Reducing the noise in your events

Today, we updated our data model by removing certain metadata fields from all events. These changes are designed to enhance your experience in the following ways:

  • Simplified Investigations: Focus more easily on critical signals by reducing metadata overhead.
  • Stability in Detection Rules: Utilize immutable fields (UUIDs) to improve the reliability of detection rules and automations.
  • Performance Boost: Enhance the performance of event searches and API calls.

In order to avoid disruption of your cyber-security operations, we automatically updated your detection rules that were impacted. Playbooks were also updated, but only for fields in the "Duplicate Fields" section.

If you are still using impacted fields outside of Sekoia (in scripts, automations, etc.), you also have to update this logic yourself.

The change is effective on FRA1 (our main region) and will be rolled out to all regions in the coming days.

Description of Changes

Duplicate Fields

All events contained duplicated values for the UUIDs of the community, the entity, the intake, and the intake format. The fields using the sekoiaio. prefix are already available in events and should be used instead of the legacy fields.

The legacy fields listed in the table below are no longer available.

Legacy Field (deleted)     Prefixed Field (kept)
----------------------     --------------------------------
customer.community_uuid    sekoiaio.customer.community_uuid
customer.intake_uuid       sekoiaio.intake.uuid
entity.uuid                sekoiaio.entity.uuid
event.dialect_uuid         sekoiaio.intake.dialect_uuid
event.dialect              sekoiaio.intake.dialect

Deleted Fields

The following fields are no longer available in events. The matching UUID fields should be used instead when needed.

Deleted field name                 UUID field to use
------------------                 --------------------------------
customer.community_name            sekoiaio.customer.community_uuid
sekoiaio.customer.community_name   sekoiaio.customer.community_uuid
customer.id                        sekoiaio.customer.community_uuid
sekoiaio.customer.id               sekoiaio.customer.community_uuid
customer.intake_key                sekoiaio.intake.uuid
sekoiaio.intake.key                sekoiaio.intake.uuid
customer.intake_name               sekoiaio.intake.uuid
sekoiaio.intake.name               sekoiaio.intake.uuid
entity.id                          sekoiaio.entity.uuid
sekoiaio.entity.id                 sekoiaio.entity.uuid
entity.name                        sekoiaio.entity.uuid
sekoiaio.entity.name               sekoiaio.entity.uuid
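The two tables above describe two different kinds of change, and a migration of your own scripts and automations should treat them differently: a duplicate field can be renamed mechanically because the prefixed field carries the same UUID value, whereas a deleted field (a name, key or numeric id) has no value-compatible replacement, so a comparison such as an intake name test must be rewritten by hand against the corresponding UUID. The following helper is an added example, not Sekoia's own tooling; it applies the two tables from this changelog to a rule or script body, renames duplicate fields, and reports deleted fields with the UUID field to use. The sample rule text and UUID values are constructed, and the query syntax is only illustrative.

```python
"""Migrate legacy Sekoia.io event-field references in a rule or script body.

Added example (not Sekoia's own code). The two mappings come from the
changelog tables; the sample rule text below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Duplicate fields: legacy name -> prefixed field holding the same UUID value.
# Safe to rewrite mechanically.
DUPLICATE_FIELDS = {
    "customer.community_uuid": "sekoiaio.customer.community_uuid",
    "customer.intake_uuid": "sekoiaio.intake.uuid",
    "entity.uuid": "sekoiaio.entity.uuid",
    "event.dialect_uuid": "sekoiaio.intake.dialect_uuid",
    "event.dialect": "sekoiaio.intake.dialect",
}

# Deleted fields: the replacement is a UUID field, so a rule that compared the
# old field against a name, key or id must also change the compared value.
# These are reported for manual review, never rewritten blindly.
DELETED_FIELDS = {
    "customer.community_name": "sekoiaio.customer.community_uuid",
    "sekoiaio.customer.community_name": "sekoiaio.customer.community_uuid",
    "customer.id": "sekoiaio.customer.community_uuid",
    "sekoiaio.customer.id": "sekoiaio.customer.community_uuid",
    "customer.intake_key": "sekoiaio.intake.uuid",
    "sekoiaio.intake.key": "sekoiaio.intake.uuid",
    "customer.intake_name": "sekoiaio.intake.uuid",
    "sekoiaio.intake.name": "sekoiaio.intake.uuid",
    "entity.id": "sekoiaio.entity.uuid",
    "sekoiaio.entity.id": "sekoiaio.entity.uuid",
    "entity.name": "sekoiaio.entity.uuid",
    "sekoiaio.entity.name": "sekoiaio.entity.uuid",
}


def _field_pattern(name: str) -> re.Pattern[str]:
    # A field reference is the dotted name with no identifier character or dot
    # on either side. This keeps "customer.community_uuid" from matching inside
    # "sekoiaio.customer.community_uuid" (which would otherwise be prefixed
    # twice) and "event.dialect" from matching inside "event.dialect_uuid".
    return re.compile(r"(?<![\w.])" + re.escape(name) + r"(?![\w.])")


@dataclass
class MigrationResult:
    text: str
    renamed: dict[str, int] = field(default_factory=dict)  # legacy -> count
    # (line number, deleted field, UUID field to use instead)
    needs_review: list[tuple[int, str, str]] = field(default_factory=list)


def migrate_text(text: str) -> MigrationResult:
    """Rename duplicate fields and flag deleted fields in a rule/script body."""
    result = MigrationResult(text=text)
    # Flag deleted fields on the original text so line numbers stay accurate.
    for lineno, line in enumerate(text.splitlines(), 1):
        for old, new in DELETED_FIELDS.items():
            if _field_pattern(old).search(line):
                result.needs_review.append((lineno, old, new))
    # Rewrite duplicate fields; the pattern guard makes this idempotent, so
    # running the migration twice does not corrupt already-migrated rules.
    for old, new in DUPLICATE_FIELDS.items():
        result.text, count = _field_pattern(old).subn(new, result.text)
        if count:
            result.renamed[old] = count
    return result


# Constructed sample rule body; the UUIDs and values are placeholders.
SAMPLE_RULE = """\
# constructed sample rule, not a real Sekoia detection
customer.intake_uuid:"00000000-0000-0000-0000-000000000001"
AND entity.uuid:"00000000-0000-0000-0000-000000000002"
AND sekoiaio.customer.community_uuid:"00000000-0000-0000-0000-000000000003"
AND event.dialect:"example-dialect"
AND customer.intake_name:"Example intake"
"""

if __name__ == "__main__":
    migrated = migrate_text(SAMPLE_RULE)
    print(migrated.text)
    print("renamed:", migrated.renamed)
    for lineno, old, new in migrated.needs_review:
        print(f"line {lineno}: '{old}' was deleted; compare against '{new}' "
              f"and update the value to the matching UUID")
```

Running the migration over a rule that already uses `sekoiaio.customer.community_uuid` leaves that reference untouched, which is what makes it safe to apply to a mixed set of rules, and the review list is the part that still needs a human: the UUID that replaces an intake name or entity id has to be looked up, not derived from the text.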

If you have any questions or need further assistance, please do not hesitate to contact our support team at support@sekoia.io.
