CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add RITA Elasticsearch ingest pipeline config

Browse Source
This commit is contained in:
Wes Lambert
2022-03-22 17:38:22 +00:00
parent f613d8ad86
commit 2487d468ab
3 changed files with 202 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
salt/elasticsearch/files/ingest/rita.beacon Normal file
View File

@@ -0,0 +1,127 @@
{
"description": "RITA Beacons",
"processors": [
{
"set": {
"field": "_index",
"value": "so-rita",
"override": true
}
},
{
"csv": {
"field": "message",
"target_fields": [
"beacon.score",
"source.ip",
"destination.ip",
"network.connections",
"network.average_bytes",
"beacon.interval.range",
"beacon.size.range",
"beacon.interval.top",
"beacon.size.top",
"beacon.interval.top_count",
"beacon.size.top_count",
"beacon.interval.skew",
"beacon.size.skew",
"beacon.interval.dispersion",
"beacon.size.dispersion",
"network.bytes"
]
}
},
{
"convert": {
"field": "beacon.score",
"type": "float"
}
},
{
"convert": {
"field": "network.connections",
"type": "integer"
}
},
{
"convert": {
"field": "network.average_bytes",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.interval.range",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.size.range",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.interval.top",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.size.top",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.interval.top_count",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.size.top_count",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.interval.skew",
"type": "float"
}
},
{
"convert": {
"field": "beacon.size.skew",
"type": "float"
}
},
{
"convert": {
"field": "beacon.interval.dispersion",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.size.dispersion",
"type": "integer"
}
},
{
"convert": {
"field": "network.bytes",
"type": "integer"
}
},
{ "set": { "if": "ctx.beacon?.score == 1", "field": "dataset", "value": "alert", "override": true }},
{ "set": { "if": "ctx.beacon?.score == 1", "field": "rule.name", "value": "Potential C2 Beacon Activity", "override": true }},
{ "set": { "if": "ctx.beacon?.score == 1", "field": "event.severity", "value": 3, "override": true }},
{
"pipeline": {
"name": "common"
}
}
]
}

36
salt/elasticsearch/files/ingest/rita.connection Normal file
View File

@@ -0,0 +1,36 @@
{
"description": "RITA Connections",
"processors": [
{
"set": {
"field": "_index",
"value": "so-rita",
"override": true
}
},
{
"dissect": {
"field": "message",
"pattern": "%{source.ip},%{destination.ip},%{network.port}:%{network.protocol}:%{network.service},%{connection.duration},%{connection.state}"
}
},
{
"convert": {
"field": "connection.duration",
"type": "float"
}
},
{
"set": {
"field": "event.duration",
"value": "{{ connection.duration }}",
"override": true
}
},
{
"pipeline": {
"name": "common"
}
}
]
}

39
salt/elasticsearch/files/ingest/rita.dns Normal file
View File

@@ -0,0 +1,39 @@
{
"description": "RITA DNS",
"processors": [
{
"set": {
"field": "_index",
"value": "so-rita",
"override": true
}
},
{
"csv": {
"field": "message",
"target_fields": [
"dns.question.name",
"dns.question.subdomain_count",
"dns.question.count"
]
}
},
{
"convert": {
"field": "dns.question.subdomain_count",
"type": "integer"
}
},
{
"convert": {
"field": "dns.question.count",
"type": "integer"
}
},
{
"pipeline": {
"name": "common"
}
}
]
}