sigma-rules/docs/typosquatting_rule.md
David French f77e18977a Generate detection rule to alert on traffic to typosquatting/homonym domains (#1199)
* create new cli commands

* add kibana object to create_dnstwist_rule

* Adding code for index-dnstwist-results

* Changed es to es_client

* Tested. It works!

* flake8-ed

* Adding timestamps

* use eql.utils.load_dump to load json file

* rename data to dnstwist_data

* start working on create-dnstwist-rule command

* add print statements for user

* tweak formatting for line length

* add template threat match rule file

* continue working on threat match rule creation

* create rule using TomlRuleContents

* save rule to toml file

* Moving rule creation to eswrap.py

* Moving create dnstwist rule stuff to eswrap

* Fixed imports

* flake8 fixes

* More flake8 fixes

* fix usage of @add_client('kibana')

* use ctx.invoke to upload rule

* cleanup record assembly and use bulk api

* swap order of notes in `note` for sample rule

* small modifications

* move command to root click group

* remove unused click group

* Update detection_rules/main.py

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* remove rule upload and convert template to ndjson

* Adding docs for typosquatting rule

* renaming the file

* Adding a note

* separate index and rule prep commands

* Final changes

Co-authored-by: Apoorva <appujo@gmail.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>

(cherry picked from commit 90aa65aed3)
2021-09-03 20:36:52 +00:00


# Generating a detection rule to alert on traffic to typosquatting or homonym domains

## What does the rule do?

This rule helps detect spoofing attacks that use lookalike domains of the domains you want to protect.

## Steps

1. Run dnstwist on the domain you want to watch

E.g.:

```shell
dnstwist --format json elastic.co | jq
```

This should give you a JSON file consisting of potentially malicious lookalike domains for your domain (redirect the output to a file so it can be used as the input of the next step).

2. Index the lookalike domains into Elasticsearch

In order to detect network activity on the lookalike domains using a threat match rule, you first need to index these domains into an Elasticsearch index using the following CLI command:

```shell
python -m detection_rules typosquat create-dnstwist-index [OPTIONS] INPUT_FILE
```

3. Prep the rule to alert on the generated indexes

Run the following CLI command to generate the typosquat rule file, which you will then import into Kibana:

```shell
python -m detection_rules typosquat prep-rule [OPTIONS] AUTHOR
```

4. Import the rule into Kibana

Import the ndjson rule file generated in the previous step into Kibana via the Detection rules UI.

5. Detect potentially malicious network activity targeting your organization!
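Steps 2 and 3 are easiest to understand on concrete data. The following is an added example, not code from the detection-rules project: it parses constructed dnstwist JSON output, keeps only the permutations that actually resolve, assembles the Elasticsearch Bulk API body that an index command would send, and then shows the comparison a threat match rule performs between observed DNS query names and the indexed lookalike list. The `dns.question.registered_domain` field layout, the `dnstwist-*` index name, the sample domains and the IP addresses are assumptions for illustration, not the project's real schema or real scan results.

```python
"""Added example: dnstwist output -> Bulk API body -> threat-match style comparison.

Not part of the detection-rules project; field names and sample data are assumptions.
"""
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample of dnstwist JSON output for elastic.co (not real scan results).
# Key names follow the dnstwist JSON format; IPs are documentation ranges.
DNSTWIST_SAMPLE = json.dumps([
    {"fuzzer": "original*", "domain-name": "elastic.co", "dns-a": ["203.0.113.10"]},
    {"fuzzer": "homoglyph", "domain-name": "e1astic.co", "dns-a": ["198.51.100.7"]},
    {"fuzzer": "omission", "domain-name": "elasti.co", "dns-mx": ["mail.elasti.co"]},
    {"fuzzer": "addition", "domain-name": "elasticq.co"},  # unregistered: no dns-* data
])

# dnstwist only fills these keys for permutations that resolve.
DNS_KEYS = ("dns-a", "dns-aaaa", "dns-mx", "dns-ns")


def load_lookalikes(dnstwist_json: str, watched_domain: str) -> List[dict]:
    """Keep only permutations that resolve (have any dns-* data).

    Unregistered permutations cannot receive traffic, so indexing them would only
    bloat the threat list. The watched domain itself is skipped.
    """
    lookalikes = []
    for entry in json.loads(dnstwist_json):
        # Newer dnstwist releases call the key "domain" instead of "domain-name".
        name = (entry.get("domain-name") or entry.get("domain") or "").lower()
        if not name or name == watched_domain:
            continue
        if not any(entry.get(key) for key in DNS_KEYS):
            continue
        lookalikes.append({"domain": name, "fuzzer": entry["fuzzer"],
                           "watched_domain": watched_domain})
    return lookalikes


def bulk_body(lookalikes: List[dict], index_name: str,
              timestamp: Optional[str] = None) -> str:
    """Build the newline-delimited body for POST /_bulk (action line, then document)."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    lines = []
    for item in lookalikes:
        # Assumed layout loosely modelled on ECS dns.* fields, chosen so a threat
        # match rule can compare dns.question.registered_domain on both sides.
        doc = {
            "@timestamp": ts,
            "dns": {"question": {"registered_domain": item["domain"]}},
            "dnstwist": {"fuzzer": item["fuzzer"],
                         "watched_domain": item["watched_domain"]},
        }
        lines.append(json.dumps({"index": {"_index": index_name}}))
        lines.append(json.dumps(doc))
    # The Bulk API requires a trailing newline after the last document line.
    return "\n".join(lines) + "\n"


def match_queries(observed_queries: List[str],
                  lookalikes: List[dict]) -> List[Tuple[str, str]]:
    """Mimic the threat match: flag a DNS query whose name is, or sits under, an
    indexed lookalike domain. Returns (query, matched_lookalike) pairs."""
    hits = []
    for query in observed_queries:
        name = query.lower().rstrip(".")
        for item in lookalikes:
            domain = item["domain"]
            if name == domain or name.endswith("." + domain):
                hits.append((query, domain))
                break
    return hits


if __name__ == "__main__":
    found = load_lookalikes(DNSTWIST_SAMPLE, "elastic.co")
    print(bulk_body(found, "dnstwist-elastic.co"))
    # Constructed DNS query names as an endpoint or DNS log might report them.
    print(match_queries(["www.e1astic.co", "elastic.co", "elasti.co", "mail.example.org"], found))
```

Only the two resolving permutations make it into the bulk body, and only queries for those names (or subdomains of them) are flagged; the legitimate `elastic.co` query and an unrelated domain are left alone, which is the behaviour you want from the imported rule.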

## Note

You DO NOT need to re-import the rule file each time you have an additional domain to track. For each new domain, run Step 1 to generate the JSON file consisting of lookalike domains for that domain, followed by the CLI command in Step 2 to index these domains into a new index. This index will automatically be picked up by the rule you imported in Step 4.