metron-dev mailing list archives

From Laurens Vets <laur...@daemon.be>
Subject Re: SUM aggregator not working?
Date Thu, 05 Oct 2017 01:04:18 GMT
It's working now, so I'm happy :)

On 2017-10-04 14:03, Casey Stella wrote:
> Ok, so this is subtle.  Your rules are wrong, and I totally understand
> why you thought they were right.
> 
> When we index into ES, we convert the '.' characters in field names to ':';
> however, PRIOR to indexing (i.e. while threat triage is running) those
> fields still contain '.'s, not ':'s.
> Therefore, your rules should be:
> 
> userIdentity.sessionContext.attributes.mfaAuthenticated == 'False'
> and
> additionalEventData.MFAUsed == 'No'
> 
> The same general argument goes for your threat triage stellar 
> expressions.
> 
> 
> Sorry about the confusion, we do that mapping because ES doesn't handle
> those .'s well.  Hey, maybe ES 5 is more sane about that sort of thing 
> and
> we can avoid doing that transformation.
> 
> Casey
> 
> On Wed, Oct 4, 2017 at 4:38 PM, Laurens Vets <laurens@daemon.be> wrote:
> 
>> No idea whether it's a bug yet, I just need a 2nd set of eyes :)
>> 
>> This is my event as indexed in ES (Obviously some parts have been
>> obfuscated):
>> 
>> {
>>   "_index": "cloudtrail_index_2017.10.04.19",
>>   "_type": "cloudtrail_doc",
>>   "_id": "95617686-bd39-46ff-b5c0-db3aeb5b6bab",
>>   "_score": null,
>>   "_timestamp": 1507143907108,
>>   "_source": {
>>     "eventID": "9e3d5468-2d97-4b9a-9821-5c61fec8c158",
>>     "additionalEventData:MFAUsed": "No",
>>     "adapter:stellaradapter:end:ts": "1507143907145",
>>     "threatinteljoinbolt:joiner:ts": "1507143907153",
>>     "eventVersion": "1.05",
>>     "threat:triage:rules:0:comment": "Checks whether the field is_work 
>> is
>> true or false.",
>>     "sourceIPAddress": "208.110.73.106",
>>     "eventSource": "signin.amazonaws.com",
>>     "enrichmentsplitterbolt:splitter:begin:ts": "1507143907143",
>>     "enrichmentjoinbolt:joiner:ts": "1507143907147",
>>     "additionalEventData:MobileVersion": "No",
>>     "threat:triage:rules:0:name": "Not WORK",
>>     "source:type": "cloudtrail",
>>     "original_string": "{\"eventVersion\":\"1.05\",\"
>> userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDAI
>> 5ITCMVR3BQV5DUFW\",\"arn\":\"arn:aws:iam::<ACCOUNTID>:user/
>> <EMAIL>\",\"accountId\":\"<ACCOUNTID>\",\"userName\":\"<
>> EMAIL>\"},\"eventTime\":\"2017-10-04T18:57:31Z\",\"eventSource\":\"
>> signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\"
>> ,\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"208.110.7
>> 3.106\",\"userAgent\":\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; 
>> rv:56.0)
>> Gecko/20100101 Firefox/56.0\",\"requestParame
>> ters\":null,\"responseElements\":{\"ConsoleLogin\":\"
>> Success\"},\"additionalEventData\":{\"LoginTo\":\"https://
>> console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\
>> <https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true%5C>
>> ",\"MobileVersion\":\"No\",\"MFAUsed\":\"No\"},\"eventID\":
>> \"9e3d5468-2d97-4b9a-9821-5c61fec8c158\",\"eventType\":\
>> "AwsConsoleSignIn\",\"recipientAccountId\":\"<ACCOUNTID>\"}",
>>     "eventTime": "2017-10-04T18:57:31Z",
>>     "eventName": "ConsoleLogin",
>>     "recipientAccountId": "<ACCOUNTID>",
>>     "userIdentity:principalId": "AIDAI5ITCMVR3BQV5DUFW",
>>     "threatintelsplitterbolt:splitter:end:ts": "1507143907148",
>>     "threat:triage:rules:0:score": 20,
>>     "timestamp": 1507143907108,
>>     "threat:triage:rules:0:reason": "208.110.73.106 is not an WORK
>> network!",
>>     "awsRegion": "us-east-1",
>>     "is_work": false,
>>     "userIdentity:userName": "<EMAIL>",
>>     "enrichmentsplitterbolt:splitter:end:ts": "1507143907143",
>>     "threat:triage:score": 20,
>>     "is_alert": "true",
>>     "userAgent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0)
>> Gecko/20100101 Firefox/56.0",
>>     "adapter:stellaradapter:begin:ts": "1507143907145",
>>     "eventType": "AwsConsoleSignIn",
>>     "userIdentity:arn": "arn:aws:iam::<ACCOUNTID>:user/<EMAIL>",
>>     "userIdentity:accountId": "<ACCOUNTID>",
>>     "userIdentity:type": "IAMUser",
