opencybersecurityalliance / stix-shifter

This project consists of an open source library allowing software to connect to data repositories using STIX Patterning, and return results as STIX Observations.
https://stix-shifter.readthedocs.io

Support eBPF observability / container-optimized operating systems using Sysdig Secure captures #194

Open marcredhat opened 5 years ago

marcredhat commented 5 years ago

Container-optimized operating systems forensics need eBPF observability. (https://sysdig.com/blog/introducing-container-observability-with-ebpf-and-sysdig/)

Sysdig Secure can automatically capture all system calls made by any process. These captures can easily be converted to JSON, e.g. `sudo sysdig -r sysdig.scap -j > sysdig.json`

It'd be great if we could provide an end-to-end example of using STIX-Shifter to translate Sysdig Secure JSON captures into STIX format.

Relevant links: https://github.com/draios/sysdig/wiki/Sysdig-Examples https://sysdig.com/blog/fishing-for-hackers/ https://sysdig.com/blog/fishing-for-hackers-part-2/

JasonKeirstead commented 5 years ago

This is a very interesting proposal.

marcredhat commented 5 years ago

Thanks @JasonKeirstead. Please see a short video at http://bit.ly/threatmanage

mdazam1942 commented 4 years ago

@marcredhat do you have any proposed implementation?

olegzhr commented 3 years ago

Hi,

Sysdig is based on the Falco project. If you need to see Falco JSON format translated to STIX-Shifter output, you can use the Alertflex connector.

Please see the example below:

```json
{
  "type": "bundle",
  "id": "bundle--094fbe38-ab30-4e40-9416-07d5509caa93",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "identity",
      "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3",
      "name": "Alertflex",
      "identity_class": "events"
    },
    {
      "id": "observed-data--43bb881a-64df-4bdf-8b40-25329300e85a",
      "type": "observed-data",
      "created_by_ref": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3",
      "created": "2021-07-29T21:24:34.011Z",
      "modified": "2021-07-29T21:24:34.011Z",
      "objects": {
        "0": { "type": "ipv4-addr", "value": "0.0.0.0" },
        "1": { "type": "network-traffic", "src_ref": "0", "dst_port": 0, "protocols": [ "ip" ], "src_port": 0, "dst_ref": "4" },
        "2": { "type": "process", "name": "altprobe" },
        "3": { "type": "file", "name": "/etc/altprobe/filters.json" },
        "4": { "type": "ipv4-addr", "value": "0.0.0.0" },
        "5": { "type": "user-account", "user_id": "root" }
      },
      "x_org_alertflex": {
        "severity": 2,
        "agent": "collr02",
        "description": "00:16:25.340210122: Error File below /etc opened for writing (user=root command=altprobe start parent=altprobe pcmdline=altprobe start file=/etc/altprobe/filters.json program=altprobe gparent= ggparent= gggparent= container_id=host image=)",
        "source": "Falco",
        "type": "HOST",
        "node": "node01",
        "event": "Write below etc",
        "category": "falco, filesystem, mitre_TA0003",
        "info": "indef"
      },
      "first_observed": "2021-07-29T21:16:25.000Z",
      "last_observed": "2021-07-29T21:16:25.000Z",
      "number_observed": 1
    }
  ]
}
```
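As an added example (not code from this thread, from stix-shifter or from Alertflex), here is a Python sketch of the mapping the Alertflex bundle above illustrates: parse the key=value fields from a Falco alert's output line and emit a STIX 2.0 observed-data object carrying the same process, file and user-account objects. The Falco event is constructed, and the field mapping and the `x_falco` extension property are assumptions, not the connector's actual behaviour.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed Falco alert, shaped like the event Alertflex embedded in the bundle above.
SAMPLE_FALCO_EVENT = {
    "time": "2021-07-29T21:16:25.340210122Z",
    "priority": "Error",
    "rule": "Write below etc",
    "output": "00:16:25.340210122: Error File below /etc opened for writing "
              "(user=root command=altprobe start parent=altprobe pcmdline=altprobe start "
              "file=/etc/altprobe/filters.json program=altprobe gparent= ggparent= "
              "gggparent= container_id=host image=)",
}

# key=value pairs: a value runs until the next " key=" or the end of the string,
# so values that contain spaces (command=altprobe start) survive intact.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_falco_fields(output):
    """Extract the key=value fields from the parenthesised tail of a Falco output line."""
    start = output.find("(")
    body = output[start + 1:] if start >= 0 else output
    return dict(_KV.findall(body.rstrip(")")))


def falco_to_observed_data(event, identity_ref, created=None):
    """Map one Falco alert to a STIX 2.0 observed-data object (hypothetical mapping)."""
    fields = parse_falco_fields(event["output"])
    objects = {}

    def add(obj):  # STIX 2.0 keys cyber observables by their index, as strings
        objects[str(len(objects))] = obj

    if fields.get("program"):  # process: program name plus the full command line
        proc = {"type": "process", "name": fields["program"]}
        if fields.get("command"):
            proc["command_line"] = fields["command"]
        add(proc)
    if fields.get("file"):
        add({"type": "file", "name": fields["file"]})
    if fields.get("user"):
        add({"type": "user-account", "user_id": fields["user"]})
    created = created or datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {"type": "observed-data", "id": "observed-data--" + str(uuid.uuid4()),
            "created_by_ref": identity_ref, "created": created, "modified": created,
            "first_observed": event["time"], "last_observed": event["time"],
            "number_observed": 1, "objects": objects,
            "x_falco": {"rule": event["rule"], "priority": event["priority"]}}  # assumed custom property
```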

DerekRushton commented 2 months ago

Given the lack of interest in this enhancement I'm considering closing this issue. If there is any interest I'm open to leaving this open, but if not I will close this soon.