diff --git a/rules/application/opencanary/opencanary_ftp_login_attempt.yml b/rules/application/opencanary/opencanary_ftp_login_attempt.yml
new file mode 100644
index 000000000..5de2b206d
--- /dev/null
+++ b/rules/application/opencanary/opencanary_ftp_login_attempt.yml
@@ -0,0 +1,24 @@
+title: OpenCanary - FTP Login Attempt
+id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
+status: experimental
+description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.initial_access
+ - attack.exfiltration
+ - attack.t1190
+ - attack.t1021
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 2000
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_git_clone_request.yml b/rules/application/opencanary/opencanary_git_clone_request.yml
new file mode 100644
index 000000000..f361cc86a
--- /dev/null
+++ b/rules/application/opencanary/opencanary_git_clone_request.yml
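Review bot: The `tags` block of the FTP rule maps a login attempt against a decoy FTP server to `attack.exfiltration` and `attack.t1190`, but T1190 is Exploit Public-Facing Application and nothing in a logtype 2000 event evidences an exploit or a data transfer; a client presenting credentials is better described as `attack.credential_access` with `attack.t1110` (Brute Force), keeping `attack.t1021` for the remote-service angle. The `falsepositives` entry `Unlikely` also undersells the most common benign source of these events, authenticated vulnerability scanners and asset-inventory tools that try default FTP credentials on every host they find, so add `- Authorized vulnerability scanners attempting FTP logins`. Because the detection keys on `logtype` alone, any allow-listing of scanner addresses has to happen downstream unless a `filter` on the event's source-address field is added to the rule.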
@@ -0,0 +1,22 @@
+title: OpenCanary - GIT Clone Request
+id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
+status: experimental
+description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.collection
+ - attack.t1213
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 16001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_http_get.yml b/rules/application/opencanary/opencanary_http_get.yml
new file mode 100644
index 000000000..11886a7e9
--- /dev/null
+++ b/rules/application/opencanary/opencanary_http_get.yml
@@ -0,0 +1,22 @@
+title: OpenCanary - HTTP GET Request
+id: af6c3078-84cd-4c68-8842-08b76bd81b13
+status: experimental
+description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 3000
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_http_post_login_attempt.yml b/rules/application/opencanary/opencanary_http_post_login_attempt.yml
new file mode 100644
index 000000000..bf5d4a219
--- /dev/null
+++ b/rules/application/opencanary/opencanary_http_post_login_attempt.yml
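Review bot: The `description` of the Git rule drops an article in `has had Git Clone request`; `description: Detects instances where a Git service on an OpenCanary node has received a git clone request.` reads correctly and matches the phrasing of the sibling rules. `GIT` in the title and description should be `Git`, since it is a name rather than an acronym.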
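Review bot: `falsepositives: - Unlikely` together with `level: high` is hard to justify for the HTTP GET rule, because logtype 3000 covers any GET the decoy web server answers rather than an authentication attempt, which the sibling rule on 3001 already handles. Crawlers, uptime monitors, internal web vulnerability scanners and a user who follows a link into the decoy will all produce 3000 events, and since fetching the login form precedes posting to it, every real probe of the form will raise this alert and the 3001 alert together at `high`. Consider `level: medium` here, leave `high` to the 3001 rule as the stronger signal, and name the benign sources, e.g. `- Authorized web vulnerability scanners and crawlers` and `- Uptime or availability monitors probing the decoy`.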
@@ -0,0 +1,23 @@
+title: OpenCanary - HTTP POST Login Attempt
+id: af1ac430-df6b-4b38-b976-0b52f07a0252
+status: experimental
+description: |
+ Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 3001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
new file mode 100644
index 000000000..93ee36d59
--- /dev/null
+++ b/rules/application/opencanary/opencanary_httpproxy_login_attempt.yml
@@ -0,0 +1,24 @@
+title: OpenCanary - HTTPPROXY Login Attempt
+id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
+status: experimental
+description: |
+ Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.initial_access
+ - attack.defense_evasion
+ - attack.t1090
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 7001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
new file mode 100644
index 000000000..045feea7a
--- /dev/null
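Review bot: The `description` of the HTTP POST rule reads `has had login attempt via Form POST`, which drops an article and wraps a single sentence in a `|` literal block; `description: Detects instances where an HTTP service on an OpenCanary node has received a login attempt via a form POST.` on one line matches the sibling rules. A `|` block scalar also keeps a trailing newline in the value, which may surface literally in tooling that renders the description.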
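Review bot: The HTTPPROXY rule's title says `Login Attempt` while its `description` says the node `has had an attempt to proxy another page`; these are different events and logtype 7001 can only be one of them. If 7001 is the proxy-authentication attempt, as the title and the file name suggest, the description should say `has received a proxy authentication attempt` and the tags should add `attack.credential_access`; if it is any proxied request, the title should drop `Login`. Analysts triage on the rule title, so the two lines need to agree before the rule ships.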
+++ b/rules/application/opencanary/opencanary_mssql_login_sqlauth.yml
@@ -0,0 +1,25 @@
+title: OpenCanary - MSSQL Login Attempt Via SQLAuth
+id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
+status: experimental
+description: |
+ Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1003
+ - attack.t1213
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 9001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_mssql_login_winauth.yml b/rules/application/opencanary/opencanary_mssql_login_winauth.yml
new file mode 100644
index 000000000..af3443b41
--- /dev/null
+++ b/rules/application/opencanary/opencanary_mssql_login_winauth.yml
@@ -0,0 +1,25 @@
+title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
+id: 6e78f90f-0043-4a01-ac41-f97681613a66
+status: experimental
+description: |
+ Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1003
+ - attack.t1213
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 9002
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
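Review bot: The `tags` block maps an MSSQL login attempt to `attack.t1003` (OS Credential Dumping) and `attack.t1213` (Data from Information Repositories), neither of which describes a client presenting credentials to a decoy database; `attack.t1110` (Brute Force) under `attack.credential_access` is the technique a logtype 9001 event actually evidences, and T1213 only becomes defensible after access succeeds, which a honeypot never grants. The same tagging is repeated in the WinAuth, MySQL and Redis rules in this change, so it is worth fixing consistently across all four. Suggested replacement for the technique tags: `- attack.credential_access` and `- attack.t1110`.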
diff --git a/rules/application/opencanary/opencanary_mysql_login_attempt.yml b/rules/application/opencanary/opencanary_mysql_login_attempt.yml
new file mode 100644
index 000000000..171854980
--- /dev/null
+++ b/rules/application/opencanary/opencanary_mysql_login_attempt.yml
@@ -0,0 +1,24 @@
+title: OpenCanary - MySQL Login Attempt
+id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
+status: experimental
+description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1003
+ - attack.t1213
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 8001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_ntp_monlist.yml b/rules/application/opencanary/opencanary_ntp_monlist.yml
new file mode 100644
index 000000000..403d4f58f
--- /dev/null
+++ b/rules/application/opencanary/opencanary_ntp_monlist.yml
@@ -0,0 +1,22 @@
+title: OpenCanary - NTP Monlist Request
+id: 7cded4b3-f09e-405a-b96f-24248433ba44
+status: experimental
+description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.impact
+ - attack.t1498
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 11001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
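Review bot: The NTP rule should warn analysts that the source address in a logtype 11001 event is not reliably the sender: monlist is a UDP request that is used for reflection and amplification attacks, so the recorded source is frequently a spoofed third-party victim, and attributing or blocking on it is a mistake the current alert text invites. Adding a sentence to the `description` such as `The source address may be spoofed when the decoy is being used as a reflector.` would set expectations, and a `falsepositives` entry `- Reflection attacks that spoof a third party's address as the source` covers the triage outcome. Minor: `a NTP monlist request` in the description should read `an NTP monlist request`.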
diff --git a/rules/application/opencanary/opencanary_redis_command.yml b/rules/application/opencanary/opencanary_redis_command.yml
new file mode 100644
index 000000000..8f72baca5
--- /dev/null
+++ b/rules/application/opencanary/opencanary_redis_command.yml
@@ -0,0 +1,24 @@
+title: OpenCanary - REDIS Action Command Attempt
+id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
+status: experimental
+description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1003
+ - attack.t1213
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 17001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_sip_request.yml b/rules/application/opencanary/opencanary_sip_request.yml
new file mode 100644
index 000000000..12388c79b
--- /dev/null
+++ b/rules/application/opencanary/opencanary_sip_request.yml
@@ -0,0 +1,22 @@
+title: OpenCanary - SIP Request
+id: e30de276-68ec-435c-ab99-ef3befec6c61
+status: experimental
+description: Detects instances where an SIP service on an OpenCanary node has had a SIP request.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.collection
+ - attack.t1123
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 15001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
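Review bot: `attack.t1123` (Audio Capture) on the SIP rule is not supported by what a logtype 15001 event shows, which is an unsolicited SIP request reaching a decoy; that is reconnaissance of a VoIP service, so `attack.discovery` with `attack.t1046` (Network Service Discovery) is the closer mapping and claims only what the event evidences. SIP scanners sweep whole ranges with OPTIONS requests, so `falsepositives: - Unlikely` should at least name `- Authorized VoIP or vulnerability scanners`. Minor: `an SIP service` in the description should read `a SIP service`.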
diff --git a/rules/application/opencanary/opencanary_smb_file_open.yml b/rules/application/opencanary/opencanary_smb_file_open.yml
new file mode 100644
index 000000000..543a490d3
--- /dev/null
+++ b/rules/application/opencanary/opencanary_smb_file_open.yml
@@ -0,0 +1,24 @@
+title: OpenCanary - SMB File Open Request
+id: 22777c9e-873a-4b49-855f-6072ab861a52
+status: experimental
+description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.lateral_movement
+ - attack.collection
+ - attack.t1021
+ - attack.t1005
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 5000
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_snmp_cmd.yml b/rules/application/opencanary/opencanary_snmp_cmd.yml
new file mode 100644
index 000000000..26a207ce5
--- /dev/null
+++ b/rules/application/opencanary/opencanary_snmp_cmd.yml
@@ -0,0 +1,24 @@
+title: OpenCanary - SNMP OID Request
+id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
+status: experimental
+description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.discovery
+ - attack.lateral_movement
+ - attack.t1016
+ - attack.t1021
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 13001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_ssh_login_attempt.yml b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
new file mode 100644
index 000000000..1e7a6691c
--- /dev/null
+++ b/rules/application/opencanary/opencanary_ssh_login_attempt.yml
@@ -0,0 +1,26 @@
+title: OpenCanary - SSH Login Attempt
+id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
+status: experimental
+description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.initial_access
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.t1133
+ - attack.t1021
+ - attack.t1078
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 4002
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
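Review bot: `falsepositives: - Unlikely` is wrong for the SNMP rule in most environments: network-management systems and asset-discovery tools poll every reachable host with SNMP GET requests, so a decoy answering on 161/udp will see logtype 13001 events from them routinely. List them, e.g. `- Network monitoring systems and asset-inventory tools polling SNMP`, and consider `level: medium` unless the decoy is deployed where no NMS polls. The `attack.lateral_movement` / `attack.t1021` tags are also a stretch for a read-only OID request; `attack.t1046` under the existing `attack.discovery` describes it better.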
diff --git a/rules/application/opencanary/opencanary_ssh_new_connection.yml b/rules/application/opencanary/opencanary_ssh_new_connection.yml
new file mode 100644
index 000000000..eba6b2a9e
--- /dev/null
+++ b/rules/application/opencanary/opencanary_ssh_new_connection.yml
@@ -0,0 +1,26 @@
+title: OpenCanary - SSH New Connection Attempt
+id: cd55f721-5623-4663-bd9b-5229cab5237d
+status: experimental
+description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.initial_access
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.t1133
+ - attack.t1021
+ - attack.t1078
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 4000
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_telnet_login_attempt.yml b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
new file mode 100644
index 000000000..c3f853d71
--- /dev/null
+++ b/rules/application/opencanary/opencanary_telnet_login_attempt.yml
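Review bot: The SSH new-connection rule on logtype 4000 is rated `level: high` with `falsepositives: - Unlikely`, yet by its own title it fires on a connection attempt rather than on authentication, so every port scan, banner grab and inventory sweep will trigger it, and every real login attempt will raise this alert and the 4002 alert from the sibling rule together. Consider `level: low` or `level: medium` here, leave `high` to the 4002 login-attempt rule, and document the benign sources with `- Authorized port and vulnerability scanners`. The tags, copied from the login rule, also overclaim: a bare TCP connection does not evidence `attack.t1078` or `attack.persistence`.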
@@ -0,0 +1,24 @@
+title: OpenCanary - Telnet Login Attempt
+id: 512cff7a-683a-43ad-afe0-dd398e872f36
+status: experimental
+description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.initial_access
+ - attack.command_and_control
+ - attack.t1133
+ - attack.t1078
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 6001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_tftp_request.yml b/rules/application/opencanary/opencanary_tftp_request.yml
new file mode 100644
index 000000000..0d35635ed
--- /dev/null
+++ b/rules/application/opencanary/opencanary_tftp_request.yml
@@ -0,0 +1,22 @@
+title: OpenCanary - TFTP Request
+id: b4e6b016-a2ac-4759-ad85-8000b300d61e
+status: experimental
+description: Detects instances where a TFTP service on an OpenCanary node has had a request.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.exfiltration
+ - attack.t1041
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 10001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/application/opencanary/opencanary_vnc_connection_attempt.yml b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
new file mode 100644
index 000000000..03255b073
--- /dev/null
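Review bot: `attack.command_and_control` on the Telnet rule is not supported by a logtype 6001 login attempt; a client trying credentials on a decoy telnet service is `attack.credential_access` / `attack.t1110`, and the existing `attack.initial_access` / `attack.t1133` pair already covers the external-service angle. Telnet brute forcing from IoT botnets is constant on anything internet-reachable, so if the node is exposed this rule will be high-volume; that is worth a sentence in the `description` so the SOC sizes its response accordingly, even though those hits are true positives.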
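Review bot: The TFTP rule tags a logtype 10001 request as `attack.exfiltration` / `attack.t1041` (Exfiltration Over C2 Channel), but T1041 presupposes an established C2 channel that a hit on a decoy does not show, and a request to a TFTP server is far more often a read of a config or payload, for which `attack.t1105` (Ingress Tool Transfer) under `attack.command_and_control`, or plain `attack.discovery`, fits the evidence better. PXE boot clients and device-provisioning tools also issue TFTP reads broadly, so `falsepositives` should mention `- PXE boot or device provisioning traffic reaching the decoy` rather than `Unlikely`.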
+++ b/rules/application/opencanary/opencanary_vnc_connection_attempt.yml
@@ -0,0 +1,22 @@
+title: OpenCanary - VNC Connection Attempt
+id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
+status: experimental
+description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
+references:
+ - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+ - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+author: Security Onion Solutions
+date: 2024/03/08
+tags:
+ - attack.lateral_movement
+ - attack.t1021
+logsource:
+ category: application
+ product: opencanary
+detection:
+ selection:
+ logtype: 12001
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/tests/logsource.json b/tests/logsource.json
index abf853e80..1f6d7b8c9 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -266,6 +266,14 @@
 },
 "service":{}
 },
+ "opencanary":{
+ "commun": [],
+ "empty": [],
+ "category":{
+ "application":[]
+ },
+ "service":{}
+ },
 "velocity":{
 "commun": [],
 "empty": [],
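Review bot: As with the SSH new-connection rule, the VNC rule fires on a connection attempt (logtype 12001) rather than on an authentication attempt, so port scanners and inventory tools will trigger it and `falsepositives: - Unlikely` with `level: high` will not hold up in practice; add `- Authorized port and vulnerability scanners` and consider `level: medium`. If the decoy also logs the RFB authentication exchange as a separate event, a rule on that event would be the better candidate for `high`.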