Merge branch '2.4/dev' into jertel/wip

Jason Ertel
2025-01-15 11:06:05 -05:00
26 changed files with 1659 additions and 8 deletions


@@ -53,6 +53,7 @@ elasticfleet:
- citrix_adc - citrix_adc
- citrix_waf - citrix_waf
- cloudflare - cloudflare
- cloudflare_logpush
- crowdstrike - crowdstrike
- darktrace - darktrace
- elastic_agent - elastic_agent


@@ -3671,6 +3671,834 @@ elasticsearch:
set_priority: set_priority:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-logs-cloudflare_logpush_x_access_request:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.access_request@package
- logs-cloudflare_logpush.access_request@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.access_request@custom
index_patterns:
- logs-cloudflare_logpush.access_request-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.access_request-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_audit:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.audit@package
- logs-cloudflare_logpush.audit@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.audit@custom
index_patterns:
- logs-cloudflare_logpush.audit-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.audit-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_casb:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.casb@package
- logs-cloudflare_logpush.casb@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.casb@custom
index_patterns:
- logs-cloudflare_logpush.casb-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.casb-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_device_posture:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.device_posture@package
- logs-cloudflare_logpush.device_posture@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.device_posture@custom
index_patterns:
- logs-cloudflare_logpush.device_posture-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.device_posture-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_dns:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.dns@package
- logs-cloudflare_logpush.dns@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.dns@custom
index_patterns:
- logs-cloudflare_logpush.dns-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.dns-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_dns_firewall:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.dns_firewall@package
- logs-cloudflare_logpush.dns_firewall@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.dns_firewall@custom
index_patterns:
- logs-cloudflare_logpush.dns_firewall-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.dns_firewall-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_firewall_event:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.firewall_event@package
- logs-cloudflare_logpush.firewall_event@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.firewall_event@custom
index_patterns:
- logs-cloudflare_logpush.firewall_event-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.firewall_event-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_gateway_dns:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.gateway_dns@package
- logs-cloudflare_logpush.gateway_dns@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.gateway_dns@custom
index_patterns:
- logs-cloudflare_logpush.gateway_dns-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.gateway_dns-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_gateway_http:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.gateway_http@package
- logs-cloudflare_logpush.gateway_http@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.gateway_http@custom
index_patterns:
- logs-cloudflare_logpush.gateway_http-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.gateway_http-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_gateway_network:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.gateway_network@package
- logs-cloudflare_logpush.gateway_network@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.gateway_network@custom
index_patterns:
- logs-cloudflare_logpush.gateway_network-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.gateway_network-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_http_request:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.http_request@package
- logs-cloudflare_logpush.http_request@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.http_request@custom
index_patterns:
- logs-cloudflare_logpush.http_request-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.http_request-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_magic_ids:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.magic_ids@package
- logs-cloudflare_logpush.magic_ids@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.magic_ids@custom
index_patterns:
- logs-cloudflare_logpush.magic_ids-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.magic_ids-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_nel_report:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.nel_report@package
- logs-cloudflare_logpush.nel_report@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.nel_report@custom
index_patterns:
- logs-cloudflare_logpush.nel_report-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.nel_report-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_network_analytics:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.network_analytics@package
- logs-cloudflare_logpush.network_analytics@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.network_analytics@custom
index_patterns:
- logs-cloudflare_logpush.network_analytics-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.network_analytics-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_network_session:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.network_session@package
- logs-cloudflare_logpush.network_session@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.network_session@custom
index_patterns:
- logs-cloudflare_logpush.network_session-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.network_session-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_sinkhole_http:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.sinkhole_http@package
- logs-cloudflare_logpush.sinkhole_http@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.sinkhole_http@custom
index_patterns:
- logs-cloudflare_logpush.sinkhole_http-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.sinkhole_http-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_spectrum_event:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.spectrum_event@package
- logs-cloudflare_logpush.spectrum_event@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.spectrum_event@custom
index_patterns:
- logs-cloudflare_logpush.spectrum_event-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.spectrum_event-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-cloudflare_logpush_x_workers_trace:
index_sorting: false
index_template:
composed_of:
- logs-cloudflare_logpush.workers_trace@package
- logs-cloudflare_logpush.workers_trace@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-cloudflare_logpush.workers_trace@custom
index_patterns:
- logs-cloudflare_logpush.workers_trace-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-cloudflare_logpush.workers_trace-logs
number_of_replicas: 0
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_alert: so-logs-crowdstrike_x_alert:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -3679,6 +4507,8 @@ elasticsearch:
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-crowdstrike.alert-logs
number_of_replicas: 0 number_of_replicas: 0
composed_of: composed_of:
- logs-crowdstrike.alert@package - logs-crowdstrike.alert@package
@@ -3723,6 +4553,8 @@ elasticsearch:
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-crowdstrike.falcon-logs
number_of_replicas: 0 number_of_replicas: 0
composed_of: composed_of:
- logs-crowdstrike.falcon@package - logs-crowdstrike.falcon@package
@@ -3767,6 +4599,8 @@ elasticsearch:
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-crowdstrike.fdr-logs
number_of_replicas: 0 number_of_replicas: 0
composed_of: composed_of:
- logs-crowdstrike.fdr@package - logs-crowdstrike.fdr@package
@@ -3811,6 +4645,8 @@ elasticsearch:
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-crowdstrike.host-logs
number_of_replicas: 0 number_of_replicas: 0
composed_of: composed_of:
- logs-crowdstrike.host@package - logs-crowdstrike.host@package
@@ -8271,6 +9107,7 @@ elasticsearch:
index_sorting: false index_sorting: false
index_template: index_template:
composed_of: composed_of:
- okta-mappings
- logs-okta.system@package - logs-okta.system@package
- logs-okta.system@custom - logs-okta.system@custom
- so-fleet_globals-1 - so-fleet_globals-1
@@ -10775,6 +11612,8 @@ elasticsearch:
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-trend_micro_vision_one.alert-logs
number_of_replicas: 0 number_of_replicas: 0
composed_of: composed_of:
- "logs-trend_micro_vision_one.alert@package" - "logs-trend_micro_vision_one.alert@package"
@@ -10819,6 +11658,8 @@ elasticsearch:
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-trend_micro_vision_one.audit-logs
number_of_replicas: 0 number_of_replicas: 0
ignore_missing_component_templates: ignore_missing_component_templates:
- "logs-trend_micro_vision_one.audit@custom" - "logs-trend_micro_vision_one.audit@custom"
@@ -10863,6 +11704,8 @@ elasticsearch:
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-trend_micro_vision_one.detection-logs
number_of_replicas: 0 number_of_replicas: 0
ignore_missing_component_templates: ignore_missing_component_templates:
- "logs-trend_micro_vision_one.detection@custom" - "logs-trend_micro_vision_one.detection@custom"
@@ -10907,6 +11750,8 @@ elasticsearch:
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-trend_micro_vision_one.deep_security-logs
number_of_replicas: 0 number_of_replicas: 0
ignore_missing_component_templates: ignore_missing_component_templates:
- "logs-trendmicro.deep_security@custom" - "logs-trendmicro.deep_security@custom"
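Review bot: The lifecycle name added for the Deep Security stream, `name: so-logs-trend_micro_vision_one.deep_security-logs`, uses a different package prefix from the custom component template of that same entry, `logs-trendmicro.deep_security@custom`, whereas every other entry in this commit derives the policy name from the stream's own package.dataset (for example `so-logs-cloudflare_logpush.audit-logs` for `logs-cloudflare_logpush.audit-*`). If the ILM policy is created from the entry key, as the cloudflare entries suggest, this stream would point at a policy that is never created and Elasticsearch would index it with no lifecycle at all — rollover, cold-tiering and the 365d delete would silently never run. The entry key and index pattern are outside the hunk, so confirm which prefix they use; if it is `trendmicro`, the line should read `name: so-logs-trendmicro.deep_security-logs`.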


@@ -0,0 +1,25 @@
{
"description": "zeek.ldap",
"processors": [
{"set": {"field": "event.dataset", "value": "ldap"}},
{"json": {"field": "message", "target_field": "message2", "ignore_failure": true}},
{"rename": {"field": "message2.message_id", "target_field": "ldap.message_id", "ignore_missing": true}},
{"rename": {"field": "message2.opcode", "target_field": "ldap.opcode", "ignore_missing": true}},
{"rename": {"field": "message2.result", "target_field": "ldap.result", "ignore_missing": true}},
{"rename": {"field": "message2.diagnostic_message", "target_field": "ldap.diagnostic_message", "ignore_missing": true}},
{"rename": {"field": "message2.version", "target_field": "ldap.version", "ignore_missing": true}},
{"rename": {"field": "message2.object", "target_field": "ldap.object", "ignore_missing": true}},
{"rename": {"field": "message2.argument", "target_field": "ldap.argument", "ignore_missing": true}},
{"rename": {"field": "message2.scope", "target_field": "ldap_search.scope", "ignore_missing":true}},
{"rename": {"field": "message2.deref_aliases", "target_field": "ldap_search.deref_aliases", "ignore_missing":true}},
{"rename": {"field": "message2.base_object", "target_field": "ldap.object", "ignore_missing":true}},
{"rename": {"field": "message2.result_count", "target_field": "ldap_search.result_count", "ignore_missing":true}},
{"rename": {"field": "message2.filter", "target_field": "ldap_search.filter", "ignore_missing":true}},
{"rename": {"field": "message2.attributes", "target_field": "ldap_search.attributes", "ignore_missing":true}},
{"script": {"source": "if (ctx.containsKey('ldap') && ctx.ldap.containsKey('diagnostic_message') && ctx.ldap.diagnostic_message != null) {\n String message = ctx.ldap.diagnostic_message;\n\n // get user and property from SASL success\n if (message.toLowerCase().contains(\"sasl(0): successful result\")) {\n Pattern pattern = /user:\\s*([^ ]+)\\s*property:\\s*([^ ]+)/i;\n Matcher matcher = pattern.matcher(message);\n if (matcher.find()) {\n ctx.ldap.user_email = matcher.group(1); // Extract user email\n ctx.ldap.property = matcher.group(2); // Extract property\n }\n }\n if (message.toLowerCase().contains(\"ldaperr:\")) {\n Pattern pattern = /comment:\\s*([^,]+)/i;\n Matcher matcher = pattern.matcher(message);\n\n if (matcher.find()) {\n ctx.ldap.comment = matcher.group(1);\n }\n }\n }","ignore_failure": true}},
{"script": {"source": "if (ctx.containsKey('ldap') && ctx.ldap.containsKey('object') && ctx.ldap.object != null) {\n String message = ctx.ldap.object;\n\n // parse common name from ldap object\n if (message.toLowerCase().contains(\"cn=\")) {\n Pattern pattern = /cn=([^,]+)/i;\n Matcher matcher = pattern.matcher(message);\n if (matcher.find()) {\n ctx.ldap.common_name = matcher.group(1); // Extract CN\n }\n }\n // build domain from ldap object\n if (message.toLowerCase().contains(\"dc=\")) {\n Pattern dcPattern = /dc=([^,]+)/i;\n Matcher dcMatcher = dcPattern.matcher(message);\n\n StringBuilder domainBuilder = new StringBuilder();\n while (dcMatcher.find()) {\n if (domainBuilder.length() > 0 ){\n domainBuilder.append(\".\");\n }\n domainBuilder.append(dcMatcher.group(1));\n }\n if (domainBuilder.length() > 0) {\n ctx.ldap.domain = domainBuilder.toString();\n }\n }\n // create list of any organizational units from ldap object\n if (message.toLowerCase().contains(\"ou=\")) {\n Pattern ouPattern = /ou=([^,]+)/i;\n Matcher ouMatcher = ouPattern.matcher(message);\n ctx.ldap.organizational_unit = [];\n\n while (ouMatcher.find()) {\n ctx.ldap.organizational_unit.add(ouMatcher.group(1));\n }\n if(ctx.ldap.organizational_unit.isEmpty()) {\n ctx.remove(\"ldap.organizational_unit\");\n }\n }\n}\n","ignore_failure": true}},
{"remove": {"field": "message2.tags","ignore_failure": true}},
{"remove": {"field": ["host"],"ignore_failure": true}},
{"pipeline": {"name": "zeek.common"}}
]
}
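Review bot: `ctx.remove("ldap.organizational_unit")` in the second script never removes the nested field — Painless `ctx.remove` takes a literal top-level key, so it looks for a key spelled `ldap.organizational_unit` and leaves the empty list under `ldap` in place; it should be `ctx.ldap.remove('organizational_unit')`. Both scripts run with `ignore_failure: true`, so a regex or null-dereference error is swallowed instead of surfacing as a pipeline failure; an `on_failure` that tags the event, or at least a comment explaining why silent failure is acceptable here, would help the next maintainer. The SASL extraction stores whatever follows `user:` as `ldap.user_email`, but the regex only captures a non-space token, which may be a bare account name or DN fragment rather than an email address — naming it `ldap.user`, or documenting the format assumption, would be less misleading for analysts pivoting on it. Note also that `object` and `base_object` both rename into `ldap.object`; that is fine as long as a single Zeek record never carries both, which Zeek's separate ldap/ldap_search logs suggest but this pipeline does not enforce.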


@@ -0,0 +1,9 @@
{
"description":"zeek.ldap_search",
"processors":[
{"pipeline": {"name": "zeek.ldap", "ignore_missing_pipeline":true,"ignore_failure":true}},
{"set": {"field": "event.dataset", "value":"ldap_search"}},
{"remove": {"field": "tags", "ignore_missing":true}},
{"pipeline": {"name": "zeek.common"}}
]
}
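Review bot: `zeek.common` is invoked twice for every ldap_search event — once at the end of the nested `zeek.ldap` pipeline and again as this pipeline's last processor — and the first pass runs while `event.dataset` is still `ldap`, because zeek.ldap sets it before this pipeline overrides it. Whatever zeek.common derives from the dataset or tags (it is not visible here) is therefore computed under the wrong dataset and then redone, and the `remove tags` step between the two calls reads like a workaround for exactly that. A cleaner shape is to move zeek.ldap's rename and script processors into a shared sub-pipeline that both `zeek.ldap` and `zeek.ldap_search` call, each followed by a single `zeek.common` call. Separately, `ignore_missing_pipeline: true` combined with `ignore_failure: true` means a missing or broken zeek.ldap silently yields events that carry only the raw `message`; dropping `ignore_failure` on that processor would make such a deployment error visible instead of producing unparsed LDAP events.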


@@ -834,6 +834,81 @@
} }
} }
}, },
"ldap": {
"type": "object",
"properties": {
"message_id": {
"type": "short"
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"diagnostic_message": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "short"
},
"object": {
"ignore_above": 1024,
"type": "keyword"
},
"argument": {
"ignore_above": 1024,
"type": "keyword"
},
"user_email": {
"ignore_above": 1024,
"type": "keyword"
},
"property": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ldap_search": {
"type": "object",
"properties": {
"scope": {
"ignore_above": 1024,
"type": "keyword"
},
"deref_aliases": {
"ignore_above": 1024,
"type": "keyword"
},
"result_count": {
"type": "long"
},
"filter": {
"ignore_above": 1024,
"type": "keyword"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"modbus": { "modbus": {
"properties": { "properties": {
"exception": { "exception": {
@@ -1176,24 +1251,30 @@
"type": "object", "type": "object",
"properties": { "properties": {
"server_name": { "server_name": {
"ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"version": { "version": {
"type": "short" "type": "short"
}, },
"client_initial_dcid": { "client_initial_dcid": {
"ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"client_scid": { "client_scid": {
"ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"server_scid": { "server_scid": {
"ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"client_protocol": { "client_protocol": {
"ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"history": { "history": {
"ignore_above": 1024,
"type": "keyword" "type": "keyword"
} }
} }
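Review bot: `ldap.message_id` is mapped as `short`, but an LDAP MessageID is a 32-bit INTEGER (0..2147483647 per RFC 4511); a client that has issued more than 32767 requests on one connection produces IDs the mapping rejects, and with no `ignore_malformed` the whole document fails to index — which is precisely the long-lived enumeration session a defender most wants to keep. Change it to `"type": "integer"`. Likewise `ldap_search.filter` is a `keyword` with `ignore_above: 1024`; reconnaissance filters (tooling that enumerates many object classes or attributes in a single request) can exceed that length and would then be stored but not indexed, so a hunt on the filter finds nothing. Either raise `ignore_above` for that field or add a `text` subfield so long filters remain searchable.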


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}
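Review bot: This template — and the eighteen byte-identical ones that follow, presumably the per-dataset `@custom` component templates referenced from the elasticsearch defaults — forces `host.ip`, `related.ip`, `source.ip` and `destination.ip` to type `ip`, and the `ip` type rejects the entire document when a value is not a parseable address. If any of these Cloudflare datasets can carry a hostname, an empty string or a CIDR in one of those fields, add `"ignore_malformed": true` to each so a single bad field does not drop the event. Nineteen identical files are also a drift hazard: a future change applied to some but not all would leave the datasets with divergent field types, so a single shared component template listed in each stream's `composed_of` would be easier to keep consistent.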


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -49,6 +49,13 @@ navigatorconfig:
- makedirs: True - makedirs: True
- template: jinja - template: jinja
navigatorlayersdir:
file.directory:
- name: /opt/so/conf/navigator/layers/
- user: 939
- group: 939
- makedirs: True
nginx_sbin: nginx_sbin:
file.recurse: file.recurse:
- name: /usr/sbin - name: /usr/sbin
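Review bot: `navigatorlayersdir` creates `/opt/so/conf/navigator/layers/` owned by uid/gid 939 but declares no `dir_mode`, so the directory's permissions fall out of the minion's umask at creation time rather than being stated by the state; the sibling `navigatorconfig` state starts outside the hunk, so I cannot tell whether it sets one either. Add an explicit `- dir_mode: 755` (or `750` if only the navigator container needs to read the layer files) so the result is reproducible and cannot end up group- or world-writable on a minion with a permissive umask. `makedirs: True` will create any missing parents with default permissions too, which is another reason to pin the mode here.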


@@ -284,6 +284,27 @@ soc:
- kerberos.service - kerberos.service
- kerberos.request_type - kerberos.request_type
- log.id.uid - log.id.uid
'::ldap':
- soc_timestamp
- event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- ldap.result
- ldap.common_name
- ldap.object
- ldap.opcode
'::ldap_search':
- soc_timestamp
- event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- ldap.result
- ldap.object
- ldap_search.filter
'::modbus': '::modbus':
- soc_timestamp - soc_timestamp
- event.dataset - event.dataset
@@ -1696,23 +1717,23 @@ soc:
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by destination port description: HTTP grouped by destination port
query: 'tags:(http OR http2) | groupby destination.port' query: '(tags:http OR tags:http2) | groupby destination.port'
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by status code and message description: HTTP grouped by status code and message
query: 'tags:(http OR http2) | groupby http.status_code http.status_message' query: '(tags:http OR tags:http2) | groupby http.status_code http.status_message'
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by method and user agent description: HTTP grouped by method and user agent
query: 'tags:(http OR http2) | groupby http.method http.useragent' query: '(tags:http OR tags:http2) | groupby http.method http.useragent'
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by virtual host description: HTTP grouped by virtual host
query: 'tags:(http OR http2) | groupby http.virtual_host' query: '(tags:http OR tags:http2) | groupby http.virtual_host'
showSubtitle: true showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP with exe downloads description: HTTP with exe downloads
query: 'tags:(http OR http2) AND file.resp_mime_types:*exec* | groupby http.virtual_host' query: '(tags:http OR tags:http2) AND file.resp_mime_types:*exec* | groupby http.virtual_host'
showSubtitle: true showSubtitle: true
- name: Intel - name: Intel
description: Intel framework hits grouped by indicator description: Intel framework hits grouped by indicator
@@ -1726,6 +1747,14 @@ soc:
description: KERBEROS grouped by service description: KERBEROS grouped by service
query: 'tags:kerberos | groupby kerberos.service' query: 'tags:kerberos | groupby kerberos.service'
showSubtitle: true showSubtitle: true
- name: LDAP
description: LDAP grouped by source ip and result
query: 'tags:ldap | groupby source.ip ldap.result'
showSubtitle: true
- name: LDAP_SEARCH
description: LDAP_SEARCH grouped by source.ip and filter
query: 'tags:ldap_search | groupby source.ip | groupby ldap_search.filter'
showSubtitle: true
- name: MODBUS - name: MODBUS
description: MODBUS grouped by function description: MODBUS grouped by function
query: 'tags:modbus | groupby modbus.function' query: 'tags:modbus | groupby modbus.function'
@@ -1943,7 +1972,7 @@ soc:
query: 'tags:ftp | groupby ftp.command | groupby -sankey ftp.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ftp.argument | groupby ftp.user' query: 'tags:ftp | groupby ftp.command | groupby -sankey ftp.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ftp.argument | groupby ftp.user'
- name: HTTP - name: HTTP
description: HTTP (Hyper Text Transport Protocol) network metadata description: HTTP (Hyper Text Transport Protocol) network metadata
query: 'tags:(http OR http2) | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: '(tags:http OR tags:http2) | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Intel - name: Intel
description: Zeek Intel framework hits description: Zeek Intel framework hits
query: 'tags:intel | groupby intel.indicator | groupby -sankey intel.indicator source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby intel.indicator_type | groupby intel.seen_where' query: 'tags:intel | groupby intel.indicator | groupby -sankey intel.indicator source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby intel.indicator_type | groupby intel.seen_where'
@@ -1956,6 +1985,12 @@ soc:
- name: Kerberos - name: Kerberos
description: Kerberos network metadata description: Kerberos network metadata
query: 'tags:kerberos | groupby kerberos.service | groupby -sankey kerberos.service source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby kerberos.client | groupby kerberos.request_type' query: 'tags:kerberos | groupby kerberos.service | groupby -sankey kerberos.service source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby kerberos.client | groupby kerberos.request_type'
- name: LDAP
description: LDAP (Lightweight Directory Access Protocol) network metadata
query: 'tags:ldap | groupby source.ip | groupby destination.ip | groupby destination.port | groupby ldap.user_email | groupby ldap.property | groupby ldap.result | groupby ldap.common_name | groupby ldap.organizational_unit | groupby ldap.domain | groupby ldap.version | groupby ldap.object'
- name: LDAP_SEARCH
description: LDAP_SEARCH (Lightweight Directory Access Protocol) Search network metadata
query: 'tags:ldap_search | groupby source.ip | groupby destination.ip | groupby destination.port | groupby ldap_search.scope | groupby ldap.object | groupby ldap.domain | groupby ldap_search.filter'
- name: MySQL - name: MySQL
description: MySQL network metadata description: MySQL network metadata
query: 'tags:mysql | groupby mysql.command | groupby -sankey mysql.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows' query: 'tags:mysql | groupby mysql.command | groupby -sankey mysql.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows'


@@ -438,11 +438,11 @@ soc:
intervalMinutes: intervalMinutes:
description: How often to generate the Navigator Layers. (minutes) description: How often to generate the Navigator Layers. (minutes)
global: True global: True
helpLink: navigator.html helpLink: attack-navigator.html
lookbackDays: lookbackDays:
description: How far back to search for ATT&CK-tagged alerts. (days) description: How far back to search for ATT&CK-tagged alerts. (days)
global: True global: True
helpLink: navigator.html helpLink: attack-navigator.html
client: client:
enableReverseLookup: enableReverseLookup:
description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.