Updated config

This commit is contained in:
vh
2020-05-20 12:35:00 +03:00
parent fb9c5841f4
commit e8b956f575
11 changed files with 1324 additions and 214 deletions
+126 -9
@@ -15,12 +15,14 @@ logsources:
service: syslog
zeek-category-firewall:
category: firewall
conditions:
deviceEventCategory: conn
rewrite:
product: zeek
service: conn
zeek-category-dns:
category: dns
conditions:
deviceEventCategory: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
@@ -28,8 +30,6 @@ logsources:
service: http
zeek-category-webserver:
category: webserver
conditions:
deviceEventCategory: http
rewrite:
product: zeek
service: http
@@ -321,7 +321,6 @@ fieldmappings:
- destinationDnsDomain
- destinationHost
# All Logs Applied Mapping & Taxonomy
clientip: sourceAddress
dst: destinationAddress
dst_ip: destinationAddress
dst_port: destinationPort
@@ -499,7 +498,7 @@ fieldmappings:
#service=socks:
status_msg:
- 'message'
#subject:
subject:
- 'message'
#service=known_certs:
#service=sip:
@@ -1050,4 +1049,122 @@ fieldmappings:
- sourceAddress
san.uri:
- requestUrl
- requestUrlQuery
- requestUrlQuery
# Few other variations of names from zeek source itself
id_orig_h: sourceAddress
id_orig_p: sourcePort
id_resp_h: destinationAddress
id_resp_p: destinationPort
# Temporary one off rule name fields
cs-uri: requestUrl
destination.domain:
destination.ip: destinationAddress
destination.port: destinationPort
http.response.status_code: deviceSeverity
#http.request.body.content
source.domain:
#sourceAddress: #TONOTE: is arcsight
source.port: sourcePort
agent.version: deviceCustomString2
c-ip: sourceAddress
clientip: sourceAddress
clientIP: sourceAddress
dest_domain:
- url.domain
dest_ip: destinationAddress
dest_port: destinationPort
#TODO:WhatShouldThisBe?==dest:
#TODO:WhatShouldThisBe?==destination:
#TODO:WhatShouldThisBe?==Destination:
destination.hostname: destinationHostName
#DestinationAddress: #TONOTE: is arcsight
#DestinationHostname: #TONOTE: is arcsight
DestinationIp: destinationAddress
DestinationIP: destinationAddress
DestinationPort: destinationPort
dst-ip: destinationAddress
dstip: destinationAddress
dstport: destinationPort
Host: requestHost
#host:
HostVersion: deviceCustomString2
http_host: destinationHostName
http_uri: requestUrl
http_url: requestUrl
http_user_agent:
- deviceCustomString5
- requestClientApplication
http.request.url-query-params:
- requestUrl
- requestUrlQuery
HttpMethod: requestMethod
in_url: requestUrl
#parent_domain:
# - url.registered_domain
# - destination.registered_domain
post_url_parameter: requestUrl
Request Url: requestUrl
request_url: requestUrl
request_URL: requestUrl
RequestUrl: requestUrl
#response: http.response.status_code
resource.url: requestUrl
resource.URL: requestUrl
sc_status: deviceSeverity
sender_domain: message
service.response_code: deviceSeverity
SourceAddr: sourceAddress
SourceAddress: sourceAddress
SourceIP: sourceAddress
SourceIp: sourceAddress
SourceNetworkAddress:
- source.address
- sourceAddress
SourcePort: sourcePort
srcip: sourceAddress
Status: deviceSeverity
#status: deviceSeverity
url: requestUrl
URL: requestUrl
url_query:
- requestUrl
- requestUrlQuery
url.query:
- requestUrl
- requestUrlQuery
uri_path: requestUrl
#user_agent: user_agent.original
user_agent.name:
- deviceCustomString5
- requestClientApplication
user-agent:
- deviceCustomString5
- requestClientApplication
User-Agent:
- deviceCustomString5
- requestClientApplication
useragent:
- deviceCustomString5
- requestClientApplication
UserAgent:
- deviceCustomString5
- requestClientApplication
User Agent:
- deviceCustomString5
- requestClientApplication
web_dest: destinationHostName
web.dest: destinationHostName
Web.dest: destinationHostName
web.host: destinationHostName
Web.host: destinationHostName
web_method: requestMethod
Web_method: requestMethod
web.method: requestMethod
Web.method: requestMethod
web_src: sourceAddress
web_status: deviceSeverity
Web_status: deviceSeverity
web.status: deviceSeverity
Web.status: deviceSeverity
web_uri: requestUrl
web_url: requestUrl
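Review bot: `destination.domain:` and `source.domain:` in the last hunk (just after `cs-uri: requestUrl`) are added with no value, so they parse as YAML null rather than as a field mapping; depending on how the loader treats a null entry that either raises or quietly maps the field to nothing, and the same empty `destination.domain:` recurs in the ECS proxy section further down. A few new targets are also ECS-style names rather than the `sourceAddress`/`deviceSeverity`-style names every other entry in this file uses — `dest_domain: - url.domain` and `SourceNetworkAddress: - source.address` — which reads like a carry-over from the ECS config; if this backend has no such fields, a rule on those keys can never match. Either give them this backend's own names or comment them out like the other unfinished entries here (`#host:`, `#parent_domain:`), e.g. `#destination.domain:` and `#source.domain:`. The fieldmappings block starts outside the hunk.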
+129 -1
@@ -349,4 +349,132 @@ fieldmappings:
keywords:
- deviceCustomString1
ScriptBlockText:
- deviceCustomString1
- deviceCustomString1
AccessMask: deviceCustomString1
AccountName: deviceCustomString1
AllowedToDelegateTo: deviceCustomString1
AttributeLDAPDisplayName: deviceCustomString1
AuditPolicyChanges: deviceCustomString1
AuthenticationPackageName: deviceCustomString1
CallingProcessName: deviceCustomString1
Command: deviceCustomString1
Command_Line: deviceCustomString1
ComputerName: deviceCustomString1
destination.domain: deviceCustomString1
DestinationIP: deviceCustomString1
EngineVersion: deviceCustomString1
Event: deviceCustomString1
event.category: deviceCustomString1
event.raw: deviceCustomString1
event_data.AccessMask: deviceCustomString1
event_data.AccountName: deviceCustomString1
event_data.AllowedToDelegateTo: deviceCustomString1
event_data.AttributeLDAPDisplayName: deviceCustomString1
event_data.AuditPolicyChanges: deviceCustomString1
event_data.AuthenticationPackageName: deviceCustomString1
event_data.CallingProcessName: deviceCustomString1
event_data.CallTrace: deviceCustomString1
event_data.CommandLine: deviceCustomString1
event_data.ComputerName: deviceCustomString1
event_data.CurrentDirectory: deviceCustomString1
event_data.Description: deviceCustomString1
event_data.DestinationHostname: deviceCustomString1
event_data.DestinationIp: deviceCustomString1
event_data.DestinationIsIpv6: deviceCustomString1
event_data.DestinationPort: deviceCustomString1
event_data.Details: deviceCustomString1
event_data.EngineVersion: deviceCustomString1
event_data.EventType: deviceCustomString1
event_data.FailureCode: deviceCustomString1
event_data.FileName: deviceCustomString1
event_data.GrantedAccess: deviceCustomString1
event_data.GroupName: deviceCustomString1
event_data.GroupSid: deviceCustomString1
event_data.Hashes: deviceCustomString1
event_data.HiveName: deviceCustomString1
event_data.HostVersion: deviceCustomString1
event_data.Image: deviceCustomString1
event_data.ImageLoaded: deviceCustomString1
event_data.ImagePath: deviceCustomString1
event_data.Imphash: deviceCustomString1
event_data.IpAddress: deviceCustomString1
event_data.KeyLength: deviceCustomString1
event_data.LogonProcessName: deviceCustomString1
event_data.LogonType: deviceCustomString1
event_data.NewProcessName: deviceCustomString1
event_data.ObjectClass: deviceCustomString1
event_data.ObjectName: deviceCustomString1
event_data.ObjectType: deviceCustomString1
event_data.ObjectValueName: deviceCustomString1
event_data.ParentCommandLine: deviceCustomString1
event_data.ParentImage: deviceCustomString1
event_data.ParentProcessName: deviceCustomString1
event_data.Path: deviceCustomString1
event_data.PipeName: deviceCustomString1
event_data.ProcessCommandLine: deviceCustomString1
event_data.ProcessName: deviceCustomString1
event_data.Properties: deviceCustomString1
event_data.SecurityID: deviceCustomString1
event_data.ServiceFileName: deviceCustomString1
event_data.ServiceName: deviceCustomString1
event_data.ShareName: deviceCustomString1
event_data.Signature: deviceCustomString1
event_data.Source: deviceCustomString1
event_data.SourceImage: deviceCustomString1
event_data.StartModule: deviceCustomString1
event_data.Status: deviceCustomString1
event_data.SubjectUserName: deviceCustomString1
event_data.SubjectUserSid: deviceCustomString1
event_data.TargetFilename: deviceCustomString1
event_data.TargetImage: deviceCustomString1
event_data.TargetObject: deviceCustomString1
event_data.TicketEncryptionType: deviceCustomString1
event_data.TicketOptions: deviceCustomString1
event_data.User: deviceCustomString1
event_data.WorkstationName: deviceCustomString1
FailureCode: deviceCustomString1
GroupName: deviceCustomString1
GroupSid: deviceCustomString1
hashes: deviceCustomString1
Header.Accept: deviceCustomString1
HiveName: deviceCustomString1
host.scan.vuln_name: deviceCustomString1
HostVersion: deviceCustomString1
ImagePath: deviceCustomString1
Imphash: deviceCustomString1
IpAddress: deviceCustomString1
IpPort: deviceCustomString1
KeyLength: deviceCustomString1
log_name: deviceCustomString1
LogonType: deviceCustomString1
NewProcessName: deviceCustomString1
ObjectClass: deviceCustomString1
ObjectName: deviceCustomString1
ObjectType: deviceCustomString1
ObjectValueName: deviceCustomString1
ParentProcessName: deviceCustomString1
Path: deviceCustomString1
ProcessCommandLine: deviceCustomString1
ProcessName: deviceCustomString1
Properties: deviceCustomString1
resource.URL: deviceCustomString1
SecurityEvent: deviceCustomString1
SecurityID: deviceCustomString1
SelectionURL: deviceCustomString1
ServiceFileName: deviceCustomString1
ServiceName: deviceCustomString1
ShareName: deviceCustomString1
Source: deviceCustomString1
source_name: deviceCustomString1
SourceIP: deviceCustomString1
Status: deviceCustomString1
SubjectDomainName: deviceCustomString1
SubjectUserName: deviceCustomString1
SubjectUserSid: deviceCustomString1
SysmonEvent: deviceCustomString1
TargetDomainName: deviceCustomString1
TargetUserSid: deviceCustomString1
TicketEncryptionType: deviceCustomString1
TicketOptions: deviceCustomString1
winlog.channel: deviceCustomString1
WorkstationName: deviceCustomString1
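Review bot: Every added Windows key — `CommandLine`, `Hashes`, `DestinationIp`, `SourceIP`, `SubjectUserSid` and the rest — is mapped to the single field `deviceCustomString1`, so rules that select on different event attributes all compile to the same search over one string, and a value such as an IP or a SID matches wherever it occurs in that string. That is much wider than the per-attribute mappings the other sections of this commit add (`DestinationIP: destinationAddress` in the first section), which may well be intentional if this backend keeps the raw event text in `deviceCustomString1`, but nothing in the file says so and the next maintainer is likely to "fix" it. A one-line comment above the new entries stating the intent would settle that, e.g. `# Catch-all: this backend exposes no per-attribute fields for Windows events, so all keys search the raw event stored in deviceCustomString1` — adjusted to whatever the real reason is. The fieldmappings block starts outside the hunk.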
+44 -5
@@ -1,16 +1,44 @@
title: Elastic Common Schema mapping for proxy logs
title: Elastic Common Schema mapping for proxy and webserver logs including NSM logs (zeek/suricata)
order: 20
backends:
- es-qs
- es-dsl
- elasticsearch-rule
- kibana
- xpack-watcher
- elastalert
- elastalert-dsl
logsources:
proxy:
category: proxy
index: filebeat-*
# logsources:
# proxy:
# category: proxy
# index:
# - "filebeat-*"
# - "*ecs-*"
#zeek-category-proxy:
# category: proxy
# rewrite:
# product: zeek
# service: http
#zeek-category-webserver:
# category: webserver
# conditions:
# event.dataset: http
# rewrite:
# product: zeek
# service: http
# zeek-http:
# product: zeek
# service: http
# conditions:
# event.dataset: http
# zeek-http2:
# product: zeek
# service: http2
# conditions:
# event.dataset: http2
defaultindex:
- filebeat-*
# logsourcemerging: or
fieldmappings:
# All Logs Applied Mapping & Taxonomy
dst:
@@ -48,6 +76,14 @@ fieldmappings:
sc-bytes: http.response.body.bytes
sc-status: http.response.status_code
# Temporary one off rule name fields
destination.domain:
# destination.ip:
# destination.port:
# http.response.status_code
# http.request.body.content
# source.domain:
# source.ip:
# source.port:
agent.version: http.version
c-ip:
- source.address
@@ -65,6 +101,9 @@ fieldmappings:
- destination.address
- destination.ip
dest_port: destination.port
#TODO:WhatShouldThisBe?==dest:
#TODO:WhatShouldThisBe?==destination:
#TODO:WhatShouldThisBe?==Destination:
destination.hostname:
- destination.domain
- url.domain
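Review bot: The new title promises coverage of webserver and NSM (zeek/suricata) logs, yet every zeek logsource in the first hunk is commented out (`#zeek-category-proxy:` through `# zeek-http2:`) and the former `proxy` logsource is commented out as well, so as far as the hunk shows the file defines no logsource at all and keeps only `defaultindex: - filebeat-*`; the `conditions: event.dataset: http` scoping that would separate zeek http events from the rest of filebeat is therefore not applied by this config. If the logsources are meant to come from the shared ECS zeek config that is fine, but the comment block should say so rather than carry the dead definitions, e.g. `# logsources for proxy/webserver/zeek are defined in the ecs-zeek config; only fieldmappings live here`. Separately, `destination.domain:` in the second hunk is added with no value and parses as YAML null; comment it out like its neighbours (`# destination.domain:`) until it has a target. The fieldmappings block continues outside the hunks.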
+232 -124
@@ -26,10 +26,14 @@ logsources:
service: syslog
zeek-category-firewall:
category: firewall
conditions:
event.dataset: conn
rewrite:
product: zeek
service: conn
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
conditions:
event.dataset: dns
zeek-category-proxy:
@@ -39,8 +43,6 @@ logsources:
service: http
zeek-category-webserver:
category: webserver
conditions:
event.dataset: http
rewrite:
product: zeek
service: http
@@ -395,151 +397,251 @@ fieldmappings:
uid: log.id.uid
uids: log.id.uids
uuid: log.id.uuid
# Overlapping fields/mappings (aka: shared fields)
# Deep mappings / Overlapping fields/mappings (aka: shared fields)
#_action
action:
#- smb.action
- '*.action'
#service=smb_files: smb.action
#service=mqtt: mqtt.action
#service=tunnel: tunnel.action
#- '*.action'
service=mqtt: mqtt.action
service=smb_files: smb.action
service=tunnel: tunnel.action
mqtt_action: smb.action
smb_action: smb.action
tunnel_action: tunnel.action
#_addl
addl:
#- weird.addl
- '*.addl'
#service=dns: dns.addl
#service=weird: weird.addl
#- '*.addl'
service=dns: dns.addl
service=weird: weird.addl
dns_addl: dns.addl
weird_addl: weird.addl
#_analyzer
analyzer:
#- dpd.analyzer
- '*.analyzer'
#service=dpd: dpd.analyzer
#service=files: files.analyzer
#- '*.analyzer'
service=dpd: dpd.analyzer
service=files: files.analyzer
dpd_analyzer: dpd.analyzer
files_analyzer: file.analyzer
#_arg
arg:
#- ftp.arg
- '*.arg'
#service=ftp: ftp.arg
#service=ftp: pop3.arg
#service=msqyl: mysql.arg
#auth:
#service=rfb: rfb.auth #RFB does not exist in newer logs, so skipping to cover dns.auth
#- '*.arg'
service=ftp: ftp.arg
service=msqyl: mysql.arg
service=pop3: pop3.arg
ftp_arg: ftp.arg
mysql_arg: mysql.arg
pop3_arg: pop3.arg
#_auth
auth:
#- dns.auth
service=dns: dns.auth
service=rfb: rfb.auth
dns_auth: dns.auth
rfb_auth: rfb.auth
#_cipher
cipher:
#- kerberos.cipher
- '*.client'
#service=kerberos: kerberos.cipher
#service=ssl: tls.cipher
#- '*.client'
service=kerberos: kerberos.cipher
service=ssl: tls.cipher
kerberos_cipher: kerberos.cipher
ssl_cipher: tls.cipher
tls_cipher: tls.cipher
#_client
client:
#- ssh.client
- '*.client'
#service=kerberos: kerberos.client
#service=ssh: ssh.client
#- '*.client'
service=kerberos: kerberos.client
service=ssh: ssh.client
kerberos_client: kerberos.client
ssh_client: ssh.client
#_command
command:
#- ftp.command
- '*.command'
#service=pop3: pop3.command
#service=ftp: ftp.command
#service=irc: irc.command
#- '*.command'
service=irc: irc.command
service=ftp: ftp.command
service=pop3: pop3.command
ftp_command: ftp.command
irc_command: irc.command
pop3_command: pop3.command
#_date
date:
#- smtp.date
- '*.date'
#service=sip: sip.date
#service=smtp: smtp.date
#- '*.date'
service=sip: sip.date
service=smtp: smtp.date
sip_date: sip.date
smtp_date: smtp.date
#_duration
duration:
- event.duration
#- '*.duration'
#service=conn: event.duration
#service=files: files.duration
#service=snmp: event.duration
#- event.duration
service=conn: event.duration
service=files: files.duration
service=snmp: event.duration
conn_duration: event.duration
files_duration: files.duration
snmp_duration: event.duration
#_from
from:
#- smtp.from
- '*.from'
#service=kerberos: kerberos.from
#service=smtp: smtp.from
#- '*.from'
service=kerberos: kerberos.from
service=smtp: smtp.from
kerberos_from: kerberos.from
smtp_from: smtp.from
#_is_orig
is_orig:
- '*.is_orig'
#service=file: file.is_orig
#service=pop3: pop3.is_orig
#- '*.is_orig'
service=file: file.is_orig
service=pop3: pop3.is_orig
files_is_orig: file.is_orig
pop3_is_orig: pop3.is_orig
#_local_orig
local_orig:
- '*.local_orig'
#service=conn conn.local_orig
#service=files file.local_orig
#- '*.local_orig'
service=conn: conn.local_orig
service=files: file.local_orig
conn_local_orig: conn.local_orig
files_local_orig: file.local_orig
#_method
method:
- http.request.method
#service=http: http.request.method
#service=sip: sip.method
#- http.request.method
service=http: http.request.method
service=sip: sip.method
http_method: http.request.method
sip_method: sip.method
#_msg
msg:
- notice.msg
#service=notice: notice.msg
#service=pop3: pop3.msg
#- notice.msg
service=notice: notice.msg
service=pop3: pop3.msg
notice_msg: notice.msg
pop3_msg: pop3.msg
#_name
name:
- file.name
#- '*.name'
#service=smb_files: file.name
#service=software: software.name
#service=weird: weird.name
#- file.name
service=smb_files: file.name
service=software: software.name
service=weird: weird.name
smb_files_name: file.name
software_name: software.name
weird_name: weird.name
#_path
path:
- file.path
#- '*.path'
#service=smb_files: file.path
#service=smb_mapping: file.path
#service=smtp: smtp.path
#- file.path
service=smb_files: file.path
service=smb_mapping: file.path
service=smtp: smtp.path
smb_files_path: file.path
smb_mapping_path: file.path
smtp_path: smtp.path
#_reply_msg
reply_msg:
#- ftp.reply_msg
- '*.reply_msg'
#service=ftp: ftp.reply_msg
#service=radius: radius.reply_msg
#- '*.reply_msg'
service=ftp: ftp.reply_msg
service=radius: radius.reply_msg
ftp_reply_msg: ftp.reply_msg
radius_reply_msg: radius.reply_msg
#_reply_to
reply_to:
#- smtp.reply_to
- '*.reply_to'
#service=sip: sip.reply_to
#service=smtp: smtp.reply_to
#- '*.reply_to'
service=sip: sip.reply_to
service=smtp: smtp.reply_to
sip_reply_to: sip.reply_to
smtp_reply_to: smtp.reply_to
#_response_body_len
response_body_len:
- http.response.body.bytes
#service=http: http.response.body.bytes
#service=sip: sip.response_body_len
#- http.response.body.bytes
service=http: http.response.body.bytes
service=sip: sip.response_body_len
http_response_body_len: http.response.body.bytes
sip_response_body_len: sip.response_body_len
#_request_body_len
request_body_len:
- http.request.body.bytes
#service=http: http.response.body.bytes
#service=sip: sip.request_body_len
#- http.request.body.bytes
service=http: http.response.body.bytes
service=sip: sip.request_body_len
http_request_body_len: http.response.body.bytes
sip_request_body_len: sip.response_body_len
#_rtt
#rtt:
#- event.duration
#- 'zeek.*.rtt'
#service=dns: event.duration
#service=dce_rpc: event.duration
dns_rtt: event.duration
dce_rpc_rtt: event.duration
#_service
service:
#- kerberos.service
- '*.service'
#service=kerberos: kerberos.service
#service=smb_mapping: smb.service
#- '*.service'
service=kerberos: kerberos.service
service=smb_mapping: smb.service
kerberos_service: kerberos.service
smb_mapping_kerberos: smb.service
#_status
status:
#- socks.status
- '*.status'
#service=pop3: pop3.status
#service=mqtt: mqtt.status
#service=socks: socks.status
#- '*.status'
service=mqtt: mqtt.status
service=pop3: pop3.status
service=socks: socks.status
mqtt_status: mqtt.status
pop3_status: pop3.status
socks_status: socks.status
#_status_code
status_code:
- 'http.response.status_code'
#service=http: http.response.status_code
#service=sip: sip.status_code
#- 'http.response.status_code'
service=http: http.response.status_code
service=sip: sip.status_code
http_status_code: http.response.status_code
sip_status_code: sip.status_code
#_status_msg
status_msg:
- http.status_msg
#- '*.status_msg'
#service=http: http.status_msg
#service=sip: sip.status_msg
service=http: http.status_msg
service=sip: sip.status_msg
http_status_msg: http.status_msg
sip_status_msg: sip.status_msg
#_subject
subject:
#- smtp.subject
- '*.subject'
#service=known_certs: known_certs.subject
#service=sip: sip.subject
#service=smtp: smtp.subject
#service=ssl: tls.subject
#- '*.subject'
service=known_certs: known_certs.subject
service=sip: sip.subject
service=smtp: smtp.subject
service=ssl: tls.subject
known_certs_subject: known_certs.subject
sip_subject: sip.subject
smtp_subject: smtp.subject
ssl_subject: tls.subject
#_service
#_trans_depth
trans_depth:
#- http.trans_depth
- '*.trans_depth'
#service=http: http.trans_depth
#service=sip: sip.trans_depth
#service=smtp: smtp.trans_depth
#- '*.trans_depth'
service=http: http.trans_depth
service=sip: sip.trans_depth
service=smtp: smtp.trans_depth
http_trans_depth: http.trans_depth
sip_trans_depth: sip.trans_depth
smtp_trans_depth: smtp.trans_depth
#_user_agent
#user_agent: #already normalized
http_user_agent: user_agent.original
gquic_user_agent: user_agent.original
sip_user_agent: user_agent.original
smtp_user_agent: user_agent.original
#_version
version:
#- tls.version
- '*.version'
#service=gquic: gquic.version
#service=ntp: ntp.version
#service=socks: socks.version
#service=snmp: snmp.version
#service=ssh: ssh.version
#service=tls: tls.version
#- '*.version'
service=gquic: gquic.version
service=http: http.version
service=ntp: ntp.version
service=socks: socks.version
service=snmp: snmp.version
service=ssh: ssh.version
service=tls: tls.version
gquic_version: gquic.version
http_version: http.version
ntp_version: ntp.version
socks_version: socks.version
snmp_version: snmp.version
ssh_version: ssh.version
ssl_version: tls.version
tls_version: tls.version
# Conn and Conn Long
cache_add_rx_ev: conn.cache_add_rx_ev
cache_add_rx_mpg: conn.cache_add_rx_mpg
@@ -594,7 +696,7 @@ fieldmappings:
# DNS
AA: dns.AA
#addl: dns.addl
auth: dns.auth
#auth: dns.auth
answers: dns.answers.name
TTLs: dns.answers.ttl
RA: dns.RA
@@ -689,6 +791,7 @@ fieldmappings:
uri_vars: http.uri_vars
#user_agent: user_agent.original
#username: source.user.name
#version: http.version
# Intel
file_mime_type: file.mime_type
file_desc: intel.file_desc
@@ -1062,6 +1165,11 @@ fieldmappings:
san.email: x509.san.email
san.ip: x509.san.ip
san.uri: x509.san.url
# Few other variations of names from zeek source itself
id_orig_h: source.ip
id_orig_p: source.port
id_resp_h: destination.ip
id_resp_p: destination.port
# Temporary one off rule name fields
cs-uri: url.original
# destination.domain:
@@ -1087,7 +1195,7 @@ fieldmappings:
destination.hostname:
- destination.domain
- url.domain
DestinationAddress:
DestinationAddress: destination.ip
DestinationHostname:
- destination.domain
- url.domain
@@ -1109,7 +1217,7 @@ fieldmappings:
- url.domain
http_uri: url.original
http_url: url.original
http_user_agent: user_agent.original
#http_user_agent: user_agent.original
http.request.url-query-params: url.original
HttpMethod: http.request.method
in_url: url.original
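Review bot: Several of the new per-service entries in the large `fieldmappings` hunk point at the wrong field, and because a rule condition is rewritten through these lookups each one silently makes the rule test a different value than its author wrote: under `request_body_len`, `service=http` and `http_request_body_len` target `http.response.body.bytes` and `sip_request_body_len` targets `sip.response_body_len`, so a threshold on request size is evaluated against the response; `mqtt_action` targets `smb.action`; `service=msqyl` carries the typo over from the old commented line, so a rule on `service: mysql` gets no `arg` mapping at all; and `files_analyzer: file.analyzer` disagrees with `service=files: files.analyzer` on the line above it. The `is_orig` block also selects on `service=file` while every other entry and the `zeek-files` logsource in the Humio section use `files`, and `smb_mapping_kerberos` under `service` looks like a mis-named `smb_mapping_service`. Corrected lines follow; which of `file.`/`files.` is the real ECS field I cannot tell from here, the pair just needs to agree. The fieldmappings block continues outside the hunk.
```yaml
action:
  # … unchanged: service= selectors …
  mqtt_action: mqtt.action
analyzer:
  service=files: files.analyzer
  files_analyzer: files.analyzer
arg:
  service=mysql: mysql.arg
is_orig:
  service=files: file.is_orig
request_body_len:
  service=http: http.request.body.bytes
  # … unchanged: service=sip …
  http_request_body_len: http.request.body.bytes
  sip_request_body_len: sip.request_body_len
service:
  # … unchanged: service= selectors, kerberos_service …
  smb_mapping_service: smb.service
```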
+532 -4
@@ -2,8 +2,368 @@ title: Humio log source conditions
order: 20
backends:
- humio
logsources:
zeek:
product: zeek
zeek-category-accounting:
category: accounting
rewrite:
product: zeek
service: syslog
zeek-category-firewall:
category: firewall
rewrite:
product: zeek
service: conn
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
product: zeek
service: http
zeek-category-webserver:
category: webserver
rewrite:
product: zeek
service: http
zeek-conn:
product: zeek
service: conn
conditions:
'@stream': conn
zeek-conn_long:
product: zeek
service: conn_long
conditions:
'@stream': conn_long
zeek-dce_rpc:
product: zeek
service: dce_rpc
conditions:
'@stream': dce_rpc
zeek-dns:
product: zeek
service: dns
conditions:
'@stream': dns
zeek-dnp3:
product: zeek
service: dnp3
conditions:
'@stream': dnp3
zeek-dpd:
product: zeek
service: dpd
conditions:
'@stream': dpd
zeek-files:
product: zeek
service: files
conditions:
'@stream': files
zeek-ftp:
product: zeek
service: ftp
conditions:
'@stream': ftp
zeek-gquic:
product: zeek
service: gquic
conditions:
'@stream': gquic
zeek-http:
product: zeek
service: http
conditions:
'@stream': http
zeek-http2:
product: zeek
service: http2
conditions:
'@stream': http2
zeek-intel:
product: zeek
service: intel
conditions:
'@stream': intel
zeek-irc:
product: zeek
service: irc
conditions:
'@stream': irc
zeek-kerberos:
product: zeek
service: kerberos
conditions:
'@stream': kerberos
zeek-known_certs:
product: zeek
service: known_certs
conditions:
'@stream': known_certs
zeek-known_hosts:
product: zeek
service: known_hosts
conditions:
'@stream': known_hosts
zeek-known_modbus:
product: zeek
service: known_modbus
conditions:
'@stream': known_modbus
zeek-known_services:
product: zeek
service: known_services
conditions:
'@stream': known_services
zeek-modbus:
product: zeek
service: modbus
conditions:
'@stream': modbus
zeek-modbus_register_change:
product: zeek
service: modbus_register_change
conditions:
'@stream': modbus_register_change
zeek-mqtt_connect:
product: zeek
service: mqtt_connect
conditions:
'@stream': mqtt_connect
zeek-mqtt_publish:
product: zeek
service: mqtt_publish
conditions:
'@stream': mqtt_publish
zeek-mqtt_subscribe:
product: zeek
service: mqtt_subscribe
conditions:
'@stream': mqtt_subscribe
zeek-mysql:
product: zeek
service: mysql
conditions:
'@stream': mysql
zeek-notice:
product: zeek
service: notice
conditions:
'@stream': notice
zeek-ntlm:
product: zeek
service: ntlm
conditions:
'@stream': ntlm
zeek-ntp:
product: zeek
service: ntp
conditions:
'@stream': ntp
zeek-ocsp:
product: zeek
service: ntp
conditions:
'@stream': ocsp
zeek-pe:
product: zeek
service: pe
conditions:
'@stream': pe
zeek-pop3:
product: zeek
service: pop3
conditions:
'@stream': pop3
zeek-radius:
product: zeek
service: radius
conditions:
'@stream': radius
zeek-rdp:
product: zeek
service: rdp
conditions:
'@stream': rdp
zeek-rfb:
product: zeek
service: rfb
conditions:
'@stream': rfb
zeek-sip:
product: zeek
service: sip
conditions:
'@stream': sip
zeek-smb_files:
product: zeek
service: smb_files
conditions:
'@stream': smb_files
zeek-smb_mapping:
product: zeek
service: smb_mapping
conditions:
'@stream': smb_mapping
zeek-smtp:
product: zeek
service: smtp
conditions:
'@stream': smtp
zeek-smtp_links:
product: zeek
service: smtp_links
conditions:
'@stream': smtp_links
zeek-snmp:
product: zeek
service: snmp
conditions:
'@stream': snmp
zeek-socks:
product: zeek
service: socks
conditions:
'@stream': socks
zeek-software:
product: zeek
service: software
conditions:
'@stream': software
zeek-ssh:
product: zeek
service: ssh
conditions:
'@stream': ssh
zeek-ssl:
product: zeek
service: ssl
conditions:
'@stream': ssl
zeek-tls: # In case people call it TLS even though orig log is called ssl
product: zeek
service: tls
conditions:
'@stream': ssl
zeek-syslog:
product: zeek
service: syslog
conditions:
'@stream': syslog
zeek-tunnel:
product: zeek
service: tunnel
conditions:
'@stream': tunnel
zeek-traceroute:
product: zeek
service: traceroute
conditions:
'@stream': traceroute
zeek-weird:
product: zeek
service: weird
conditions:
'@stream': weird
zeek-x509:
product: zeek
service: x509
conditions:
'@stream': x509
zeek-ip_search:
product: zeek
service: network
conditions:
'@stream':
- conn
- conn_long
- dce_rpc
- dhcp
- dnp3
- dns
- ftp
- gquic
- http
- irc
- kerberos
- modbus
- mqtt_connect
- mqtt_publish
- mqtt_subscribe
- mysql
- ntlm
- ntp
- radius
- rfb
- sip
- smb_files
- smb_mapping
- smtp
- smtp_links
- snmp
- socks
- ssh
- tls #SSL
- tunnel
- weird
fieldmappings:
# Deep mappings Taxonomy for overall/general fields
dst_ip:
product=windows: winlog.event_data.DestinationIp
product=zeek: id.resp_h
src_ip:
product=windows: winlog.event_data.SourceIp
product=zeek: id.orig_h
dst_port:
product=windows: winlog.event_data.DestinationPort
product=zeek: id.resp_p
src_port:
product=windows: winlog.event_data.SourcePort
product=zeek: id.orig_p
network_protocol:
product=zeek: proto
# Deep mappings Taxonomy for DNS Category and DNS service
answer:
product=zeek: answers
#question_length: # product=zeek: # Does not exist in open source version
record_type:
product=zeek: qtype_name
#parent_domain: #product=zeek: # Does not exist in open source version
# Deep mappings Taxonomy for HTTP, Webserver category, and Proxy category
cs-bytes:
product=zeek: request_body_len
cs-cookie:
product=zeek: cookie
r-dns:
product=zeek: host
sc-bytes:
product=zeek: response_body_len
sc-status:
product=zeek: status_code
c-uri:
product=zeek: uri
c-uri-extension:
product=zeek: uri
c-uri-query:
product=zeek: uri
c-uri-stem:
product=zeek: uri
c-useragent:
product=zeek: user_agent
cs-host:
product=zeek: host
cs-method:
product=zeek: method
cs-referrer:
product=zeek: referrer
cs-version:
product=zeek: version
# Windows / WEF / Winlogbeat
EventID: winlog.event_id
Event_ID: winlog.event_id
eventId: winlog.event_id
@@ -25,10 +385,8 @@ fieldmappings:
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
dst_ip: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
dst_port: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
@@ -69,7 +427,6 @@ fieldmappings:
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
SourceIp: winlog.event_data.SourceIp
src_ip: winlog.event_data.SourceIp
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
@@ -95,3 +452,174 @@ fieldmappings:
PHYType: winlog.event_data.PHYType
ProfileName: winlog.event_data.ProfileName
SSID: winlog.event_data.SSID
# Zeek Deep Mappings
# Temporary one off rule name fields
agent.version:
product=zeek: version
c-cookie:
product=zeek: cookie
c-ip:
product=zeek: id.orig_h
cs-uri:
product=zeek: uri
clientip:
product=zeek: id.orig_h
clientIP:
product=zeek: id.orig_h
dest_domain:
product=zeek: host
#- query
#- server_name
dest_ip:
product=zeek: id.resp_h
dest_port:
product=zeek: id.resp_p
#TODO:WhatShouldThisBe?==dest:
#TODO:WhatShouldThisBe?==destination:
#TODO:WhatShouldThisBe?==Destination:
destination.hostname:
product=zeek: host
#- query
#- server_name
DestinationAddress:
product=zeek: id.resp_h
dst-ip:
product=zeek: id.resp_h
dstip:
product=zeek: id.resp_h
dstport:
product=zeek: id.resp_p
Host:
product=zeek: host
#- query
#- server_name
http_host:
product=zeek: host
#- query
#- server_name
http_uri:
product=zeek: uri
http_url:
product=zeek: uri
http_user_agent:
product=zeek: user_agent
http.request.url-query-params:
product=zeek: uri
HttpMethod:
product=zeek: method
in_url:
product=zeek: uri
post_url_parameter:
product=zeek: uri
Request Url:
product=zeek: uri
request_url:
product=zeek: uri
request_URL:
product=zeek: uri
RequestUrl:
product=zeek: uri
response:
product=zeek: status_code
resource.url:
product=zeek: uri
resource.URL:
product=zeek: uri
sc_status:
product=zeek: status_code
service.response_code:
product=zeek: status_code
source:
product=zeek: id.orig_h
SourceAddr:
product=zeek: id.orig_h
SourceAddress:
product=zeek: id.orig_h
SourceIP:
product=zeek: id.orig_h
SourceNetworkAddress:
product=zeek: id.orig_h
SourcePort:
product=zeek: id.orig_p
srcip:
product=zeek: id.orig_h
status:
product=zeek: status_code
url:
product=zeek: uri
URL:
product=zeek: uri
url_query:
product=zeek: uri
url.query:
product=zeek: uri
uri_path:
product=zeek: uri
user_agent:
product=zeek: user_agent
user_agent.name:
product=zeek: user_agent
user-agent:
product=zeek: user_agent
User-Agent:
product=zeek: user_agent
useragent:
product=zeek: user_agent
UserAgent:
product=zeek: user_agent
User Agent:
product=zeek: user_agent
web_dest:
product=zeek: host
#- query
#- server_name
web.dest:
product=zeek: host
#- query
#- server_name
Web.dest:
product=zeek: host
#- query
#- server_name
web.host:
product=zeek: host
#- query
#- server_name
Web.host:
product=zeek: host
#- query
#- server_name
web_method:
product=zeek: method
Web_method:
product=zeek: method
web.method:
product=zeek: method
Web.method:
product=zeek: method
web_src:
product=zeek: id.orig_h
web_status:
product=zeek: status_code
Web_status:
product=zeek: status_code
web.status:
product=zeek: status_code
Web.status:
product=zeek: status_code
web_uri:
product=zeek: uri
web_url:
product=zeek: uri
# Already
destination.ip:
product=zeek: id.resp_h
destination.port:
product=zeek: id.resp_p
http.request.body.content:
product=zeek: post_body
#source.domain:
source.ip:
product=zeek: id.orig_h
source.port:
product=zeek: id.orig_p
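Review bot: `zeek-ocsp` in the first hunk carries `service: ntp` under `product: zeek`, so a rule declaring `service: ntp` now has two candidate logsources (`zeek-ntp` and this one) while the `'@stream': ocsp` condition is never reachable from a rule that declares `service: ocsp`; it should read `service: ocsp`. In the same hunk the `zeek-ip_search` stream list ends with `- tls #SSL`, but the stream that both `zeek-ssl` and `zeek-tls` match on is `ssl` (`'@stream': ssl`, with the comment that the original log is called ssl), so `tls` in that list matches no stream and TLS connections drop out of the IP search; change it to `- ssl`. The logsources block starts outside the hunk.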
+132 -8
@@ -19,12 +19,14 @@ logsources:
service: syslog
zeek-category-firewall:
category: firewall
conditions:
'@stream': conn
rewrite:
product: zeek
service: conn
zeek-category-dns:
category: dns
conditions:
'@stream': dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
@@ -32,8 +34,6 @@ logsources:
service: http
zeek-category-webserver:
category: webserver
conditions:
'@stream': http
rewrite:
product: zeek
service: http
@@ -321,7 +321,6 @@ logsources:
defaultindex: 'logstash-*'
fieldmappings:
# All Logs Applied Mapping & Taxonomy
clientip: id.resp_h
dst_ip: id.resp_h
dst_port: id.resp_p
network_protocol: proto
@@ -346,4 +345,129 @@ fieldmappings:
cs-host: host
cs-method: method
cs-referrer: referrer
cs-version: version
cs-version: version
# Few other variations of names from zeek source itself
id_orig_h: id.orig_h
id_orig_p: id.orig_p
id_resp_h: id.resp_h
id_resp_p: id.resp_p
# Temporary one off rule name fields
agent.version: version
c-cookie: cookie
c-ip: id.orig_h
cs-uri: uri
clientip: id.orig_h
clientIP: id.orig_h
dest_domain:
- query
- host
- server_name
dest_ip: id.resp_h
dest_port: id.resp_p
#TODO:WhatShouldThisBe?==dest:
#TODO:WhatShouldThisBe?==destination:
#TODO:WhatShouldThisBe?==Destination:
destination.hostname:
- query
- host
- server_name
DestinationAddress: id.resp_h
DestinationHostname:
- host
- query
- server_name
DestinationIp: id.resp_h
DestinationIP: id.resp_h
DestinationPort: id.resp_p
dst-ip: id.resp_h
dstip: id.resp_h
dstport: id.resp_p
Host:
- host
- query
- server_name
HostVersion: http.version
http_host:
- host
- query
- server_name
http_uri: uri
http_url: uri
http_user_agent: user_agent
http.request.url-query-params: uri
HttpMethod: method
in_url: uri
# parent_domain: # Not in open source zeek
post_url_parameter: uri
Request Url: uri
request_url: uri
request_URL: uri
RequestUrl: uri
#response: status_code
resource.url: uri
resource.URL: uri
sc_status: status_code
sender_domain:
- query
- server_name
service.response_code: status_code
source: id.orig_h
SourceAddr: id.orig_h
SourceAddress: id.orig_h
SourceIP: id.orig_h
SourceIp: id.orig_h
SourceNetworkAddress: id.orig_h
SourcePort: id.orig_p
srcip: id.orig_h
Status: status_code
status: status_code
url: uri
URL: uri
url_query: uri
url.query: uri
uri_path: uri
user_agent: user_agent
user_agent.name: user_agent
user-agent: user_agent
User-Agent: user_agent
useragent: user_agent
UserAgent: user_agent
User Agent: user_agent
web_dest:
- host
- query
- server_name
web.dest:
- host
- query
- server_name
Web.dest:
- host
- query
- server_name
web.host:
- host
- query
- server_name
Web.host:
- host
- query
- server_name
web_method: method
Web_method: method
web.method: method
Web.method: method
web_src: id.orig_h
web_status: status_code
Web_status: status_code
web.status: status_code
Web.status: status_code
web_uri: uri
web_url: uri
# Most are in ECS, but for things not using Elastic - these need renamed
destination.ip: id.resp_h
destination.port: id.resp_p
http.request.body.content: post_body
#source.domain:
source.ip: id.orig_h
source.port: id.orig_p
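Review bot: `HostVersion: http.version` in the last hunk targets a dotted field name that nothing else in this file uses: `cs-version` and `agent.version` both map to the bare zeek http.log field `version`. If the indexed documents carry `version` rather than `http.version`, any rule filtering on HostVersion is translated to a field the index does not contain and silently never matches, a false negative that backend tests will not surface. Suggest `HostVersion: version`, or a comment on that line explaining why this single mapping differs. The `fieldmappings:` key itself begins in the previous hunk, so this list is only the appended tail of it.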
+93 -47
@@ -1,52 +1,98 @@
title: QRadar
backends:
- qradar
- qradar
order: 20
logsources:
apache:
product: apache
conditions:
LOGSOURCETYPENAME(devicetype): ilike '%apache%'
windows:
product: windows
conditions:
LOGSOURCETYPENAME(devicetype): 'Microsoft Windows Security Event Log'
qflow:
product: qflow
index: flows
netflow:
product: netflow
index: flows
ipfix:
product: ipfix
index: flows
flow:
category: flow
index: flows
apache:
product: apache
index: apache
conditions:
LOGSOURCETYPENAME(devicetype): '*apache*'
windows:
product: windows
index: windows
conditions:
LOGSOURCETYPENAME(devicetype): '*Microsoft Windows Security Event Log*'
qflow:
product: qflow
index: flows
netflow:
product: netflow
index: flows
ipfix:
product: ipfix
index: flows
flow:
category: flow
index: flows
fieldmappings:
EventID:
- Event ID Code
dst:
- destinationIP
dst_ip:
- destinationIP
src:
- sourceIP
src_ip:
- sourceIP
c-ip: sourceIP
cs-ip: sourceIP
c-uri: url
c-uri-extension: file_extension
c-useragent: user_agent
c-uri-query: uri_query
cs-method: Method
r-dns: FQDN
ClientIP: sourceIP
ServiceFileName: Service Name
event_id: EventID
EventID: EventID
dst: destinationip
dst_ip: destinationip
src: sourceip
src_ip: sourceip
c-ip: sourceip
cs-ip: sourceip
c-uri: URL
c-uri-extension: URL
c-useragent: user_agent
c-uri-query: uri_query
cs-method: Method
r-dns: FQDN
ClientIP: sourceip
ServiceFileName: ServiceFileName
event_data.CommandLine: Process CommandLine
CommandLine: Process CommandLine
file_hash: File Hash
hash: File Hash
#Message: search_payload
Event-ID: EventID
Event_ID: EventID
eventId: EventID
event-id: EventID
eventid: EventID
hashes: File Hash
url.query: URL
resource.URL: URL
event_data.CallingProcessName: CallingProcessName
event_data.ComputerName: Hostname/HOSTNAME
ComputerName: Hostname/HOSTNAME
event_data.DestinationHostname: Hostname/HOSTNAME
DestinationHostname: Hostname/HOSTNAME
event_data.DestinationIp: destinationip
event_data.DestinationPort: destinationip
event_data.Details: Target Details
Details: Target Details
event_data.FileName: Filename
event_data.Hashes: File Hash
Hashes: File Hash
event_data.Image: Image
event_data.ImageLoaded: LoadedImage
event_data.ImagePath: SourceImage
ImagePath: Image
event_data.Imphash: IMP Hash
Imphash: IMP Hash
event_data.ParentCommandLine: ParentCommandLine
event_data.ParentImage: ParentImage
event_data.ParentProcessName: ParentImageName
event_data.Path: File Path
Path: File Path
event_data.PipeName: PipeName
event_data.ProcessCommandLine: Process CommandLine
ProcessCommandLine: Process CommandLine
event_data.ServiceFileName: ServiceFileName
event_data.ShareName: ShareName
event_data.Signature: Signature
event_data.SourceImage: SourceImage
event_data.StartModule: StartModule
event_data.SubjectUserName: username
event_data.SubjectUserSid: SubjectUserSid
event_data.TargetFilename: Filename
TargetFilename: Filename
event_data.TargetImage: TargetImage
TargetImage: TargetImage
event_data.TicketOptions: TicketOptions
event_data.User: username
User: username
user: username
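Review bot: `event_data.DestinationPort: destinationip` maps a port onto the destination-address property; the neighbouring `*Ip` entries all target `destinationip`, so this reads as a copy-paste slip, and a rule filtering on DestinationPort would compare a port number against an IP and never match. Change it to `event_data.DestinationPort: destinationport`. Two adjacent entries also disagree with each other, `event_data.ImagePath: SourceImage` next to `ImagePath: Image`, and the same source field should land on one QRadar property. `c-uri-extension: URL` appears to replace the earlier `file_extension` target without a comment saying why; if the extension is no longer a separate property, say so inline.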
+15 -9
@@ -12,12 +12,14 @@ logsources:
service: syslog
zeek-category-firewall:
category: firewall
conditions:
sourcetype: 'bro:conn:json'
rewrite:
product: zeek
service: conn
zeek-category-dns:
category: dns
conditions:
sourcetype: 'bro:dns:json'
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
@@ -25,16 +27,15 @@ logsources:
service: http
zeek-category-webserver:
category: webserver
conditions:
sourcetype: 'bro:http:json'
rewrite:
product: zeek
service: http
zeek-conn:
product: zeek
service: conn
conditions:
sourcetype: 'bro:conn:json'
rewrite:
product: zeek
service: conn
zeek-conn_long:
product: zeek
service: conn_long
@@ -338,6 +339,11 @@ fieldmappings:
cs-method: method
cs-referrer: referrer
cs-version: version
# Few other variations of names from zeek source itself
id_orig_h: id.orig_h
id_orig_p: id.orig_p
id_resp_h: id.resp_h
id_resp_p: id.resp_p
# Temporary one off rule name fields
agent.version: version
c-cookie: cookie
@@ -358,7 +364,7 @@ fieldmappings:
- query
- host
- server_name
DestinationAddress:
DestinationAddress: id.resp_h
DestinationHostname:
- host
- query
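Review bot: In the second hunk the `zeek-conn` logsource both declares and rewrites to `product: zeek / service: conn`; a rewrite to the same product and service is a no-op, and if, as the hunk's 16-to-15 line count suggests, the `sourcetype: 'bro:conn:json'` condition is on the removed side, conn rules end up with no sourcetype filter at all. Keep the `conditions:` block on `zeek-conn` and drop the self-rewrite. The first hunk also leaves the three categories inconsistent: firewall and dns carry an explicit sourcetype condition in addition to their rewrite, while webserver relies on its rewrite target alone; whichever pattern is intended should be applied to all three.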
@@ -93,7 +93,6 @@ fieldmappings:
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
Message: winlog.event_data.Message
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
+2 -3
@@ -55,9 +55,9 @@ fieldmappings:
AuthenticationPackageName: event_data.AuthenticationPackageName
CallingProcessName: event_data.CallingProcessName
CallTrace: event_data.CallTrace
Channel: winlog.channel
CommandLine: event_data.CommandLine
ComputerName: computer_name
ContextInfo: event_data.ContextInfo
ComputerName: event_data.ComputerName
CurrentDirectory: event_data.CurrentDirectory
Description: event_data.Description
DestinationHostname: event_data.DestinationHostname
@@ -83,7 +83,6 @@ fieldmappings:
KeyLength: event_data.KeyLength
LogonProcessName: event_data.LogonProcessName
LogonType: event_data.LogonType
Message: event_data.Message
NewProcessName: event_data.NewProcessName
ObjectClass: event_data.ObjectClass
ObjectName: event_data.ObjectName
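Review bot: The first hunk mixes two Winlogbeat schemas: this file otherwise uses the unprefixed pre-7.x layout (`event_data.*`, `computer_name`), but the added `Channel: winlog.channel` is the 7.x ECS name, and `ComputerName: event_data.ComputerName` moves the computer name into EventData, whereas the beat reports the System-section computer name at top level (the old `computer_name`). Rules using either field would translate to names the index does not contain and stop matching. If this config targets the pre-7.x schema, `Channel: log_name` and keeping `ComputerName: computer_name` are the consistent choices; if it targets 7.x, the whole file should move to the `winlog.` prefix rather than two entries.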
+19 -3
@@ -55,15 +55,17 @@ fieldmappings:
AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
CallingProcessName: winlog.event_data.CallingProcessName
CallTrace: winlog.event_data.CallTrace
Channel: winlog.channel
CommandLine: winlog.event_data.CommandLine
ComputerName: winlog.computer_name
ContextInfo: winlog.event_data.ContextInfo
ComputerName: winlog.ComputerName
CurrentDirectory: winlog.event_data.CurrentDirectory
Description: winlog.event_data.Description
DestinationHostname: winlog.event_data.DestinationHostname
DestinationIp: winlog.event_data.DestinationIp
dst_ip: winlog.event_data.DestinationIp
DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
DestinationPort: winlog.event_data.DestinationPort
dst_port: winlog.event_data.DestinationPort
Details: winlog.event_data.Details
EngineVersion: winlog.event_data.EngineVersion
EventType: winlog.event_data.EventType
@@ -83,7 +85,6 @@ fieldmappings:
KeyLength: winlog.event_data.KeyLength
LogonProcessName: winlog.event_data.LogonProcessName
LogonType: winlog.event_data.LogonType
Message: winlog.event_data.Message
NewProcessName: winlog.event_data.NewProcessName
ObjectClass: winlog.event_data.ObjectClass
ObjectName: winlog.event_data.ObjectName
@@ -104,6 +105,8 @@ fieldmappings:
Signature: winlog.event_data.Signature
Source: winlog.event_data.Source
SourceImage: winlog.event_data.SourceImage
SourceIp: winlog.event_data.SourceIp
src_ip: winlog.event_data.SourceIp
StartModule: winlog.event_data.StartModule
Status: winlog.event_data.Status
SubjectUserName: winlog.event_data.SubjectUserName
@@ -115,3 +118,16 @@ fieldmappings:
TicketOptions: winlog.event_data.TicketOptions
User: winlog.event_data.User
WorkstationName: winlog.event_data.WorkstationName
# Channel: WLAN-Autoconfig AND EventID: 8001
AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
BSSID: winlog.event_data.BSSID
BSSType: winlog.event_data.BSSType
CipherAlgorithm: winlog.event_data.CipherAlgorithm
ConnectionId: winlog.event_data.ConnectionId
ConnectionMode: winlog.event_data.ConnectionMode
InterfaceDescription: winlog.event_data.InterfaceDescription
InterfaceGuid: winlog.event_data.InterfaceGuid
OnexEnabled: winlog.event_data.OnexEnabled
PHYType: winlog.event_data.PHYType
ProfileName: winlog.event_data.ProfileName
SSID: winlog.event_data.SSID
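Review bot: `ComputerName: winlog.ComputerName` in the first hunk appears to replace `winlog.computer_name`, but Winlogbeat's ECS schema exposes the computer name as `winlog.computer_name` (snake case, alongside `winlog.channel`, which this same hunk adds correctly); `winlog.ComputerName` is not a field the beat produces, so every rule filtering on ComputerName would stop matching. Keep `ComputerName: winlog.computer_name`. The same field change appears in the `event_data.*` sibling config earlier in this commit. In the last hunk, `# Channel: WLAN-Autoconfig AND EventID: 8001` would be easier to verify if it named the channel exactly, e.g. `# Channel: Microsoft-Windows-WLAN-AutoConfig/Operational, EventID 8001`.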