opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0

Complete mapping of all log types #189

Closed sbcd90 closed 1 year ago

sbcd90 commented 1 year ago

There already exists a PR for it: https://github.com/opensearch-project/security-analytics/pull/153. Enhance it for new log types, like firewall logs. @phaseshiftg @sbcd90

phaseshiftg commented 1 year ago

Rule: azure_aad_secops_signin_failure_bad_password_threshold.yml

```yaml
detection:
  selection:
    ResultType: 50126
    ResultDescription: Invalid username or password or Invalid on-premises username or password.
  filter_computer:
    TargetUserName|endswith: '$'
  condition: selection and not filter_computer
```

Applicable beat: Winlogbeat

Fields: ResultType, ResultDescription, TargetUserName

Fields that exist: TargetUserName: winlog.event_data.TargetUserName
Fields that do not exist in ecs mappings: ResultType, ResultDescription

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: One of the fields used in the rule appears in the ecs documentation.

Rule: azure_aadhybridhealth_adfs_new_server.yml

```yaml
detection:
  selection:
    CategoryValue: 'Administrative'
    ResourceProviderValue: 'Microsoft.ADHybridHealthService'
    ResourceId|contains: 'AdFederationService'
    OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
  condition: selection
```

Applicable beat: Winlogbeat

Fields: CategoryValue, ResourceProviderValue, ResourceId, OperationNameValue
Fields that do not exist in ecs mappings: CategoryValue, ResourceProviderValue, ResourceId, OperationNameValue

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

Rule: azure_aadhybridhealth_adfs_service_delete.yml

```yaml
detection:
  selection:
    CategoryValue: 'Administrative'
    ResourceProviderValue: 'Microsoft.ADHybridHealthService'
    ResourceId|contains: 'AdFederationService'
    OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
  condition: selection
```

Applicable beat: Winlogbeat

Fields: CategoryValue, ResourceProviderValue, ResourceId, OperationNameValue
Fields that do not exist in ecs mappings: CategoryValue, ResourceProviderValue, ResourceId, OperationNameValue

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

Rule: azure_ad_bitlocker_key_retrieval.yml

```yaml
detection:
  selection:
    Category: KeyManagement
    OperationName: Read BitLocker key
  condition: selection
```

Applicable beat: Winlogbeat
Fields: Category, OperationName
Fields that do not exist in ecs mappings: Category, OperationName

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

Rule: azure_ad_device_registration_or_join_without_mfa.yml

```yaml
detection:
  selection:
    ResourceDisplayName: 'Device Registration Service'
    conditionalAccessStatus: 'success'
  filter_mfa:
    AuthenticationRequirement: 'multiFactorAuthentication'
  condition: selection and not filter_mfa
```

Applicable beat: Winlogbeat
Fields: ResourceDisplayName, conditionalAccessStatus
Fields that do not exist in ecs mappings: ResourceDisplayName, conditionalAccessStatus

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

Rule: azure_ad_device_registration_policy_changes.yml

```yaml
detection:
  selection:
    ResourceDisplayName: 'Device Registration Service'
    conditionalAccessStatus: 'success'
  filter_mfa:
    AuthenticationRequirement: 'multiFactorAuthentication'
  condition: selection and not filter_mfa
```

Applicable beat: Winlogbeat
Fields: ResourceDisplayName, conditionalAccessStatus, AuthenticationRequirement
Fields that do not exist in ecs mappings: ResourceDisplayName, conditionalAccessStatus, AuthenticationRequirement

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog


Note: None of the fields used in the rule appear in the ecs documentation

Rule: azure_ad_sign_ins_from_noncompliant_devices.yml

```yaml
detection:
  selection:
    DeviceDetail.isCompliant: 'false'
  condition: selection
```

Applicable beat: Winlogbeat
Fields: DeviceDetail
Fields that do not exist in ecs mappings: DeviceDetail

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

Rule: azure_ad_sign_ins_from_unknown_devices.yml

```yaml
detection:
  selection:
    AuthenticationRequirement: singleFactorAuthentication
    ResultType: '0'
    NetworkLocationDetails: '[]'
    DeviceDetail.deviceId: ''
  condition: selection
```

Applicable beat: Winlogbeat
Fields: AuthenticationRequirement, ResultType, NetworkLocationDetails, DeviceDetail
Fields that do not exist in ecs mappings: AuthenticationRequirement, ResultType, NetworkLocationDetails, DeviceDetail

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

Rule: azure_ad_user_added_to_admin_role.yml

```yaml
detection:
  selection:
    Operation: 'Add member to role.'
    Workload: 'AzureActiveDirectory'
    ModifiedProperties.NewValue|endswith:
```

Applicable beat: Winlogbeat
Fields: Operation, Workload, ModifiedProperties
Fields that do not exist in ecs mappings: Operation, Workload, ModifiedProperties

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

Rule: azure_ad_users_added_to_device_admin_roles.yml

```yaml
detection:
  selection:
    Category: RoleManagement
    OperationName|contains|all:
```

Applicable beat: Winlogbeat
Fields: Category, OperationName, TargetResources
Fields that do not exist in ecs mappings: Category, OperationName, TargetResources

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

Rule: win_ldap_recon.yml

```yaml
detection:
  generic_search:
    EventID: 30
    SearchFilter|contains:
```

Applicable beat: Winlogbeat
Fields: EventID, SearchFilter
Fields that do not exist in ecs mappings: EventID, SearchFilter

https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html#exported-fields-winlog

Note: None of the fields used in the rule appear in the ecs documentation

phaseshiftg commented 1 year ago

Rule: net_firewall_high_dns_bytes_out.yml

```yaml
detection:
  selection:
    dst_port: 53
  timeframe: 1m
  condition: selection
```

Applicable beat: Filebeat
Fields: dst_port
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html

Note: It's not clear what source we are talking about in "firewall". Netflow is one, iptables is another, and there are many other types of firewalls for specific situations. Here I am defaulting to netflow.

Rule: net_firewall_high_dns_requests_rate.yml

```yaml
detection:
  selection:
    dst_port: 53
  timeframe: 1m
  condition: selection
```

Applicable beat: Filebeat
Fields: dst_port
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html

Note: It's not clear what source we are talking about in "firewall". Netflow is one, iptables is another, and there are many other types of firewalls for specific situations. Here I am defaulting to netflow.

Rule: net_firewall_susp_network_scan_by_ip.yml

```yaml
detection:
  selection:
    action: denied
  timeframe: 24h
  condition: selection
```

Applicable beat: Filebeat
Fields: action
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html

Note: It's not clear what source we are talking about in "firewall". Netflow is one, iptables is another, and there are many other types of firewalls for specific situations. Here I am defaulting to netflow.

Rule: net_firewall_susp_network_scan_by_port.yml

```yaml
detection:
  selection:
    action: denied
  timeframe: 24h
  condition: selection
```

Applicable beat: Filebeat
Fields: action
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-netflow.html

Note: It's not clear what source we are talking about in "firewall". Netflow is one, iptables is another, and there are many other types of firewalls for specific situations. Here I am defaulting to netflow.

Rule: zeek_dce_rpc_domain_user_enumeration.yml

```yaml
detection:
  selection:
    operation:
      - LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon
      #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
      - LsarLookupNames3 #method translates a batch of security principal names to their SID form
      - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms
      - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of
      - SamrLookupIdsInDomain #method translates a set of RIDs into account names
      - SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs
      - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object
      - SamrQueryInformationGroup #obtains attributes from a group object
  timeframe: 30s
  condition: selection
```

Applicable beat: Filebeat
Fields: operation
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dce_rpc_mitre_bzar_execution.yml

```yaml
detection:
  op1:
    endpoint: 'JobAdd'
    operation: 'atsvc'
  op2:
    endpoint: 'ITaskSchedulerService'
    operation: 'SchRpcEnableTask'
  op3:
    endpoint: 'ITaskSchedulerService'
    operation: 'SchRpcRegisterTask'
  op4:
    endpoint: 'ITaskSchedulerService'
    operation: 'SchRpcRun'
  op5:
    endpoint: 'IWbemServices'
    operation: 'ExecMethod'
  op6:
    endpoint: 'IWbemServices'
    operation: 'ExecMethodAsync'
  op7:
    endpoint: 'svcctl'
    operation: 'CreateServiceA'
  op8:
    endpoint: 'svcctl'
    operation: 'CreateServiceW'
  op9:
    endpoint: 'svcctl'
    operation: 'StartServiceA'
  op10:
    endpoint: 'svcctl'
    operation: 'StartServiceW'
  condition: 1 of op*
```

Applicable beat: Filebeat
Fields: operation, endpoint
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dce_rpc_mitre_bzar_persistence.yml

```yaml
detection:
  op1:
    endpoint: 'JobAdd'
    operation: 'atsvc'
  op2:
    endpoint: 'ITaskSchedulerService'
    operation: 'SchRpcEnableTask'
  op3:
    endpoint: 'ITaskSchedulerService'
    operation: 'SchRpcRegisterTask'
  op4:
    endpoint: 'ITaskSchedulerService'
    operation: 'SchRpcRun'
  op5:
    endpoint: 'IWbemServices'
    operation: 'ExecMethod'
  op6:
    endpoint: 'IWbemServices'
    operation: 'ExecMethodAsync'
  op7:
    endpoint: 'svcctl'
    operation: 'CreateServiceA'
  op8:
    endpoint: 'svcctl'
    operation: 'CreateServiceW'
  op9:
    endpoint: 'svcctl'
    operation: 'StartServiceA'
  op10:
    endpoint: 'svcctl'
    operation: 'StartServiceW'
  condition: 1 of op*
```

Applicable beat: Filebeat
Fields: operation, endpoint
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml

```yaml
detection:
  selection:
    operation|startswith:
```

Applicable beat: Filebeat
Fields: operation
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dce_rpc_printnightmare_print_driver_install.yml

```yaml
detection:
  selection:
    operation:
```

Applicable beat: Filebeat
Fields: operation
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dce_rpc_smb_spoolss_named_pipe.yml

```yaml
detection:
  selection:
    path|endswith: IPC$
    name: spoolss
  condition: selection
```

Applicable beat: Filebeat
Fields: path, name
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_default_cobalt_strike_certificate.yml

```yaml
detection:
  selection:
    certificate.serial: 8BB00EE
  condition: selection
```

Applicable beat: Filebeat
Fields: certificate.serial
Fields that do not exist in ecs mappings:


https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dns_mining_pools.yml

```yaml
detection:
  selection:
    query|endswith:
```

Applicable beat: Filebeat
Fields: query
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dns_nkn.yml

```yaml
detection:
  selection:
    query|contains|all:
```

Applicable beat: Filebeat
Fields: query
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dns_susp_zbit_flag.yml

```yaml
detection:
  z_flag_unset:
    Z: '0'
  most_probable_valid_domain:
    query|contains: '.'
  exclude_tlds:
    query|endswith:
```

Applicable beat: Filebeat
Fields: Z, query, qtype_name, answers, id.resp_p
Fields that do not exist in ecs mappings: Z, id.resp_p

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_dns_torproxy.yml

```yaml
detection:
  selection:
    query:
```

Applicable beat: Filebeat
Fields: query
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_http_executable_download_from_webdav.yml

```yaml
detection:
  selection_webdav:
```

Applicable beat: Filebeat
Fields: c-useragent, c-uri, resp_mime_types
Fields that do not exist in ecs mappings: c-useragent, c-uri

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_http_omigod_no_auth_rce.yml

```yaml
detection:
  selection:
    status_code: 200
    uri: /wsman
    method: POST
  auth_header:
    client_header_names|contains: 'AUTHORIZATION'
  too_small_http_client_body:
    request_body_len: 0
  winrm_ports:
  #    id.resp_p:
  #        -  5985
  #        -  5986
  #        -  1270
  condition: selection and not auth_header and not too_small_http_client_body
  #condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
```

Applicable beat: Filebeat
Fields: status_code, uri, method, client_header_names, request_body_len
Fields that do not exist in ecs mappings: status_code, uri, method, request_body_len

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_http_webdav_put_request.yml

```yaml
detection:
  selection:
    user_agent|contains: 'WebDAV'
    method: 'PUT'
  filter:
    id.resp_h:
```

Applicable beat: Filebeat
Fields: user_agent, method, id.resp_h
Fields that do not exist in ecs mappings: user_agent, method, id.resp_h

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Note: user_agent and method are available for the sip protocol, but the rule is referring to http.

Rule: zeek_rdp_public_listener.yml

```yaml
detection:
  selection:
    id.orig_h|startswith:
```

Applicable beat: Filebeat
Fields: id.orig_h
Fields that do not exist in ecs mappings: id.orig_h

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_smb_converted_win_atsvc_task.yml

```yaml
detection:
  selection:
    path: \*\IPC$
    name: atsvc
    Accesses: 'WriteData'
  condition: selection
```

Applicable beat: Filebeat
Fields: path, name
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_smb_converted_win_lm_namedpipe.yml

```yaml
detection:
  selection1:
    path: \*\IPC$
  selection2:
    path: \*\IPC$
    name:
```

Applicable beat: Filebeat
Fields: path, name
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_smb_converted_win_susp_psexec.yml

```yaml
detection:
  selection1:
    path|contains|all:
```

Applicable beat: Filebeat
Fields: path, name
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_smb_converted_win_susp_raccess_sensitive_fext.yml

```yaml
detection:
  selection:
    name|endswith:
```

Applicable beat: Filebeat
Fields: name
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_smb_converted_win_transferring_files_with_credential_data.yml

```yaml
detection:
  selection:
    name:
```

Applicable beat: Filebeat
Fields: name
Fields that do not exist in ecs mappings:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html

Rule: zeek_susp_kerberos_rc4.yml

```yaml
detection:
  selection:
    request_type: 'TGS'
    cipher: 'rc4-hmac'
  computer_acct:
    service|startswith: '$'
  condition: selection and not computer_acct
```

Applicable beat: Filebeat
Fields: request_type, cipher, service
Fields that do not exist in ecs mappings: request_type

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-zeek.html
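The field audit done by hand in the comments above can be automated; the checker below is an added example, not code from the security-analytics project. It strips Sigma value modifiers from every detection key, skips the `condition` and `timeframe` keys, and reports which rule fields have no entry in a log type's ECS map. The two field maps are constructed, partial stand-ins for the plugin's real mapping files (only the `TargetUserName` entry comes from this thread); the two detection dicts are the bad-password and Kerberos RC4 rules discussed above, written as already-parsed YAML.

```python
"""Report Sigma detection fields that lack an ECS mapping for a log type."""
from typing import Any, Dict, List, Set

# Constructed, partial field maps standing in for the per-log-type mapping
# files; only the TargetUserName entry is taken from the thread.
WINLOGBEAT_MAP: Dict[str, str] = {"TargetUserName": "winlog.event_data.TargetUserName"}
ZEEK_MAP: Dict[str, str] = {"cipher": "zeek.kerberos.cipher", "service": "zeek.kerberos.service"}

# Keys under "detection" that name no field.
NON_SELECTION_KEYS = {"condition", "timeframe"}

# Detections from the thread, as the YAML would parse (constructed dicts).
BAD_PASSWORD = {  # azure_aad_secops_signin_failure_bad_password_threshold.yml
    "selection": {
        "ResultType": 50126,
        "ResultDescription": "Invalid username or password or Invalid on-premises username or password.",
    },
    "filter_computer": {"TargetUserName|endswith": "$"},
    "condition": "selection and not filter_computer",
}
KERBEROS_RC4 = {  # zeek_susp_kerberos_rc4.yml
    "selection": {"request_type": "TGS", "cipher": "rc4-hmac"},
    "computer_acct": {"service|startswith": "$"},
    "condition": "selection and not computer_acct",
}


def field_name(key: str) -> str:
    """Drop Sigma modifiers: 'OperationName|contains|all' -> 'OperationName'."""
    return key.split("|", 1)[0]


def collect_fields(selection: Any, out: Set[str]) -> None:
    """A selection is a mapping or a list of mappings; values are literals."""
    if isinstance(selection, dict):
        out.update(field_name(k) for k in selection)
    elif isinstance(selection, list):
        for item in selection:
            collect_fields(item, out)


def rule_fields(detection: Dict[str, Any]) -> Set[str]:
    """All field names referenced by any selection of a detection block."""
    fields: Set[str] = set()
    for name, selection in detection.items():
        if name not in NON_SELECTION_KEYS:
            collect_fields(selection, fields)
    return fields


def unmapped_fields(detection: Dict[str, Any], field_map: Dict[str, str]) -> List[str]:
    """Rule fields with no ECS mapping, sorted for a stable report."""
    return sorted(f for f in rule_fields(detection) if f not in field_map)


if __name__ == "__main__":
    print("winlogbeat, bad password rule:", unmapped_fields(BAD_PASSWORD, WINLOGBEAT_MAP))
    print("zeek, kerberos rc4 rule:", unmapped_fields(KERBEROS_RC4, ZEEK_MAP))
```

Loading the real rule files with a YAML parser and the plugin's mapping JSON in place of the constructed dicts turns this into the check the thread performs per rule.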