Closed zacoker closed 6 years ago
I'll need to check the compatibility with unfetter-analytic.
After connecting CASCADE to unfetter-analytic's ES server, did you also add that connection to your CASCADE user's account (this is in 'Account Settings')? This step is necessary, but knowing that it needs to be done isn't the most intuitive thing in the world.
Curious if you are asking about BSF (https://github.com/mitre/brawl-public-game-001#bsf), or about the CAR Data Model (https://car.mitre.org/wiki/Data_Model).
BSF introduces hierarchy (below), where at the bottom level, the BSF events are pretty much structured the same as the CAR Data Model.
Operation:
|-> Steps
|-> Events
An example of BSF created by CALDERA can be found at https://github.com/mitre/brawl-public-game-001/blob/master/data/bsf-brawl_public_game_001.json. Part of its purpose is to be able to diff reporting made by red and blue. For red teams the 'Step' level is fairly easy to create because Steps are basically ATT&CK techniques, while events are much harder for red because it's very difficult/impossible for red to know every single logged event that performing an action will create. Blue has the opposite problem: they can see the actual events, but it takes additional work to infer (or "guess") what set of events was caused by which 'Step' / adversary technique.
If you are interested in BSF I can put you in touch with the BSF experts, but I wanted to make sure that was what you are after first.
Thanks for the reply!
Can Cascade read directly from the Unfetter-Analytic ES (which is not in brawl format), or does it require the data in BSF format, like the example you linked?
If the data format looks like this https://github.com/mitre/brawl-public-game-001/blob/master/data/sysmon-brawl_public_game_001.json, then it should work fine:
{"@timestamp": "2017-05-01T18:57:41.852Z", "host": "platten-pc.brawlco.com", "type": "sysmon", "data_model": {"fields": {"log_name": "Microsoft-Windows-Sysmon/Operational", "log_type": "Microsoft-Windows-Sysmon", "fqdn": "platten-pc.brawlco.com", "record_number": "3303899", "keywords": "0x8000000000000000", "severity": "Information", "hostname": "platten-pc", "event_code": "3", "op_code": "0", "user": "NT AUTHORITY\\NETWORK SERVICE", "utc_time": "2017-05-01 18:57:41.852", "uuid": "{6C70CE0A-7D6E-5907-0000-0010AEB90000}", "process_guid": "{6C70CE0A-7D6E-5907-0000-0010AEB90000}", "pid": "1008", "image_path": "C:\\Windows\\System32\\svchost.exe", "transport": "udp", "initiated": "false", "src_ipv6": "false", "src_ip": "224.0.0.252", "src_fqdn": "%{[Event][EventData][0][Data][9][content]}", "src_port": "5355", "src_port_name": "llmnr", "dest_ipv6": "false", "dest_ip": "10.3.15.225", "dest_fqdn": "peele-pc.brawlco.com", "dest_port": "59880", "dest_port_name": "", "exe": "svchost.exe"}, "action": ["start"], "object": "flow"}, "game_id": "BRAWL_public_game_001", "@uuid": "a1412613-08cd-4011-b394-4c510e2a8fb5"}
{"@timestamp": "2017-05-01T18:58:10.006Z", "host": "fulco-pc.brawlco.com", "type": "sysmon", "data_model": {"fields": {"log_name": "Microsoft-Windows-Sysmon/Operational", "log_type": "Microsoft-Windows-Sysmon", "fqdn": "fulco-pc.brawlco.com", "record_number": "3337333", "keywords": "0x8000000000000000", "severity": "Information", "hostname": "fulco-pc", "event_code": "3", "op_code": "0", "user": "NT AUTHORITY\\NETWORK SERVICE", "utc_time": "2017-05-01 18:58:10.006", "uuid": "{6C70CE0A-7D8C-5907-0000-001045BF0000}", "process_guid": "{6C70CE0A-7D8C-5907-0000-001045BF0000}", "pid": "400", "image_path": "C:\\Windows\\System32\\svchost.exe", "transport": "udp", "initiated": "false", "src_ipv6": "false", "src_ip": "224.0.0.252", "src_fqdn": "%{[Event][EventData][0][Data][9][content]}", "src_port": "5355", "src_port_name": "llmnr", "dest_ipv6": "false", "dest_ip": "10.3.15.222", "dest_fqdn": "minahan-pc.brawlco.com", "dest_port": "62561", "dest_port_name": "", "exe": "svchost.exe"}, "action": ["start"], "object": "flow"}, "game_id": "BRAWL_public_game_001", "@uuid": "8f9b5952-bea8-4e03-b674-01631c9c4e5d"}
{"@timestamp": "2017-05-01T18:58:04.988Z", "host": "santilli-pc.brawlco.com", "type": "sysmon", "data_model": {"fields": {"log_name": "Microsoft-Windows-Sysmon/Operational", "log_type": "Microsoft-Windows-Sysmon", "fqdn": "santilli-pc.brawlco.com", "record_number": "3261604", "keywords": "0x8000000000000000", "severity": "Information", "hostname": "santilli-pc", "event_code": "1", "op_code": "0", "user": "NT AUTHORITY\\SYSTEM", "utc_time": "2017-05-01 18:58:04.988", "uuid": "{6C70CE0A-853C-5907-0000-0010EBAB1100}", "process_guid": "{6C70CE0A-853C-5907-0000-0010EBAB1100}", "pid": "2692", "image_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe", "command_line": "\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe\"", "current_directory": "C:\\windows\\system32\\", "logon_guid": "{6C70CE0A-7DA5-5907-0000-0020E7030000}", "logon_id": "0x3e7", "terminal_session_id": "0", "integrity_level": "System", "parent_process_guid": "{6C70CE0A-7DC8-5907-0000-00100CC20100}", "ppid": "2116", "parent_image_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "parent_command_line": "\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service", "hash": {"SHA1": "E5C4B478B0CB9F8DE91BB702C8B30B955AD12990", "MD5": "3B2E96D9576FE33B2AE13C66C3AC8E71", "SHA256": "AEE9C62DE8777F145FBE4E8E8E7A4924617704DBE40C814739271110659ABAD5", "IMPHASH": "C9E036D762E6435EF42A0CE059D91D05"}, "exe": "splunk-admon.exe", "parent_exe": "splunkd.exe"}, "action": ["create"], "object": "process"}, "game_id": "BRAWL_public_game_001", "@uuid": "69efc2b4-69fd-4383-8a38-cb134cd14812"}
{"@timestamp": "2017-05-01T18:58:01.758Z", "host": "dc.brawlco.com", "type": "sysmon", "data_model": {"fields": {"log_name": "Microsoft-Windows-Sysmon/Operational", "log_type": "Microsoft-Windows-Sysmon", "fqdn": "dc.brawlco.com", "record_number": "51415024", "keywords": "0x8000000000000000", "severity": "Information", "hostname": "dc", "event_code": "1", "op_code": "0", "user": "NT AUTHORITY\\SYSTEM", "utc_time": "2017-05-01 18:58:01.758", "uuid": "{E925140A-8539-5907-0000-00109586F92D}", "process_guid": "{E925140A-8539-5907-0000-00109586F92D}", "pid": "3244", "image_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe", "command_line": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"", "current_directory": "C:\\Windows\\system32\\", "logon_guid": "{E925140A-E415-58CB-0000-0020E7030000}", "logon_id": "0x3e7", "terminal_session_id": "0", "integrity_level": "System", "parent_process_guid": "{E925140A-E432-58CB-0000-00107E520100}", "ppid": "1596", "parent_image_path": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe", "parent_command_line": "\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service", "hash": {"SHA1": "B1B8F8597D842D366469007288726BC59164837C", "MD5": "94105BFEB9727945115B7A299EF3A88F", "SHA256": "998B2C155EA59F4B14FE9C496759F83E6DC0993389CA44C18D9958AB8837B894", "IMPHASH": "4163F5A2F5D2155C13AF0D971845D0E1"}, "exe": "splunk-MonitorNoHandle.exe", "parent_exe": "splunkd.exe"}, "action": ["create"], "object": "process"}, "game_id": "BRAWL_public_game_001", "@uuid": "af016083-0d88-4e3d-9192-dd0a43c2815f"}
Hey there Cascade team,
We're trying to set up Cascade to import and visualize sysmon data from a host, and we had some questions on the CAR data model.
We are running Cascade on an Ubuntu server EC2 instance, and we have a Windows 2016 instance generating Sysmon events and forwarding logs to ElasticSearch. We pointed Cascade to ElasticSearch within the user and global settings. What step are we missing to label the data so Cascade recognizes and visualizes the activity?
Is there some kind of automated tool or ElasticSearch function to translate raw sysmon into the CAR data model that Cascade likes?
Thanks so much!
Hi Zach,
The only one I know about is what you've already found, unfetter-analytic. Their logstash configs are here: https://github.com/unfetter-analytic/unfetter/blob/master/logstash/pipeline/3.sysmon.conf. I actually spent a couple hours trying to get this set up over the weekend, but kept running into bugs; but I'm going to cycle back around and take another crack at it.
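The two replies above describe the same translation from opposite ends: the documents quoted earlier show the shape CASCADE expects in ES (`data_model.object`, `data_model.action`, `data_model.fields`), and the unfetter-analytic logstash pipeline is the tool that produces it from raw Sysmon. The script below is an added example, not CASCADE's or unfetter-analytic's code, that performs that translation in Python for Sysmon Event ID 1 (process create) and Event ID 3 (network connection), the two event types visible in the quoted documents. The Sysmon EventData field names are Sysmon's own; the target field names are those in the quoted documents; the sample records are constructed here, with values copied from those documents, and the way a shipper nests EventData is assumed, so `SAMPLE_EVENTS` and the `(fqdn, event_id, eventdata)` tuple layout are illustration only.

```python
"""Added example (not CASCADE or unfetter-analytic code): translate raw Sysmon
EventData into the CAR data-model document shape that CASCADE reads from ES.
Only Sysmon Event ID 1 (-> process/create) and Event ID 3 (-> flow/start) are
mapped; other event IDs are skipped rather than indexed as unlabelled records."""
import datetime as dt
import json
from typing import Any, Dict, List, Tuple

# Sysmon EventData name -> CAR field name (target names as seen in the thread's documents).
COMMON_MAP = {"UtcTime": "utc_time", "ProcessGuid": "process_guid", "ProcessId": "pid",
              "Image": "image_path", "User": "user"}
PROCESS_CREATE_MAP = dict(COMMON_MAP, **{
    "CommandLine": "command_line", "CurrentDirectory": "current_directory",
    "LogonGuid": "logon_guid", "LogonId": "logon_id", "TerminalSessionId": "terminal_session_id",
    "IntegrityLevel": "integrity_level", "ParentProcessGuid": "parent_process_guid",
    "ParentProcessId": "ppid", "ParentImage": "parent_image_path",
    "ParentCommandLine": "parent_command_line"})
NETWORK_CONNECT_MAP = dict(COMMON_MAP, **{
    "Protocol": "transport", "Initiated": "initiated", "SourceIsIpv6": "src_ipv6",
    "SourceIp": "src_ip", "SourceHostname": "src_fqdn", "SourcePort": "src_port",
    "SourcePortName": "src_port_name", "DestinationIsIpv6": "dest_ipv6",
    "DestinationIp": "dest_ip", "DestinationHostname": "dest_fqdn",
    "DestinationPort": "dest_port", "DestinationPortName": "dest_port_name"})
# Sysmon event ID -> (CAR object, CAR action, field mapping)
EVENT_TABLE = {1: ("process", "create", PROCESS_CREATE_MAP),
               3: ("flow", "start", NETWORK_CONNECT_MAP)}


def parse_hashes(hashes: str) -> Dict[str, str]:
    """Sysmon's 'SHA1=..,MD5=..' string -> {'SHA1': ..., 'MD5': ...}."""
    return dict(p.split("=", 1) for p in hashes.split(",") if "=" in p)


def to_car_document(fqdn: str, event_id: int, eventdata: Dict[str, str]) -> Dict[str, Any]:
    """Build one ES document in the shape quoted in the thread."""
    if event_id not in EVENT_TABLE:
        raise ValueError(f"no CAR mapping for Sysmon event ID {event_id}")
    obj, action, mapping = EVENT_TABLE[event_id]
    fields = {"log_name": "Microsoft-Windows-Sysmon/Operational",
              "log_type": "Microsoft-Windows-Sysmon", "fqdn": fqdn,
              "hostname": fqdn.split(".")[0], "event_code": str(event_id)}
    fields.update((dst, str(eventdata[src])) for src, dst in mapping.items() if src in eventdata)
    if "Hashes" in eventdata:
        fields["hash"] = parse_hashes(eventdata["Hashes"])
    # The quoted documents carry the bare executable name as exe/parent_exe; derive it from the path.
    for path_key, exe_key in (("image_path", "exe"), ("parent_image_path", "parent_exe")):
        if path_key in fields:
            fields[exe_key] = fields[path_key].rsplit("\\", 1)[-1]
    # Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.mmm'; @timestamp is ISO 8601 with a trailing Z.
    ts = dt.datetime.strptime(eventdata["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return {"@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
            "host": fqdn, "type": "sysmon",
            "data_model": {"fields": fields, "action": [action], "object": obj}}


def is_car_document(doc: Dict[str, Any]) -> bool:
    """Shape check to run before indexing: object string, action list, fields dict."""
    dm = doc.get("data_model")
    return (isinstance(doc.get("@timestamp"), str) and isinstance(dm, dict)
            and isinstance(dm.get("object"), str)
            and isinstance(dm.get("action"), list) and all(isinstance(a, str) for a in dm["action"])
            and isinstance(dm.get("fields"), dict))


def translate_all(events: List[Tuple[str, int, Dict[str, str]]]) -> List[Dict[str, Any]]:
    """Translate every record that has a mapping; unmapped event IDs are dropped."""
    return [to_car_document(h, eid, ed) for h, eid, ed in events if eid in EVENT_TABLE]


# Constructed sample input: (host fqdn, Sysmon event ID, EventData). Values copied from the
# documents quoted in this thread; the tuple layout is an assumption about the log shipper.
SAMPLE_EVENTS = [
    ("santilli-pc.brawlco.com", 1, {
        "UtcTime": "2017-05-01 18:58:04.988", "ProcessGuid": "{6C70CE0A-853C-5907-0000-0010EBAB1100}",
        "ProcessId": "2692", "Image": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe",
        "CommandLine": "\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe\"",
        "CurrentDirectory": "C:\\windows\\system32\\", "User": "NT AUTHORITY\\SYSTEM",
        "LogonGuid": "{6C70CE0A-7DA5-5907-0000-0020E7030000}", "LogonId": "0x3e7",
        "TerminalSessionId": "0", "IntegrityLevel": "System",
        "Hashes": "SHA1=E5C4B478B0CB9F8DE91BB702C8B30B955AD12990,MD5=3B2E96D9576FE33B2AE13C66C3AC8E71",
        "ParentProcessGuid": "{6C70CE0A-7DC8-5907-0000-00100CC20100}", "ParentProcessId": "2116",
        "ParentImage": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe",
        "ParentCommandLine": "\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service"}),
    ("platten-pc.brawlco.com", 3, {
        "UtcTime": "2017-05-01 18:57:41.852", "ProcessGuid": "{6C70CE0A-7D6E-5907-0000-0010AEB90000}",
        "ProcessId": "1008", "Image": "C:\\Windows\\System32\\svchost.exe",
        "User": "NT AUTHORITY\\NETWORK SERVICE", "Protocol": "udp", "Initiated": "false",
        "SourceIsIpv6": "false", "SourceIp": "224.0.0.252", "SourceHostname": "",
        "SourcePort": "5355", "SourcePortName": "llmnr", "DestinationIsIpv6": "false",
        "DestinationIp": "10.3.15.225", "DestinationHostname": "peele-pc.brawlco.com",
        "DestinationPort": "59880", "DestinationPortName": ""}),
    ("platten-pc.brawlco.com", 5, {"UtcTime": "2017-05-01 18:57:42.000"}),  # unmapped ID, skipped
]

if __name__ == "__main__":
    for doc in translate_all(SAMPLE_EVENTS):
        assert is_car_document(doc)
        print(json.dumps(doc))  # one document per line, the same layout as the quoted ES records
```

Running the script prints one JSON document per line in the same layout as the records quoted earlier in the thread; `is_car_document` is the check to apply to whatever your own pipeline writes into the index CASCADE reads, since records without `data_model.object` and `data_model.action` are exactly the ones CASCADE has no way to recognize.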
Is there a way to get traffic from elasticsearch into the brawl format automatically? I have unfetter analytic set up and I have pointed Cascade to the ES database, but Cascade isn't seeing anything.
Thanks!