead of the legacy fields. The legacy fields listed in the table below are going to be deleted.

| Legacy Field (deleted) | Prefixed Field (kept) |
| --- | --- |
| customer.community_uuid | sekoiaio.customer.community_uuid |
| customer.intake_uuid | sekoiaio.intake.uuid |
| entity.uuid | sekoiaio.entity.uuid |
| event.dialect_uuid | sekoiaio.intake.dialect_uuid |
| event.dialect | sekoiaio.intake.dialect |

### Deleted Fields

The following fields will be deleted. The matching UUID fields should be used instead when needed.

| Deleted field name | UUID field to use |
| --- | --- |
| customer.community_name | sekoiaio.customer.community_uuid |
| sekoiaio.customer.community_name | sekoiaio.customer.community_uuid |
| customer.id | sekoiaio.customer.community_uuid |
| sekoiaio.customer.id | sekoiaio.customer.community_uuid |
| customer.intake_key | sekoiaio.intake.uuid |
| sekoiaio.intake.key | sekoiaio.intake.uuid |
| customer.intake_name | sekoiaio.intake.uuid |
| sekoiaio.intake.name | sekoiaio.intake.uuid |
| entity.id | sekoiaio.entity.uuid |
| sekoiaio.entity.id | sekoiaio.entity.uuid |
| entity.name | sekoiaio.entity.uuid |
| sekoiaio.entity.name | sekoiaio.entity.uuid |

## Required Actions

In order to avoid disruption of your cyber-security operations, we will be automatically updating your detection rules that are currently using one of the fields that will be deleted. Playbooks will also be updated, **but only for fields from the “Duplicate Fields” section**.

**If you are using impacted fields outside of Sekoia (in scripts, automations, etc.), you will also have to update this logic yourself since it is unknown to us.**

### Where can I review the changes that will be applied?
Once authenticated on the platform, you can click on the following links to list the changes for your workspace:

- FRA1 (main region): [Rule Changes](https://app.sekoia.io/api/v1/sic/conf/changes/202406-1) / [Playbook Changes](https://app.sekoia.io/api/v1/symphony/changes/202406-1)
- FRA2: [Rule Changes](https://fra2.app.sekoia.io/api/v1/sic/conf/changes/202406-1) / [Playbook Changes](https://fra2.app.sekoia.io/api/v1/symphony/changes/202406-1)
- MCO1: [Rule Changes](https://mco1.app.sekoia.io/api/v1/sic/conf/changes/202406-1) / [Playbook Changes](https://mco1.app.sekoia.io/api/v1/symphony/changes/202406-1)
- UAE1: [Rule Changes](https://app.uae1.sekoia.io/api/v1/sic/conf/changes/202406-1) / [Playbook Changes](https://app.uae1.sekoia.io/api/v1/symphony/changes/202406-1)

### Are there known limitations to the automated migration?

* The migration will automatically apply changes to impacted rules. If you are using one of the deleted fields in the definition of an anomaly detection rule, the migration will trigger a recompilation of the rule. This means you will no longer be able to access parts of the rule history (such as past anomalies and predictions). The detection logic will still work as expected.
* Rules that require changes will be reformatted automatically, and their comments will be lost.

## Planning

- **2024-06-18**: The reference fields are available in events and the links to review changes are available
- **2024-06-26**: Automated migration is applied, changes can no longer be reviewed
- **2024-07-02**: Legacy fields are no longer added to events

If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.
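For field references that live outside Sekoia (the scripts and automations mentioned under Required Actions), the following added example, which is not Sekoia tooling, scans text for the fields listed in the two tables above. It rewrites the "Duplicate Fields" renames and only reports "Deleted Fields" hits, on the assumption that a value compared against a name, id or key cannot be reused as-is against a UUID field; `audit` and the sample script are hypothetical.

```python
import re

# "Duplicate Fields" table: same value under a new name, so a rewrite is safe.
RENAMED = {
    "customer.community_uuid": "sekoiaio.customer.community_uuid",
    "customer.intake_uuid": "sekoiaio.intake.uuid",
    "entity.uuid": "sekoiaio.entity.uuid",
    "event.dialect_uuid": "sekoiaio.intake.dialect_uuid",
    "event.dialect": "sekoiaio.intake.dialect",
}
# "Deleted Fields" table, grouped by the UUID field to use instead. Assumption:
# the compared value must be changed by hand, so these are reported only.
DELETED = {
    "sekoiaio.customer.community_uuid": [
        "customer.community_name", "sekoiaio.customer.community_name",
        "customer.id", "sekoiaio.customer.id"],
    "sekoiaio.intake.uuid": [
        "customer.intake_key", "sekoiaio.intake.key",
        "customer.intake_name", "sekoiaio.intake.name"],
    "sekoiaio.entity.uuid": [
        "entity.id", "sekoiaio.entity.id",
        "entity.name", "sekoiaio.entity.name"],
}
REPLACEMENT = {**RENAMED, **{old: new for new, olds in DELETED.items() for old in olds}}

# Match whole dotted field names only: "entity.uuid" must not fire inside the
# kept "sekoiaio.entity.uuid", nor "event.dialect" inside "event.dialect_uuid".
FIELD_RE = re.compile(
    r"(?<![\w.])(?:" + "|".join(map(re.escape, REPLACEMENT)) + r")(?!\w|\.\w)")

def audit(text):
    """Return (rewritten_text, findings); findings are (line, field, use, action)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in FIELD_RE.finditer(line):
            action = "rename" if m.group(0) in RENAMED else "manual"
            findings.append((no, m.group(0), REPLACEMENT[m.group(0)], action))
    rewritten = FIELD_RE.sub(lambda m: RENAMED.get(m.group(0), m.group(0)), text)
    return rewritten, findings

# Constructed sample standing in for an external script that queries events.
SAMPLE = '''query = 'customer.intake_uuid:"<intake-uuid>" AND entity.name:"HQ"'
kept = event["sekoiaio.entity.uuid"]
dialect = event["event.dialect"]
'''

if __name__ == "__main__":
    for no, field, use, action in audit(SAMPLE)[1]:
        print(f"line {no}: {field} -> {use} [{action}]")
```

Only dotted field names are matched; code that reaches the same data through nested keys needs a separate review.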