Conversation
Newest code from mchupeau-sk has been published to preview environment 🚀 Latest deployment was built on 2026-02-06 13:42:26 (ade9c814696b97f275a4d60b52a849673e863278).
Pull request overview
Adds detailed “Information Collected” documentation for multiple asset connectors, focusing on OCSF field mappings, example event structures, enrichment behavior, and referenced API endpoints (issue: https://github.com/SekoiaLab/integration/issues/1199).
Changes:
- Add “Information Collected” sections with OCSF data-mapping tables and example structures for several User and Device asset connector docs.
- Document enrichment behaviors (e.g., groups/roles/MFA, device compliance/hygiene enrichments) and API endpoints used.
- Update Microsoft Entra ID permissions list to include AuditLog.Read.All.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| docs/integration/assets_categories/user/okta_user.md | Adds OCSF mapping + example payload + enrichment/API details for Okta User connector. |
| docs/integration/assets_categories/user/microsoft_entra_id.md | Adds permission + OCSF mapping/enrichment/API details for Entra ID User connector. |
| docs/integration/assets_categories/user/microsoft_ad_user.md | Adds OCSF mapping + enrichment notes for Microsoft AD User connector. |
| docs/integration/assets_categories/user/aws_iam_user.md | Adds OCSF mapping + example payload + API workflow notes for AWS IAM User connector. |
| docs/integration/assets_categories/device/sentinelone_edr.md | Adds OCSF mapping + example payload + enrichments for SentinelOne device connector. |
| docs/integration/assets_categories/device/okta_device.md | Adds OCSF mapping + example payload + OS mapping + enrichment details for Okta device connector. |
| docs/integration/assets_categories/device/harfanglab_edr.md | Adds OCSF mapping + event metadata + enrichment description for HarfangLab device connector. |
| docs/integration/assets_categories/device/crowdstrike_falcon_device.md | Adds OCSF mapping + processing notes for CrowdStrike Falcon device connector. |
| docs/integration/assets_categories/device/aws_ec2_device.md | Adds OCSF mapping + example payload + enrichment/API notes for AWS EC2 device connector. |
| | `reduced_functionality_mode` | `device.is_compliant` | Reduced functionality mode status | String | | ||
| | `filesystem_containment_status` | `device.is_compliant` | Filesystem containment status | String | |
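Review bot: both rows give the source type as String but no value set, so a reader cannot tell which `reduced_functionality_mode` or `filesystem_containment_status` values result in `device.is_compliant` being true or false. Add the accepted values and the derivation rule to the processing notes (or reference that section from these rows) so the mapping can be verified against a real CrowdStrike record.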
The table maps reduced_functionality_mode and filesystem_containment_status directly to device.is_compliant, but later the doc describes is_compliant as derived from multiple fields. To avoid implying the connector overwrites device.is_compliant with string values, reword these rows as "used to derive device.is_compliant" (or move them into the processing-notes section).
| | `reduced_functionality_mode` | `device.is_compliant` | Reduced functionality mode status | String | | |
| | `filesystem_containment_status` | `device.is_compliant` | Filesystem containment status | String | | |
| | `reduced_functionality_mode` | Used to derive `device.is_compliant` | Reduced functionality mode status | String | | |
| | `filesystem_containment_status` | Used to derive `device.is_compliant` | Filesystem containment status | String | |
| The app registration must have the following permissions to successfully fetch Entra ID users and groups: | ||
|
|
||
| ```json | ||
| { | ||
| "permissions": [ | ||
| "User.Read.All", | ||
| "Group.Read.All", | ||
| "GroupMember.Read.All", | ||
| "Directory.Read.All", | ||
| "UserAuthenticationMethod.Read.All" | ||
| "UserAuthenticationMethod.Read.All", | ||
| "AuditLog.Read.All" |
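Review bot: the list adds `AuditLog.Read.All` next to the permissions needed for the core user and group fetch without saying which connector feature needs it. Each Graph permission granted to the app registration widens what it can read, so annotate every entry with the feature it serves (users, groups, authentication methods, and whatever uses the audit log) so operators can grant only the set their deployment actually uses.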
AuditLog.Read.All is described as optional below, but it is included in the "Required API permissions" JSON example. This is contradictory for readers—either remove it from the required permissions snippet or split the doc into required vs optional permissions (and reflect that consistently in the later step-by-step list).
| | Group `id` | `user.groups[].uid` | Group unique identifier | String | | ||
| | Group `displayName` | `user.groups[].name` | Group display name | String | | ||
| | **Derived from Directory Roles API** | | | | | ||
| | Admin role membership | `user.type_id` / `user.type_str` | User type (User=0, Admin=1) | Enum | |
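Review bot: the `user.type_id` / `user.type_str` row should use the OCSF User object's attribute names, which are `type` (string) and `type_id` (integer); `type_str` is not an OCSF attribute. The OCSF `type_id` enum for User is 0 Unknown, 1 User, 2 Admin, 3 System, 99 Other, so the Admin role membership mapping should read User=1, Admin=2.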
The mapping row uses user.type_str, but this field name isn't used elsewhere in these asset docs (they use user.type / user.type_id). Also, the stated enum values (User=0, Admin=1) conflict with the 1/2 convention documented in other user connectors here; please align the field name and enum values for consistency.
| | Admin role membership | `user.type_id` / `user.type_str` | User type (User=0, Admin=1) | Enum | | |
| | Admin role membership | `user.type` / `user.type_id` | User type (User=1, Admin=2) | Enum | |
| "class_name": "User Inventory", | ||
| "class_uid": 5003, | ||
| "type_name": "User Inventory Info: Collect", | ||
| "type_uid": 500301, |
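Review bot: `type_uid` 500301 does not agree with the `type_name` "User Inventory Info: Collect" in the same object. OCSF derives `type_uid` as `class_uid * 100 + activity_id`, and in User Inventory Info activity 1 is Log and 2 is Collect, so a Collect event carries `type_uid` 500302. Use that value, and give `class_name` the class name "User Inventory Info" that `type_name` already spells out.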
In this example event, activity_id/activity_name indicate a Collect, but type_uid is 500301 (which doesn’t match the 500302 value used for Collect in the other user inventory docs) and class_name is "User Inventory" while other docs use "User Inventory Info" for class_uid 5003. Please align class_name/type_uid with the rest of the repository to avoid publishing conflicting OCSF metadata.
| "class_name": "User Inventory", | |
| "class_uid": 5003, | |
| "type_name": "User Inventory Info: Collect", | |
| "type_uid": 500301, | |
| "class_name": "User Inventory Info", | |
| "class_uid": 5003, | |
| "type_name": "User Inventory Info: Collect", | |
| "type_uid": 500302, |
| "class_name": "User Inventory Info", | ||
| "class_uid": 5003, | ||
| "type_name": "User Inventory Info: Collect", | ||
| "type_uid": 5003002, |
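Review bot: `type_uid` 5003002 has an extra digit. With the OCSF rule `type_uid = class_uid * 100 + activity_id` and `class_uid` 5003, valid values are of the form 5003xx, and Collect (activity 2) gives 500302. Correct the value so the example matches the schema and the other user inventory docs.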
type_uid is listed as 5003002 here, which is inconsistent with the 500302 value used for User Inventory Info Collect elsewhere in this repo (e.g., Microsoft AD / Entra ID docs). This looks like a typo and will confuse readers implementing OCSF mappings.
| "type_uid": 5003002, | |
| "type_uid": 500302, |