>>     "threatintelsplitterbolt:splitter:begin:ts": "1507143907148",
>>     "guid": "95617686-bd39-46ff-b5c0-db3aeb5b6bab",
>>     "additionalEventData:LoginTo": "https://console.aws.amazon.co
>> m/console/home?state=hashArgs%23&isauthcode=true",
>>     "responseElements:ConsoleLogin": "Success"
>>   },
>>   "fields": {
>>     "adapter:stellaradapter:end:ts": [
>>       1507143907145
>>     ],
>>     "threatinteljoinbolt:joiner:ts": [
>>       1507143907153
>>     ],
>>     "enrichmentsplitterbolt:splitter:end:ts": [
>>       1507143907143
>>     ],
>>     "enrichmentsplitterbolt:splitter:begin:ts": [
>>       1507143907143
>>     ],
>>     "enrichmentjoinbolt:joiner:ts": [
>>       1507143907147
>>     ],
>>     "adapter:stellaradapter:begin:ts": [
>>       1507143907145
>>     ],
>>     "eventTime": [
>>       1507143451000
>>     ],
>>     "threatintelsplitterbolt:splitter:begin:ts": [
>>       1507143907148
>>     ],
>>     "threatintelsplitterbolt:splitter:end:ts": [
>>       1507143907148
>>     ],
>>     "timestamp": [
>>       1507143907108
>>     ]
>>   },
>>   "sort": [
>>     1507143451000
>>   ]
>> }
>> 
>> This is my sensor configuration:
>> 
>> 
>> {
>>         "enrichment": {
>>                 "fieldMap": {
>>                         "stellar": {
>>                                 "config": {
>>                                         "is_work": "IN_SUBNET(if
>> IS_IP(sourceIPAddress) then sourceIPAddress else NULL, '1.2.3.4/16', '
>> 5.6.7.8/23')"
>>                                 }
>>                         }
>>                 },
>>                 "fieldToTypeMap": {},
>>                 "config": {}
>>         },
>>         "threatIntel": {
>>                 "fieldMap": {
>>                         "stellar": {
>>                                 "config": [
>>                                         "is_alert := exists(is_work) 
>> &&
>> is_work != true && eventName == \"ConsoleLogin\"",
>>                                         "is_alert := is_alert ||
>> (eventName == \"ConsoleLogin\" && 
>> userIdentity:sessionContext:attributes:mfaAuthenticated
>> == \"False\")",
>>                                         "is_alert := is_alert ||
>> (eventName == \"ConsoleLogin\" && additionalEventData:MFAUsed == 
>> \"No\")"
>>                                 ]
>>                         }
>>                 },
>>                 "fieldToTypeMap": {},
>>                 "config": {},
>>                 "triageConfig": {
>>                         "riskLevelRules": [
>>                                 {
>>                                         "name": "Not WORK",
>>                                         "comment": "Checks whether the
>> field is_work is true or false.",
>>                                         "rule": "is_work == false",
>>                                         "score": 20,
>>                                         "reason": "FORMAT('%s is not 
>> an
>> WORK network!', sourceIPAddress)"
>>                                 },
>>                                 {
>>                                         "name": "MFA",
>>                                         "comment": "Checks whether MFA
>> used or not.",
>>                                         "rule":
>> "userIdentity:sessionContext:attributes:mfaAuthenticated == 'False'",
>>                                         "score": 20,
>>                                         "reason": null
>>                                 },
>>                                 {
>>                                         "name": "MFA2",
>>                                         "comment": "Checks whether MFA
>> used or not.",
>>                                         "rule":
>> "additionalEventData:MFAUsed == 'No'",
>>                                         "score": 20,
>>                                         "reason": null
>>                                 }
>>                         ],
>>                         "aggregator": "SUM",
>>                         "aggregationConfig": {}
>>                 }
>>         },
>>         "configuration": {}
>> }
>> 
>> Any idea why the score isn't 40? I would expect riskLevelRules 1 & 2 to
>> be SUMmed?
>> 
