{
    ".meta": {
        "comment": "Contains the trigger that sends Device Info and Detections to Red Canary. Trigger must be updated before it works, please see Red Canary documentation.",
        "created": 1667853939,
        "name": "Red Canary ExtraHop Enterprise Integration",
        "version": "8.9.1.1470",
        "version_min": "8.9"
    },
    "Trigger": [
        {
            "apply_all": false,
            "author": "Red Canary",
            "comment": null,
            "debug": true,
            "disabled": false,
            "events": "[\"DETECTION_UPDATE\"]",
            "hints": "{}",
            "name": "Red  Canary Data Stream",
            "script": "// _______________________________________________________\n// PLEASE CHANGE THE FOLLOWING LINES\n// USING THE ALERT SOURCE URL FROM YOUR RED CANARY PORTAL\nconst integrationURL = \"https://prod1-use2-randomHex.prod1.collectors.redcanary.io:443/yourUniquePathHere/\"\n\n// This should match the name of the Remote HTTP Open Data Stream source that was created earlier\nconst remoteStreamName = 'RedCanary';\n\n// _______________________________________________________\n// PLEASE DO NOT MODIFY ANYTHING BELOW THIS LINE\n// _______________________________________________________\n\n// Goal here is to make the detection payload\n// similar to what we would see in a REST call to /detections\nconst payload = {}\npayload[\"id\"] = Detection.id\npayload[\"start_time\"] = Detection.startTime\npayload[\"update_time\"] = Detection.updateTime\npayload[\"end_time\"] = Detection.endTime\npayload[\"title\"] = Detection.title\npayload[\"description\"] = Detection.description\npayload[\"categories\"] = Detection.categories\npayload[\"risk_score\"] = Detection.riskScore\npayload[\"type\"] = Detection.type\npayload[\"properties\"] = Detection.properties\n\n// Both tactics and techniques are in Detections.mitreCategories:\npayload[\"mitre_tactics\"] = Detection.mitreCategories.filter(c => { /TA\\d+/.test(c.id) })\npayload[\"mitre_techniques\"] = Detection.mitreCategories.filter(c => { /T\\d+/.test(c.id) })\n\npayload[\"participants\"] = Detection.participants.map(participant => {\n  const participantPayload = {\n    \"id\": participant.id,\n    \"role\": participant.role,\n    \"object_json\": participant.object.toJSON()\n  }\n\n  const pobj = participant.object // Device | IPAddress | Application\n  if (pobj instanceof Device){\n      participantPayload[\"object_type\"] = \"device\"\n  }\n  else if(pobj instanceof IPAddress){\n      participantPayload[\"object_type\"] = \"ipaddr\"\n      participantPayload[\"object_value\"] = pobj.toString()\n  }\n  else if(pobj instanceof Application){\n    // No-op, we have all the data we'd need\n  }\n\n  return participantPayload;\n})\n\n// Get the path from the URL\n// @ts-ignore\nconst path = integrationURL.match(/(https.*redcanary.io:443)(.*)/)[2]\n\nconst req = {\n  'path': path,\n  'headers': {\n      'Content-Type': 'application/json'\n  },\n  'payload': JSON.stringify([payload])\n};\n\nRemote.HTTP(remoteStreamName).post(req);"
        }
    ]
}